Disguising secure communications as ordinary web traffic
Security Risks in Monitored Environments
Secure and timely communication is essential to situational awareness, tactical decisions, and strategic planning. Current long-range communication mechanisms used by US forces and their allies conducting operations in a highly monitored environment are not adequately secure; they can be detected, traced, or disrupted. Special-purpose communications equipment, such as military radios, has identifiable RF signatures that reveal its presence and location to a third party. A stealthier way to avoid detection is to look like everyone else—that is, use the same commercial devices and Internet communications infrastructure that the local population uses but in such a way that a third party cannot detect the communication or discover its true destination or content.
The Curveball solution
BBN's Curveball project, under the DARPA SAFER Warfighter Communications program, seeks to solve the problem of secure and undetectable communications in a monitored environment. The Curveball project has developed software that runs on commercial smartphones and laptops, and software that runs on routers in the network, that disguise secure communications as ordinary web traffic. Using Curveball, users can securely communicate with each other or their command and control and access social intelligence sources such as Twitter or Facebook. A third party attempting to detect or monitor Curveball traffic sees traffic that appears to be to and from innocuous web sites, such as game, sporting news, or e-commerce sites.
Curveball provides security by hiding in plain sight. Curveball uses ordinary, commodity devices and standard, widely used protocols to make what appear to be connections to popular, innocuous web sites. What really happens is that Curveball uses decoy routing to securely disguise the true destination and content of the covert connections. A third party can neither detect the true destination of a Curveball connection nor intercept the data being sent over the connection. To a network monitor, connections created by Curveball users appear to be unremarkable connections to unremarkable web sites.
How Curveball Works
To create a Curveball connection, the Curveball user opens a connection to a web site using a standard web protocol. Once connected, the Curveball software embeds a cryptographically-secure signal within its messages to that web site. This signal is generated from a user's personal secret key to assure the user's authority to use Curveball.
When the connection passes through a router on the open Internet that is running the Curveball software, that router detects the signal and initiates a cryptographically-secure handshake with the Curveball user. Ordinary routers or other third parties cannot detect or decode these signals or the handshake. When the handshake is complete, the user can tunnel any protocol (e.g., Skype, VoIP, VPN, HTTP, or HTTPS) through the Curveball connection and therefore has the ability to access any web site or network resource on the open Internet. All standard network applications can use Curveball without modification.
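The signalling step described above can be sketched as follows. This is an added example, not BBN's code: the page does not specify the construction, so the HMAC-SHA256 tag, the 32-byte carrier field, the hourly window, and all names (`make_signal`, `DecoyRouter`) are assumptions chosen to show how a keyed signal can look random to anyone without the key while a router holding the key recognizes it. The handshake that follows is not modelled.

```python
import hashlib
import hmac
import os

TAG_LEN = 32     # assumed size of a field an observer expects to be random
WINDOW = 3600    # assumed validity window for a signal, in seconds


def make_signal(user_key: bytes, now: int) -> bytes:
    """Client side: 16 random bytes followed by a 16-byte keyed tag."""
    nonce = os.urandom(16)
    epoch = (now // WINDOW).to_bytes(8, "big")
    mac = hmac.new(user_key, epoch + nonce, hashlib.sha256).digest()[:16]
    return nonce + mac


class DecoyRouter:
    """Router side: recognizes signals made with an authorized user's key."""

    def __init__(self, authorized_keys: dict):
        self.keys = authorized_keys   # hypothetical user id -> secret key
        self.seen = set()             # accepted signals, kept to refuse replays

    def match(self, field: bytes, now: int):
        """Return the user id whose key produced `field`, or None."""
        if len(field) != TAG_LEN or field in self.seen:
            return None
        nonce, mac = field[:16], field[16:]
        # Try the current and the previous window to tolerate clock skew.
        for epoch_no in (now // WINDOW, now // WINDOW - 1):
            epoch = epoch_no.to_bytes(8, "big")
            for user, key in self.keys.items():
                want = hmac.new(key, epoch + nonce, hashlib.sha256).digest()[:16]
                if hmac.compare_digest(want, mac):
                    self.seen.add(field)
                    return user
        return None   # ordinary traffic: forward unchanged


if __name__ == "__main__":
    # Constructed sample keys and timestamp, for illustration only.
    router = DecoyRouter({"alice": b"A" * 32})
    signal = make_signal(b"A" * 32, 1_700_000_000)
    print(router.match(signal, 1_700_000_000))   # recognized user
    print(router.match(signal, 1_700_000_000))   # replayed signal is refused
```

Without the key, the field is 16 random bytes followed by 16 bytes of truncated HMAC output, which is why an ordinary router or monitor has nothing to match on.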
Curveball is difficult to detect or block because, unlike contemporary circumvention systems, it does not require the user to connect to a specific proxy site or use an unusual protocol. If a third party can discover the location of the specific proxy service, it can block, monitor, or, in some cases, spoof the proxy. Similarly, if a third party blocks or monitors uncommon protocols on its network, then protocols that cannot masquerade as common protocols will be defeated. In contrast, Curveball cannot be blocked without blocking the Internet itself: any route through a Curveball router makes every site outside the monitored network accessible.
To contact the BBN Curveball team, or to be added to our mailing list for future announcements, please reach us at <bbn-curveball-question at bbn dot com>. We will not share your email address with any third party.
Visit the Errata page for updates to the release notes and instructions for building, installing, configuring, and running BBN Curveball.
The views expressed are those of the author and do not reflect the official
policy or position of the Department of Defense or the U.S. Government.
Distribution Statement A – Approved for Public Release, Distribution Unlimited.
Copyright 2014-2016 – Raytheon BBN Technologies Corp. – All rights reserved