Statelessness introduces some new security issues that are addressed with the following techniques.
Protect continuations with MACs
With continuation passing, state no longer resides safely on the server. The client, or an attacker, could tamper with this state, for instance to manipulate the congestion window. We protect each continuation with a standard, tamper-resistant MAC.
Encrypt confidential information
Continuation state may contain sensitive information, such as the SSL keys for a session. Trickles encrypts this information with symmetric encryption to hide it from eavesdroppers or clients.
Keep recent history to prevent replays
A fully stateless system is inherently vulnerable to replay attacks, since the server forgets which packets it has seen. Instead, we use a constant amount of state, independent of the number of connections, to store recent packet history in a hash table. Incoming packets that match recently seen packets are ignored. Freshness is enforced on packets: each packet is timestamped, and packets older than a particular timeout are dropped. Thus, old packets are not needed in the packet history, and hence the history is purged periodically to limit its size.
Efficient range nonce mechanism with constant time range checks
Congestion control algorithms can be manipulated via client-supplied input, such as the recent loss history. Trickles defends against this by protecting the selective acknowledgments (SACKs) sent by clients with a novel range nonce scheme.
The range nonce scheme is an extension of the standard per-packet nonce technique. The server attaches a nonce to each packet sent to the client; the nonce is only revealed to the client if it actually receives the packet.
For packet $i$, generate a nonce $p_i$ from a secret sequence $r_j$ as follows, and attach it to the packet:
Now, when the client acknowledges a contiguous range of packets in a SACK, it attaches a range nonce computed as the XOR of the nonces of all packets in the range. By construction, most of the terms cancel out, leaving the range nonce equivalent to the XOR of just two points in the original secret sequence. Thus, ranges of arbitrary length can be checked in constant time.
$= (r_1 \oplus r_2) \oplus (r_2 \oplus r_3) \oplus \cdots \oplus (r_{n-1} \oplus r_n) \oplus (r_n \oplus r_{n+1})$
$= r_1 \oplus r_{n+1}$
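The range nonce check described above, as an added example that is not code from Trickles: the client XORs the nonces it actually received, and the server verifies any range with two sequence lookups. Deriving r_j from a keyed HMAC and the 8-byte nonce size are assumptions made here; p_i = r_i XOR r_(i+1) follows the expansion shown above.

```python
import hashlib
import hmac
from functools import reduce

NONCE_LEN = 8  # bytes per nonce; assumed, the page gives no size

def r(key: bytes, j: int) -> int:
    """Element r_j of the secret sequence. Assumption: derived as a
    truncated HMAC-SHA256 of the index, so the server stores only the key."""
    digest = hmac.new(key, j.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:NONCE_LEN], "big")

def packet_nonce(key: bytes, i: int) -> int:
    """Server: nonce p_i = r_i XOR r_(i+1), attached to packet i."""
    return r(key, i) ^ r(key, i + 1)

def client_range_nonce(received: dict, first: int, last: int) -> int:
    """Client: XOR of the nonces of packets first..last (needs every one)."""
    return reduce(lambda acc, i: acc ^ received[i], range(first, last + 1), 0)

def server_check(key: bytes, first: int, last: int, claimed: int) -> bool:
    """Server: two PRF calls and one XOR, whatever the range length."""
    if not 0 <= claimed < 1 << (8 * NONCE_LEN):
        return False
    expected = r(key, first) ^ r(key, last + 1)
    return hmac.compare_digest(expected.to_bytes(NONCE_LEN, "big"),
                               claimed.to_bytes(NONCE_LEN, "big"))

def demo():
    key = b"constructed-demo-key"  # constructed sample secret
    # Packets 1..1000 are sent; packet 500 is lost on the way to the client.
    received = {i: packet_nonce(key, i) for i in range(1, 1001) if i != 500}
    low = server_check(key, 1, 499, client_range_nonce(received, 1, 499))
    high = server_check(key, 501, 1000, client_range_nonce(received, 501, 1000))
    # A client claiming 1..1000 lacks p_500; XORing what it holds is rejected.
    forged = reduce(lambda acc, n: acc ^ n, received.values(), 0)
    overclaim = server_check(key, 1, 1000, forged)
    return low, high, overclaim

if __name__ == "__main__":
    print(demo())
```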
Denial-of-service attacks targeting the CPU
Each packet sent to a Trickles server contains a transport continuation with an embedded MAC. Prior to processing the continuation, the server checks the MAC to verify the continuation's validity. While this verification increases Trickles's CPU utilization relative to TCP, Trickles is capable of processing client requests at line speeds. Any attack targeting Trickles's CPU utilization would require an attacker capable of launching high-bandwidth attacks, and would also heavily load a TCP implementation.