Key exchange with the help of a public ledger

Blockchains and other public ledger structures promise a new way to create globally consistent event logs and other records. We make use of this consistency property to detect and prevent man-in-the-middle attacks in a key exchange such as Diffie-Hellman or ECDH. Essentially, the MitM attack creates an inconsistency in the world views of the two honest parties, and they can detect it with the help of the ledger. Thus, there is no need for prior knowledge or trusted third parties apart from the distributed ledger. To prevent impersonation attacks, we require user interaction. It appears that, in some applications, the required user interaction is reduced in comparison to other user-assisted key-exchange protocols

A Comprehensive Survey of Voice over IP Security Research

We present a comprehensive survey of Voice over IP security academic research, using a set of 245 publications forming a closed cross-citation set. We classify these papers according to an extended version of the VoIP Security Alliance (VoIPSA) Threat Taxonomy. Our goal is to provide a roadmap for researchers seeking to understand existing capabilities and to identify gaps in addressing the numerous threats and vulnerabilities present in VoIP systems. We discuss the implications of our findings with respect to vulnerabilities reported in a variety of VoIP products. We identify two specific problem areas (denial of service, and service abuse) as requiring significant more attention from the research community. We also find that the overwhelming majority of the surveyed work takes a black box view of VoIP systems that avoids examining their internal structure and implementation. Such an approach may miss the mark in terms of addressing the main sources of vulnerabilities, i.e., implementation bugs and misconfigurations. Finally, we argue for further work on understanding cross-protocol and cross-mechanism vulnerabilities (emergent properties), which are the byproduct of a highly complex system-of-systems and an indication of the issues in future large-scale systems

Secure communication using dynamic VPN provisioning in an Inter-Cloud environment

Most of the current cloud computing platforms offer Infrastructure as a Service (IaaS) model, which aims to provision basic virtualised computing resources as on-demand and dynamic services. Nevertheless, a single cloud does not have limitless resources to offer to its users, hence the notion of an Inter-Cloud enviroment where a cloud can use the infrastructure resources of other clouds. However, there is no common framework in existence that allows the srevice owners to seamlessly provision even some basic services across multiple cloud service providers, albeit not due to any inherent incompatibility or proprietary nature of the foundation technologies on which these cloud platforms are built. In this paper we present a novel solution which aims to cover a gap in a subsection of this problem domain. Our solution offer a security architecture that enables service owners to provision a dynamic and service-oriented secure virtual private network on top of multiple cloud IaaS providers. It does this by leveraging the scalability, robustness and flexibility of peer- to-peer overlay techniques to eliminate the manual configuration, key management and peer churn problems encountered in setting up the secure communication channels dynamically, between different components of a typical service that is deployed on multiple clouds. We present the implementation details of our solution as well as experimental results carried out on two commercial clouds

Prospects of peer-to-peer SIP for mobile operators

Tämän diplomityön tarkoituksena on esitellä kehitteillä oleva Peer-to-Peer Session Initiation Protocol (P2PSIP), jonka avulla käyttäjät voivat itsenäisesti ja helposti luoda keskenään puhe- ja muita multimediayhteyksiä vertaisverkko-tekniikan avulla. Lisäksi tarkoituksena on arvioida P2PSIP protokollan vaikutuksia ja mahdollisuuksia mobiilioperaattoreille, joille sitä voidaan pitää uhkana. Tästä huolimatta, P2PSIP:n ei ole kuitenkaan tarkoitus korvata nykyisiä puhelinverkkoja. Työn alussa esittelemme SIP:n ja vertaisverkkojen (Peer-to-Peer) periaatteet, joihin P2PSIP-protokollan on suunniteltu perustuvan. SIP mahdollistaa multimedia-istuntojen luomisen, sulkemisen ja muokkaamisen verkossa, mutta sen monipuolinen käyttö vaatii keskitettyjen palvelimien käyttöä. Vertaisverkon avulla käyttäjät voivat suorittaa keskitettyjen palvelimien tehtävät keskenään hajautetusti. Tällöin voidaan ylläpitää laajojakin verkkoja tehokkaasti ilman palvelimista aiheutuvia ylläpito-kustannuksia. Mobiilioperaattorit ovat haasteellisen tilanteen edessä, koska teleliikennemaailma on muuttumassa yhä avoimemmaksi. Tällöin operaattoreiden asiakkaille aukeaa mahdollisuuksia käyttää kilpailevia Internet-palveluja (kuten Skype) helpommin ja tulevaisuudessa myös itse muodostamaan kommunikointiverkkoja P2PSIP:n avulla. Tutkimukset osoittavat, että näistä uhista huolimatta myös operaattorit pystyvät näkemään P2PSIP:n mahdollisuutena mukautumisessa nopeasti muuttuvan teleliikennemaailman haasteisiin. Nämä mahdollisuudet sisältävät operaattorin oman verkon optimoinnin lisäksi vaihtoehtoisten ja monipuolisempien palveluiden tarjoamisen asiakkailleen edullisesti. Täytyy kuitenkin muistaa, että näiden mahdollisuuksien toteuttamisten vaikutusten ei tulisi olla ristiriidassa operaattorin muiden palveluiden kanssa. Lisäksi tulisi muistaa, että tällä hetkellä keskeneräisen P2PSIP-standardin lopullinen luonne ja ominaisuudet voivat muuttaa sen vaikutuksia.The purpose of this thesis is to present the Peer-to-Peer Session Initiation Protocol (P2PSIP) being developed. In addition, the purpose of this thesis is to evaluate the impacts and prospects of P2PSIP to mobile operators, to whom it can be regarded as a threat. In P2PSIP, users can independently and easily establish voice and other multimedia connections using peer-to-peer (P2P) networking. However, P2PSIP is not meant to replace the existing telephony networks of the operators. We start by introducing the principles of SIP and P2P networking that the P2PSIP is intended to use. SIP enables to establish, terminate and modify multimedia sessions, but its versatile exploitation requires using centralized servers. By using P2P networking, users can decentralize the functions of centralized servers by performing them among themselves. This enables to maintain large and robust networks without maintenance costs resulted of running such centralized servers. Telecommunications market is transforming to a more open environment, where mobile operators and other service providers are challenged to adapt to the upcoming changes. Subscribers have easier access to rivalling Internet-services (such as Skype) and in future they can form their own communication communities by using P2PSIP. The results show that despite of these threats, telecom operators can find potential from P2PSIP in concurrence in adaptation to the challenges of the rapidly changing telecom environment. These potential roles include optimization of the network of the operator, but as well roles to provide alternative and more versatile services to their subscribers at low cost. However, the usage of P2PSIP should not conflict with the other services of the operator. Also, as P2PSIP is still under development, its final nature and features may change its impacts and prospects

Approaches for Future Internet architecture design and Quality of Experience (QoE) Control

Researching a Future Internet capable of overcoming the current Internet limitations is a strategic investment. In this respect, this paper presents some concepts that can contribute to provide some guidelines to overcome the above-mentioned limitations. In the authors' vision, a key Future Internet target is to allow applications to transparently, efficiently and flexibly exploit the available network resources with the aim to match the users' expectations. Such expectations could be expressed in terms of a properly defined Quality of Experience (QoE). In this respect, this paper provides some approaches for coping with the QoE provision problem

Security for Decentralised Service Location - Exemplified with Real-Time Communication Session Establishment

Decentralised Service Location, i.e. finding an application communication endpoint based on a Distributed Hash Table (DHT), is a fairly new concept. The precise security implications of this approach have not been studied in detail. More importantly, a detailed analysis regarding the applicability of existing security solutions to this concept has not been conducted. In many cases existing client-server approaches to security may not be feasible. In addition, to understand the necessity for such an analysis, it is key to acknowledge that Decentralised Service Location has some unique security requirements compared to other P2P applications such as filesharing or live streaming. This thesis concerns the security challenges for Decentralised Service Location. The goals of our work are on the one hand to precisely understand the security requirements and research challenges for Decentralised Service Location, and on the other hand to develop and evaluate corresponding security mechanisms. The thesis is organised as follows. First, fundamentals are explained and the scope of the thesis is defined. Decentralised Service Location is defined and P2PSIP is explained technically as a prototypical example. Then, a security analysis for P2PSIP is presented. Based on this security analysis, security requirements for Decentralised Service Location and the corresponding research challenges -- i.e. security concerns not suitably mitigated by existing solutions -- are derived. Second, several decentralised solutions are presented and evaluated to tackle the security challenges for Decentralised Service Location. We present decentralised algorithms to enable availability of the DHTs lookup service in the presence of adversary nodes. These algorithms are evaluated via simulation and compared to analytical bounds. Further, a cryptographic approach based on self-certifying identities is illustrated and discussed. This approach enables decentralised integrity protection of location-bindings. Finally, a decentralised approach to assess unknown identities is introduced. The approach is based on a Web-of-Trust model. It is evaluated via prototypical implementation. Finally, the thesis closes with a summary of the main contributions and a discussion of open issues

Actas da 10ª Conferência sobre Redes de Computadores

Universidade do MinhoCCTCCentro AlgoritmiCisco SystemsIEEE Portugal Sectio