Utilisation d'identifiants cryptographiques pour la sécurisation IPv6

IPv6, protocole succédant à IPv4, est en cours de déploiement dans l Internet. Il repose fortement sur le mécanisme Neighbor Discovery Protocol (NDP). Celui-ci permet non seulement à deux nœuds IPv6 de pouvoir communiquer, à l instar du mécanisme Address Resolution Protocol (ARP) en IPv4, mais il apporte aussi de nouvelles fonctionnalités, telles que l autoconfiguration d adresse IPv6. Aussi, sa sécurisation pour le bon fonctionnement de l Internet en IPv6 est critique. Son mécanisme de sécurité standardisée à l Internet Engineering Task Force (IETF) se nomme Secure Neighbor Discovery (SEND). Il s appuie à la fois sur l utilisation d identifiants cryptographiques, adresses IPv6 appelées Cryptographically Generated Addresses (CGA) et qui sont générées à partir d une paire de clés publique/privée, et de certificats électroniques X.509. L objet de cette thèse est l étude de ces identifiants cryptographiques, les adresses CGA, ainsi que le mécanisme SEND les employant, et leurs réutilisations potentielles pour la sécurisation IPv6. Dans une première partie de cette thèse, tout d abord, nous posons l état de l art. Dans une deuxième partie de cette thèse, nous nous intéressons à la fiabilité du principal mécanisme connu employant les adresses CGA, le mécanisme SEND. Dans une troisième et dernière partie de cette thèse, nous présentons des utilisations des identifiants cryptographiques pour la sécurisation IPv6IPv6, next Internet protocol after IPv4, is under deployment in the Internet. It is strongly based on the Neighbor Discovery Protocol (NDP) mechanism. First, it allows two IPv6 nodes to communicate, like the Address Resolution Protocol (ARP) mechanism in IPv4, but it brings new functions too, as IPv6 address autoconfiguration. So, the security of this mechanism is critical for an Internet based on IPv6. The security mechanism standardized by the Internet Engineering Task Force (IETF) is Secure Neighbor Discovery (SEND). It is based on the use of cryptographical identifiers, IPv6 addresses named Cryptographically Generated Addresses (CGA) and generated from a public/private keys pair, and X.509 certificates. The goal of this PhD thesis is the study of such cryptographical identifiers, CGA addresses, as well as SEND using them, and their potential re-use to secure IPv6. In a first part of this thesis, we recall the main features of the IPv6 protocol. In a second part of this thesis, we are interested in the reliability of the main known mechanism using the CGA addresses, SEND. In a third and last part of this thesis, we present different uses of cryptographical identifiers to secure IPv6EVRY-INT (912282302) / SudocSudocFranceF

Analysis of security impact of making mShield an IPv4 to IPv6 converter box

info:eu-repo/semantics/acceptedVersio

A security architecture for IPv6 enabled wireless medical sensor networks.

We present the design of an IPv6 enabled wireless sensor network based on the IEEE 802.15.4 standard for medical monitoring. We design a routing mechanism for efficient flooding, a hop-by-hop error recovery and congestion control mechanism for reliable packet delivery and a lightweight security architecture for the medical monitoring system. We extend the widely used Extensible Authentication Protocol (EAP) to employ the Generalized Pre-shared Key (GPSK) authentication method with some optimizations for securing the system. We use the 3-party EAP model with the Personal Area Network Coordinator (PAN coordinator) of IEEE 802.15.4 standard as the EAP authenticator for authenticating sensor nodes within the radio range of the PAN coordinator. In order to use EAP authentication for a sensor node several hops away from the PAN coordinator, we define a new role (relay authenticator) for its coordinator which tunnels EAP messages to the PAN coordinator securely. We define EAP message encapsulation for IEEE 802.15.4 networks and a key hierarchy for the security architecture. We have simulated the system and shown that EAP based authentication is feasible in wireless sensor networks.The original print copy of this thesis may be available here: http://wizard.unbc.ca/record=b136235

Mecanismos de facturação segura em redes auto-organizadas

Mestrado em Engenharia Electrónica e TelecomunicaçõesAs redes ad-hoc e as redes auto-organizadas constituem uma área de investigação com grande interesse. Estas redes são uteis em cenários onde seja necessária uma rede de baixo custo, elevada adaptabilidade e reduzido tempo de criação. As redes infra-estruturadas, tendo uma gestão centralizada, estão agora a começar a adoptar os conceitos de redes autoorganizadas nas suas arquitecturas. Ao contrário dos sistemas centralizados, redes auto-organizadas requerem que todos os terminais participantes operem de acordo com o melhor interesse da rede. O facto de, em redes ad-hoc, os equipamentos possuírem recursos limitados, pôe em causa este requisito levando a comportamentos egoístas. Este comportamento é espectavel criando problemas nas redes auto-organizativas, ameaçando o funcionamento de uma rede inteira. Algumas propostas foram ja criadas de modo a motivar a sua utilização correcta. Destas, algumas são baseadas em trocas de credito entre utilizadores, outras preveêm a existência de entidades gestoras de creditos. Estas ultimas propostas, que irão ser o foco desta dissertação, permitem a facil integração de redes ad-hoc com redes infra-estruturadas e geridas por um operador. Este trabalho descreve o estado da arte actual e, com algum detalhe, os métodos utilizados e as solucões relevantes para esta area. São propostas duas novas soluções de taxação para estas redes. Ambas as soluções possibilitam a integração das redes com metodos de taxação habituais em redes geridas por operadores. Para além disto, a motivação à participaçãao é aumentada através de incentivos ao encaminhamento de pacotes. Todos os processos são criptograficamente seguros através da utilização de métodos standard como DSA sobre Curvas Elípticas e funções de síntese robustas. As soluções propostas são descritas analiticamente e analisadas, sendo os os resultados obtidos comparados com outra proposta do estado da arte. Um exaustivo trabalho de simulação é igualmente descrito de forma a avaliar as soluções em cenários mais complexos. Os resultados obtidos em simulação são avaliados tendo em conta a variação de várias métricas como mobilidade, carga na rede, protocolo de encaminhamento e protocolo de transporte. No final, a arquitectura, implementação e resultados obtidos com uma implementação real de uma das propostas e os seus resultados analisados.Self-organised and ad-hoc networks are an area with an existing large research community. These networks are much useful in scenarios requiring a rapidly deployed, low cost and highly adaptable network. Recently, infrastructure networks, which are managed in a much centralised form, are starting to introduce concepts of self-organised networks in its architecture. In opposition to centralised systems, self-organisation creates the necessity for all nodes to behave according to the best interest of the network. The fact that in many ad-hoc networks nodes have scarce resources poses some threats to this requirement. As resources decreases, such as battery or wireless bandwidth, nodes can start acting selfishly. This behaviour is known to bring damage to self-organised networks and threatens the entire network. Several proposals were made in order to promote the correct usage of the network. Some proposals are based on local information and direct credit exchange while others envision the existence of a central bank. The later solutions are further elaborated in this thesis, as they make possible integration of ad-hoc network with operator driven infrastructures. This work presents the current state-of-the-art on the area providing a detailed insight on the methods adopted by each solution presented. Two novel solutions are proposed providing charging support for integrated ad-hoc networks. Both solutions provide means of integration with standard management methods found in operator networks. Also, node´s motivation is increased through the reward of nodes forwarding data packets. The entire process is cryptographically secure, making use of standard methods such as Elliptic Curve DSA and strong digest functions. The solutions proposed are described and analysed analytically, comparing the results with other state-of-the-art proposals. Extensive simulation work is also presented which furthers evaluates the solutions in complex scenarios. Results are obtained from these scenarios and several metrics are evaluated taking in consideration mobility, network load, routing protocol and transport protocol. The architecture and results obtained with a real implementation are finally presented and analysed

NAT64/DNS64 in the Networks with DNSSEC

Zvyšuj?c? se pod?l resolverů a aplikac? použ?vaj?c? DNS-over-HTTPSvede k vyš?mu pod?lu klientů použ?vaj?c?ch DNS resolvery třet?chstran. Kvůli tomu ovšem selhává nejpouž?vanějš? NAT64 detekčn?metoda RFC7050[1], což vede u klientů použ?vaj?c?ch přechodovémechanismy NAT64/DNS64 nebo 464XLAT k neschopnosti tytopřechodové mechanismy správně detekovat, a t?m k nedostupnostiobsahu dostupného pouze po IPv4. C?lem této práce je navrhnoutnovou detekčn? metodu postavenou na DNS, která bude pracovati s resolvery třet?ch stran, a bude schopná využ?t zabezpečen? DNSdat pomoc? technologie DNSSEC. Práce popisuje aktuálně standardizovanémetody, protokoly na kterých závis?, jejich omezen?a interakce s ostatn?mi metodami. Navrhovaná metoda použ?vá SRVzáznamy k přenosu informace o použitém NAT64 prefixu v globáln?mDNS stromu. Protože navržená metoda použ?vá již standardizovanéprotokoly a typy záznamů, je snadno nasaditelná bez nutnostimodifikovat jak DNS server, tak s?t'ovou infrastrukturu. Protožemetoda použ?vá k distribuci informace o použitém prefixu globáln?DNS strom, umožňuje to metodě použ?t k zabezpečen? technologiiDNSSEC. To této metodě dává lepš? bezpečnostn? vlastnosti nežjaké vykazuj? předchoz? metody. Tato práce vytvář? standardizačn?bázi pro standardizaci v rámci IETF.The rising number of DNS-over-HTTPS capable resolvers and applicationsresults in the higher use of third-party DNS resolvers byclients. Because of that, the currently most deployed method of theNAT64 prefix detection, the RFC7050[1], fails to detect the NAT64prefix. As a result, clients using either NAT64/DNS64 or 464XLATtransition mechanisms fail to detect the NAT64 prefix properly,making the IPv4-only resources inaccessible. The aim of this thesisis to develop a new DNS-based detection method that would workwith foreign DNS and utilize added security by the DNS securityextension, the DNSSEC. The thesis describes current methods ofthe NAT64 prefix detection, their underlying protocols, and theirlimitations in their coexistence with other network protocols. Thedeveloped method uses the SRV record type to transmit the NAT64prefix in the global DNS tree. Because the proposed method usesalready existing protocols and record types, the method is easilydeployable without any modification of the server or the transportinfrastructure. Due to the global DNS tree usage, the developedmethod can utilize the security provided by the DNSSEC and thereforeshows better security characteristics than previous methods.This thesis forms the basis for standardization effort in the IETF.

Securing military decision making in a network-centric environment

The development of the society and warfare goes hand in hand. With the proliferation of modern information technology, in particular communication technology, concepts such as information warfare and network-centric warfare have emerged. Information has become one of the core elements in military decision making, where the purpose is to gain information superiority with respect to the enemy while denying the enemy from doing the same. Network-centricity comes from the fact that communication networks are used to enable information warfare in the theatre of operations. Thus, the role of the communication network is to support decision making. In this thesis, military decision making in a network-centric environment is analyzed from the perspective of information warfare. Based on the analysis, a set of security requirements are identified. The thesis also proposes a set of solutions and concepts to the vulnerabilities found and analyzes the solutions with respect to the requirements and a set of use scenarios. The main solutions are Packet Level Authentication, which secures the military infrastructure, and Self-healing Networks, which enable the network to restructure itself after a large-scale or dedicated attack. The restructuring process relies on a Context Aware Management architecture, which has originally been developed to allow network nodes to rapidly react to a changing environment. Furthermore, the thesis presents a trust management model based on incomplete trust to cope with compromised nodes. Also privacy issues are discussed; several different privacy classes are identified and the problems with each of them are addressed.reviewe

An Analysis of Selected IPv6 Network Attacks

Tato diplomová práce se zabývá analýzou a demonstrací vybraných IPv6 útoků, konkrétně dvou Man-in-the-Middle útoků a jednoho Denial of Service útoku - Rogue Router Advertisement a Neighbor Cache Poisoning resp. Duplicate Address Detection DoS. V její první části autor prezentuje informace související s danou problematikou a nutné na pochopení problému. Dále autor poskytuje detailní popis realizace daných útoků v praxi za pomoci veřejně dostupných nástrojů. Druhá část práce nastíňuje možnosti prevence proti prezentovaným útokům, analyzuje implementace některých způsobů obrany na Cisco a H3C zařízeních a diskutuje jejích použitelnost.This master's thesis analyses and demonstrates selected IPv6 attacks including two Man-in-the-Middle attacks and one Denial of Service attack - Rogue Router Advertisement, Neighbor Cache Poisoning and Duplicate Address Detection DoS, respectively. In the first part the author presents necessary information related to the issue and provides detailed information on how to realize these attacks in practice using publicly available tools. The second part of the thesis presents various ways of mitigating presented attacks, analyses implementations of some of those countermeasures on Cisco and H3C devices and discussess their applicability.