Packet Level Authentication Overview



Similar documents
Mobility research group

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

Content Teaching Academy at James Madison University

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Chapter 10. Network Security

Current and Future Research into Network Security Prof. Madjid Merabti

Protocol Security Where?

Securing IP Networks with Implementation of IPv6

Cisco Which VPN Solution is Right for You?

Chapter 9. IP Secure

Mobile Office Security Requirements for the Mobile Office

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Bit Chat: A Peer-to-Peer Instant Messenger

Protecting Critical Information Infrastructures

DNS security: poisoning, attacks and mitigation

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Security Policy Revision Date: 23 April 2009

Virtual Private Networks

High Performance VPN Solutions Over Satellite Networks

A very short history of networking

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Protocol Rollback and Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

Firewalls P+S Linux Router & Firewall 2013

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

Chapter 5. Simple Ad hoc Key Management. 5.1 Introduction

COSC 472 Network Security

Steelcape Product Overview and Functional Description

ITL BULLETIN FOR JANUARY 2011

Secured VPN Models for LTE Backhaul Networks

CS 4803 Computer and Network Security

White Paper. Enhancing Website Security with Algorithm Agility

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Security in Wireless Local Area Network

ETHERNET WAN ENCRYPTION SOLUTIONS COMPARED

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

IPv6 First Hop Security Protecting Your IPv6 Access Network

Cornerstones of Security

Tomás P. de Miguel DIT-UPM. dit UPM

Recommended Wireless Local Area Network Architecture

Study on Remote Access for Library Based on SSL VPN

Network Access Security. Lesson 10

Analysis of IP Network for different Quality of Service

How To Secure My Data

Securing an IP SAN. Application Brief

Cross-layer security and resilience in wireless mesh networks

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Security vulnerabilities in the Internet and possible solutions

Sectra Communications ensuring security with flexibility

Report to WIPO SCIT Plenary Trilateral Secure Virtual Private Network Primer. February 3, 1999

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

TCP and Wireless Networks Classical Approaches Optimizations TCP for 2.5G/3G Systems. Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers

SEC , Cisco Systems, Inc. All rights reserved.

Intro to Firewalls. Summary

TCP for Wireless Networks

SANE: A Protection Architecture For Enterprise Networks

Computer Networks. Secure Systems

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Introduction to Security and PIX Firewall

Crypho Security Whitepaper

10 Secure Electronic Transactions: Overview, Capabilities, and Current Status

Outline. CSc 466/566. Computer Security. 18 : Network Security Introduction. Network Topology. Network Topology. Christian Collberg

Information Security

Client Server Registration Protocol

Site to Site Virtual Private Networks (VPNs):

VoIP QoS. Version 1.0. September 4, AdvancedVoIP.com. Phone:

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Mobile Communications Chapter 9: Mobile Transport Layer

SSL BEST PRACTICES OVERVIEW

Network Security Part II: Standards

VOICE OVER IP (VOIP) TO ENTERPRISE USERS GIOTIS KONSTANTINOS

VPN. Date: 4/15/2004 By: Heena Patel

Internet Privacy Options

Internet Protocol: IP packet headers. vendredi 18 octobre 13

Overview. SSL Cryptography Overview CHAPTER 1

CHAPTER 4 : CASE STUDY WEB APPLICATION DDOS ATTACK GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

Link Layer and Network Layer Security for Wireless Networks

CS 494/594 Computer and Network Security

PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ

Enterprise Security Management CheckPoint SecuRemote VPN v4.0 for pcanywhere

Secure Sockets Layer

VoIP Security. Seminar: Cryptography and Security Michael Muncan

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance

Secure Network Design: Designing a DMZ & VPN

LIST OF FIGURES. Figure No. Caption Page No.

Multidomain Network Based on Programmable Networks: Security Architecture

APWG. (n.d.). Unifying the global response to cybecrime. Retrieved from

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

What would you like to protect?

Lecture Objectives. Lecture 07 Mobile Networks: TCP in Wireless Networks. Agenda. TCP Flow Control. Flow Control Can Limit Throughput (1)

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Transcription:

Packet Level Authentication Overview Dmitrij Lagutin, Dmitrij.Lagutin@hiit.fi Helsinki Institute for Information Technology HIIT Aalto University School of Science and Technology

Contents Introduction Packet Level Authentication architecture Implementation and Applications of Packet Level Authentication PLA and HIP Conclusions 2

Introduction Internet is currently very insecure Attacks (DDoS, SPAM, etc.) are easy to launch Anyone can freely send data to any destination Attacks are difficult to stop and mitigate Firewalls can only block the traffic near the destination Practically impossible to distinguish valid traffic from unwanted one Culprits are rarely caught No accountability 3

Introduction: main security problems To protect the network against various attacks both endto-end and hop-by-hop security solutions are necessary End-to-end solutions protect the communication end points. They are not effective if the underlying network infrastructure is attacked and is unable to deliver packets Example: A server protected by firewall and HIP/IPSec will not able function if a denial-of-service attack chokes ISPs bandwidth After the network infrastructure has been protected, endto-end solutions can secure end-points and services efficiently 4

Packet Level Authentication (PLA) PLA is a novel method for securing the network infrastructure and providing availability on the network layer PLA is based on assumption that public key cryptography can be used to digitally sign large dataflows Using new public key cryptography algorithms which allow small key sizes compared to, e.g., RSA Using dedicated ASICs to accelerate cryptographic operations up to a speed of millions of verifications per second 5

Packet Level Authentication Paper currency contains built-in security measures (watermark, hologram), there is no need to contact the bank to verify bill's authenticity Similarly, PLA allows any node to verify authenticity of any packet without having any kind of trust association with the sender of the packet Modified, delayed and duplicated packets can be detected and discarded quickly before they can cause damage or consume resources in the rest of the network PLA complements existing security solutions instead of replacing them. PLA can work together with other security solutions like HIP and IPSec 6

Packet Level Authentication PLA offers protection on two layers PLA header added to each packet protects the packet through a cryptographic signature => invalid or unwanted traffic can be detected and discarded at the next hop Trusted third parties (TTPs) offer a trust management mechanism, they are equivalent of traditional certificate authorities Binds the user's cryptographic identity with a real one => accountability Authorizes the user to use the network => malicious nodes can be removed from the network 7

Example PLA architecture 8

PLA Header 9

PLA Header Signature by sender's private key together with a sender's public key are used to check authenticity of the packet Trusted third party (TTP) certificate authorizes the sender Timestamp is used to detect delayed packets which may be a sign of a replay attack Monotonically increasing sequence number is used to detect duplicated packets 10

PLA implementation and cryptographic solutions PLA software implementation exists for Linux and FreeBSD Elliptic curve cryptography (ECC) is used due to its compact keys. A 163-bit ECC key that is used with PLA is as strong as a 1024-bit RSA key The total size of the PLA header is about 1000 bits Simulations have shown that an unoptimized 90nm ASIC based on the FPGA could verify about 4Gbps of traffic Performance can be further improved by using optimized ASICs manufactured on a modern manufacturing process, jumbo frames, or not verifying every packet at every node Therefore, with a hardware acceleration PLA is scalable to 40Gbps and future 100Gbps interfaces 11

Applications of PLA Strong security mechanisms offered by PLA can also be utilized for other tasks, for example: Using PLA, it is possible to built a system where incoming connections are blocked by default unless explicitly allowed The sequence number that is present in the PLA header can be used for per packet or per bandwidth billing TTP certificate mechanism can also be used for user authentication (i.e., wireless LAN authentication) and roaming 12

Deployment and other issues PLA uses standard IP header extension mechanisms, therefore it is compatible with standard IP networks, and can be deployed gradually Packet verification at each node is not compulsory Initially, PLA can be used to build a control plane to the Internet. TTP certificate mechanism can be used to distinguish various types of traffic Reasonable privacy can be maintained by using multiple cryptographic identities that act as a pseudonyms Wrongdoers will be caught using the TTP mechanism, but in a normal situation users will be anonymous to the network 13

PLA and HIP PLA and HIP complement each other PLA: hop-by-hop integrity protection, authorization HIP: confidentiality, end-to-end security PLA does not need a key exchange, or complex signaling First sent message already authenticates the sender Potential initial use cases: HICCUPS-like VoIP scenario User authentication during, e.g., handovers 14

Conclusions PLA is novel way to secure the network infrastructure, it gives to every node the ability to verify independently the authenticity of every packet PLA is compatible with existing IP networks and can be used together with other security solutions PLA can also be used for other tasks, such as secure billing and authentication PLA is scalable for high speed networks and low power devices as long as dedicated hardware is used for accelerating cryptographic operations 15

References General PLA architecture: http://www.tcs.hut.fi/software/pla/new/doc/lagutin-redesigning%20internet-the%20packet%20level%20authentication%20architecture.pdf Using PLA to control incoming connections http://www.springerlink.com/content/51h06845116j0167 Energy efficiency of PLA in wireless networks: http://www.springerlink.com/content/y60115lmu6374157/ Securing media independent handovers with PLA: http://doi.ieeecomputersociety.org/10.1109/wimob.2009.50 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information