Pervasive Internet-Wide Low-Latency Authentication

摘要

In a world with increasing simplicity to store, transfer, and analyze large volumes of data, it becomes more and more important that data confidentiality and integrity be preserved in transit by default. Unfortunately, a large security gap exists between unprotected or low-security communication, such as opportunistic encryption and trust-on-first-use (TOFU) security, and high-security communication, such as TLS using server certificates or DNSSEC. Our goal is to reduce this gap and achieve a base layer for authentication and secrecy that is strictly better than TOFU security. We achieve this by designing PILA, a novel authentication method with dynamic trust anchors, which leverages irrefutable cryptographic proof of misbehavior to incentivize benign behavior. We implement PILA extensions for SSH, TLS, and DNS and show that the overhead for a typical SSH and TLS connection establishment is negligible, and that PILA only causes a marginal processing overhead of $sim 100 mu mathrm{s}$ per DNS response at the endpoints.