Standards-based End-to-End IP Security for the Internet of Things

Abstract-Peer authentication and secure data transmission are vital aspects for many scenarios in the IP-based Internet of Things (IoT). To enable end-to-end security, recent research and standardization efforts focus on a number of IP security protocol variants for the IoT, most notably Datagram TLS (DTLS), the HIP Diet EXchange (DEX), and minimal IKEv2. In this dissertation outline, we present the main motivation for employing these protocol variants in constrained network environments and discuss the need to surpass the status quo. Most importantly, we highlight our identified challenges when employing these protocol variants in constrained network environments and provide a high-level overview of our previously proposed approaches to counteract the identified design-level protocol issues

Internet Engineering Task Force (IETF)

Abstract This document considers a VPN end user establishing an IPsec Security Association (SA) with a Security Gateway using the Internet Key Exchange Protocol version 2 (IKEv2), where at least one of the peers has multiple interfaces or where Security Gateway is a cluster with each node having its own IP address

Protocols, performance assessment and consolidation on interfaces for standardization – D3.3

The following document presents a detailed description of the protocol for the “ Control Channels for the Cooperation of the Cognitive Management System ” (C4MS) which provides the necessary means to enable proper management of Opportunistic Networks. Additionally, the document defines the methodology that was applied for the purpose of signalling evaluation. The protocol overview presented in section 2 of the main document, provides the C4MS principles. The section includes, among others, the description of the protocol identifiers, procedures, protocol state machines and message format as well as the security asp ects. Section 3 provides a high-level description of the data structures defined within the scope of OneFIT project. The data structures are classified into five categories, i.e.: Profiles, Context, Decisions,Knowledge and Policies. The high level description is complemented by some detailed data structures in the Appendix to D3.3 Section 3[10]. Section 4 provides details on the evaluation methodology applied for the purpose of C4MS performance assessment. The section presents the evaluation plan along with a description of metrics that are to be exploited in the scope of WP3. Section 5 and Section 6 are composed of the signalling evaluation results. Section 5 focuses on the estimation of the signalling load imposed by ON management in different ON phases. Additionally some results for the initialization phase (not explicitly mentioned in the previous phases of the project)and security related aspects are also depicted. Section 6 on the other hand is focused on the evaluation of the signalling traffic generated by different ON related algorithms. Conclusions to the document are drawn in section 7. Detailed description of the C4MS procedures, implementation options based on IEEE 802.21, DIAMTER and 3GPP are depicted in the appendix to the D3.3[10] . Additionally, the appendix incorporates the detailed definition of the information data structures and final set of Message Sequence Charts (MSCs) provided for the OneFIT project.Peer ReviewedPreprin

A Review on Internet of Things (IoT): Security and Privacy Requirements and the Solution Approaches

The world is undergoing a dramatic rapid transformation from isolated systems to ubiquitous Internet-based-enabled 2018;things2019; capable of interacting each other and generating data that can be analyzed to extract valuable information. This highly interconnected global network structure known as Internet of Things will enrich everyone2019;s life, increase business productivity, improve government efficiency, and the list just goes on. However, this new reality (IoT) built on the basis of Internet, contains new kind of challenges from a security and privacy perspective. Traditional security primitives cannot be directly applied to IoT technologies due to the different standards and communication stacks involved. Along with scalability and heterogeneity issues, major part of IoT infrastructure consists of resource constrained devices such as RFIDs and wireless sensor nodes. Therefore, a flexible infrastructure is required capable to deal with security and privacy issues in such a dynamic environment. This paper presents an overview of IoT, security and privacy challenges and the existing security solutions and identifying some open issues for future research

A survey of the interaction between security protocols and transport services

This document provides a survey of commonly used or notable network security protocols, with a focus on how they interact and integrate with applications and transport protocols. Its goal is to supplement efforts to define and catalog Transport Services by describing the interfaces required to add security protocols. This survey is not limited to protocols developed within the scope or context of the IETF, and those included represent a superset of features a Transport Services system may need to support

Nation-State Attackers and their Effects on Computer Security

Nation-state intelligence agencies have long attempted to operate in secret, but recent revelations have drawn the attention of security researchers as well as the general public to their operations. The scale, aggressiveness, and untargeted nature of many of these now public operations were not only alarming, but also baffling as many were thought impossible or at best infeasible at scale. The security community has since made many efforts to protect end-users by identifying, analyzing, and mitigating these now known operations. While much-needed, the security community's response has largely been reactionary to the oracled existence of vulnerabilities and the disclosure of specific operations. Nation-State Attackers, however, are dynamic, forward-thinking, and surprisingly agile adversaries who do not rest on their laurels and are continually advancing their efforts to obtain information. Without the ability to conceptualize their actions, understand their perspective, or account for their presence, the security community's advances will become antiquated and unable to defend against the progress of Nation-State Attackers. In this work, we present and discuss a model of Nation-State Attackers that can be used to represent their attributes, behavior patterns, and world view. We use this representation of Nation-State Attackers to show that real-world threat models do not account for such highly privileged attackers, to identify and support technical explanations of known but ambiguous operations, and to identify and analyze vulnerabilities in current systems that are favorable to Nation-State Attackers.PHDComputer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttps://deepblue.lib.umich.edu/bitstream/2027.42/143907/1/aaspring_1.pd

The main stages of development of the cryptographic protocols SSL/TLS and IPsec

Рассматриваются основные этапы развития криптографических протоколов от SSL 2.0 (Secure Socket Layer) до TLS 1.3 (Transport Layer Security), обеспечивающих защиту данных транспортного уровня модели OSI. Приводится краткое описание модификации протокола RuTLS, построенного на базе TLS 1.3, и их основные отличия. Развитие IPsec, предоставляющего криптографическую защиту коммуникаций на сетевом уровне модели OSI, рассмотрено на примерах развития трёх наиболее часто применяемых протоколов, на основе которых он строится. В их число входят IKE (Internet Key Exchange), AH (Authentication Header), ESP (Encapsulation Security Payload)

Semos a middleware for providing secure and mobility aware sessions over a p2p overlay network

International audience; Mobility and security are major features for both current and future network infrastructures. Nevertheless, the integration of mobility in traditional virtual private networks is difficult due to the costs of re-establishing broken secure tunnels and restarting broken connections. Besides session recovery costs, renegotiation steps also present inherent vulnerabilities. In order to address these issues, we propose a new distributed mobile VPN system called SEcured MObile Session (SEMOS). Based upon our CLOAK peer-to-peer overlay architecture, SEMOS provides security services to the application layer connections of mobile users. Secure and resilient sessions allow user connections to survive network failures as opposed to regular transport layer secured connections used by traditional VPN protocols. Document type: Part of book or chapter of boo

Practical Quantum-Safe Stateful Hybrid Key Exchange Protocol

Shor\u27s quantum algorithm, running in quantum computers, can efficiently solve integer factorization problem and discrete logarithm problem in polynomial time. This poses an urgent and serious threat to long-term security with recent accelerated evolution of quantum computing. However, National Institute of Standards and Technology (NIST) plans to release its standard of post-quantum cryptography between 2022 and 2024. It is crucially important to propose an early solution, which is likely secure against quantum attacks and classical attacks, and likely to comply with the future NIST standard. A robust combiner combines a set of 2 or more cryptography primitives into a new primitive of the same type, and guarantees that if anyone of the ingredient primitive is secure, then the resulting primitive is secure. This work proposes the first construction of robust combiner for Key Encapsulation Mechanism (KEM), with optimal amortized performance. From our robust combiner of KEMs, we construct efficient stateful hybrid Key Exchange Protocol (KEP), which is more suitable for two parties who will communicate with each other frequently