BBN Curveball

Disguising secure communications as ordinary web traffic

Curveball Features

  • Communications appear to be ordinary web traffic

  • True content and destination of communications are securely disguised

  • All communications are fully encrypted

  • Supports all standard network application protocols, including web browsing, VoIP, VNC, video chat, and file transfer

  • Supported on Windows, Android, Linux, and MacOS X

  • Access limited to holders of a personal secret key

  • Uses HTTP and HTTPS connections

  • Works with both symmetric and asymmetric routes

  • A single Curveball router can cover millions of routes

  • Multiple Curveball installations can run side-by-side without interference

  • Web sites do not require any configuration or software to work with Curveball

Security Risks in Monitored Environments

Secure and timely communication is essential to situational awareness, tactical decisions, and strategic planning. Current long-range communication mechanisms used by US forces and their allies conducting operations in a highly monitored environment are not adequately secure; they can be detected, traced, or disrupted. Special-purpose communications equipment, such as military radios, has identifiable RF signatures that reveal its presence and location to a third party. A stealthier way to avoid detection is to look like everyone else—that is, use the same commercial devices and Internet communications infrastructure that the local population uses but in such a way that a third party cannot detect the communication or discover its true destination or content.

The Curveball solution

BBN's Curveball project, under the DARPA SAFER Warfighter Communications program, seeks to solve the problem of secure and undetectable communications in a monitored environment. The Curveball project has developed software that runs on commercial smartphones and laptops, and software that runs on routers in the network, that disguise secure communications as ordinary web traffic. Using Curveball, users can securely communicate with each other or their command and control and access social intelligence sources such as Twitter or Facebook. A third party attempting to detect or monitor Curveball traffic sees traffic that appears to be to and from innocuous web sites, such as game, sporting news, or e-commerce sites.

Decoy Routing

Curveball provides security by hiding in plain sight. Curveball uses ordinary, commodity devices over standard, widely-used protocols, to make what appear to be connections to popular, innocuous web sites. What really happens is that Curveball uses decoy routing to securely disguise the true destination and content of the covert connections. A third party can neither detect the true destination of a Curveball connection nor intercept the data being sent over the connection. To a network monitor, connections created by Curveball users appear to be unremarkable connections to unremarkable web sites.

How Curveball Works

To create a Curveball connection, the Curveball user opens a connection to a web site using a standard web protocol. Once connected, the Curveball software embeds a cryptographically-secure signal within its messages to that web site. This signal is generated from a user's personal secret key to assure the user's authority to use Curveball.

When the connection passes through a router on the open Internet that is running the Curveball software, that router detects the signal and initiates a cryptographically-secure handshake with the Curveball user. Ordinary routers or other third parties cannot detect or decode these signals or the handshake. When the handshake is complete, the user can tunnel any protocol (e.g., Skype, VoIP, VPN, HTTP, or HTTPS) through the Curveball connection and therefore has the ability to access any web site or network resource on the open Internet. All standard network applications can use Curveball without modification.
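The signalling step described above can be illustrated with a keyed tag. This is an added example, not BBN's code or Curveball's actual wire format: it assumes a hypothetical 32-byte protocol field that normally carries random bytes, and the names `make_field` and `DecoyRouter` are invented for the illustration.

```python
import hashlib
import hmac
import os

FIELD_LEN = 32   # assumed: a protocol field whose bytes are normally random
TAG_LEN = 16     # half fresh randomness, half keyed tag


def make_field(user_key: bytes) -> bytes:
    """Client side: fresh random bytes followed by a tag keyed on them."""
    salt = os.urandom(FIELD_LEN - TAG_LEN)
    tag = hmac.new(user_key, salt, hashlib.sha256).digest()[:TAG_LEN]
    return salt + tag


class DecoyRouter:
    """Router side: recognises tagged flows; everything else is forwarded as usual."""

    def __init__(self, user_keys):
        self.user_keys = dict(user_keys)   # user id -> personal secret key
        self.seen = set()                  # fields already accepted (replay guard)

    def classify(self, field: bytes):
        """Return the user id for a valid, fresh signal, else None."""
        if len(field) != FIELD_LEN or field in self.seen:
            return None
        salt, tag = field[:-TAG_LEN], field[-TAG_LEN:]
        for user_id, key in self.user_keys.items():
            expected = hmac.new(key, salt, hashlib.sha256).digest()[:TAG_LEN]
            if hmac.compare_digest(expected, tag):
                self.seen.add(field)
                return user_id
        return None


def demo():
    # Constructed sample keys; not real Curveball keys.
    alice, mallory = os.urandom(32), os.urandom(32)
    router = DecoyRouter({"alice": alice})
    signal = make_field(alice)
    return {
        "authorized": router.classify(signal),
        "replayed": router.classify(signal),
        "wrong_key": router.classify(make_field(mallory)),
        "ordinary": router.classify(os.urandom(FIELD_LEN)),
    }


if __name__ == "__main__":
    print(demo())
```

Without a registered key the tagged field is computationally indistinguishable from the random bytes an ordinary client would send, which is why only the key-holding router can tell the two kinds of flow apart.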

Stealth Operation

Curveball is difficult to detect or block because, unlike contemporary circumvention systems, it does not require the user to connect to a specific proxy site or use an unusual protocol. If a third party can discover the location of the specific proxy service, it can block, monitor, or, in some cases, spoof the proxy. Similarly, if a third party blocks or monitors uncommon protocols on its network, then protocols that cannot masquerade as common protocols will be defeated. In contrast, Curveball cannot be blocked without blocking the Internet itself: any route through a Curveball router makes every site outside the monitored network accessible.

Contact us

To contact the BBN Curveball team, or to be added to our mailing list for future announcements, please reach us at <bbn-curveball-question at bbn dot com>. We will not share your email address with any third party.


Visit the Errata page for updates to the release notes and instructions for building, installing, configuring, and running BBN Curveball.



The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
Distribution Statement A – Approved for Public Release, Distribution Unlimited.

Copyright 2014-2016 – Raytheon BBN Technologies Corp. – All rights reserved