186 research outputs found

    Securing Internet of Things with Lightweight IPsec

    Real-world deployments of wireless sensor networks (WSNs) require secure communication. It is important that a receiver is able to verify that sensor data was generated by trusted nodes. In some cases it may also be necessary to encrypt sensor data in transit. Recently, WSNs and traditional IP networks have become more tightly integrated using IPv6 and 6LoWPAN. Available IPv6 protocol stacks can use IPsec to secure data exchange. Thus, it is desirable to extend 6LoWPAN such that IPsec communication with IPv6 nodes is possible. It is beneficial to use IPsec because the existing end-points on the Internet do not need to be modified to communicate securely with the WSN. Moreover, using IPsec, true end-to-end security is implemented and the need for a trustworthy gateway is removed. In this paper we provide End-to-End (E2E) secure communication between IP-enabled sensor nodes and a device on the traditional Internet. This is the first compressed lightweight design, implementation, and evaluation of a 6LoWPAN extension for IPsec on Contiki. Our extension supports both IPsec's Authentication Header (AH) and Encapsulation Security Payload (ESP). Thus, communication endpoints are able to authenticate, encrypt and check the integrity of messages using standardized and established IPv6 mechanisms.

    Enabling Intrusion Detection in IPSEC Protected IPV6 Networks through Secret-Key Sharing

    As the Internet Protocol version 6 (IPv6) implementation becomes more widespread, the IP Security (IPSec) features embedded into the next-generation protocol will become more accessible than ever. Though the network-layer encryption provided by IPSec is a boon to data security, its use renders standard network intrusion detection systems (NIDS) useless. The problem of performing intrusion detection on encrypted traffic has been addressed by differing means with each technique requiring one or more static secret keys to be shared with the NIDS beforehand. The problem with this approach is static keying is much less secure than dynamic key generation through the Internet Key Exchange (IKE) protocol. This research creates and evaluates a secret-key sharing framework which allows both the added security of dynamic IPSec key generation through IKE, and intrusion detection capability for a NIDS on the network. Analysis shows that network traffic related to secret-key sharing with the proposed framework can account for up to 58.6% of total traffic in the worst case scenario, though workloads which are arguably more average decrease that traffic to 10-15%. Additionally, actions associated with IKE and secret-key sharing increase CPU utilization on the NIDS up to 20.7%. Results show, at least in limited implementations, a secret-key sharing framework provides robust coverage and is a viable intrusion detection option

    Defending against redirect attacks in mobile IP

    A framework for IPSec functional architecture.

    In today's network, various stand-alone security services and/or proxies are used to provide different security services. These individual security systems implementing one single security function cannot address security needs of evolving networks that require secure protocol such as IPSec. In this paper, we provide a framework for implementing IPSec security functions in a well-structured functional architecture. The proposed architecture is modular and allows for composing software applications from products commercially available and developed by different suppliers to implement the entire security requirements of IPSec protocol. In addition the proposed architecture is robust in the sense that it supports open standards and interfaces, and implements security functions of IPSec as an integrated solution under a unified security management system. Dept. of Electrical and Computer Engineering. Paper copy at Leddy Library: Theses & Major Papers - Basement, West Bldg. / Call Number: Thesis2005 .F34. Source: Masters Abstracts International, Volume: 44-03, page: 1451. Thesis (M.Sc.)--University of Windsor (Canada), 2005

    MULTICAST VIRTUAL PRIVATE NETWORK PER-FLOW MONITORING FOR AN AGGREGATED TUNNEL IN A MULTIPROTOCOL LABEL SWITCHING CORE

    Typically, when a service provider carries customer multicast traffic over a core network, the traffic is carried over tunnels, which are often aggregated. There are many reasons for aggregated tunnel use, such as issues of scale and/or hardware limitations. While aggregated tunnels can be useful for carrying multicast traffic, it can be difficult to monitor network health when tunnels are aggregated. Techniques of this proposal provide for the ability to monitor network health by supporting per-flow counters for aggregated tunnels for both Internet Protocol (IP) version 4 and version 6 (IPv4/IPv6) traffic in a manner that is scalable and can be provided on-demand.

    Performance Evaluation of end-to-end security protocols in an Internet of Things

    Wireless Sensor Networks are destined to play a fundamental role in the next-generation Internet, which will be characterized by the Machine-to-Machine paradigm, according to which, embedded devices will actively exchange information, thus enabling the development of innovative applications. It will contribute to assert the concept of Internet of Things, where end-to-end security represents a key issue. In such context, it is very important to understand which protocols are able to provide the right level of security without burdening the limited resources of constrained networks. This paper presents a performance comparison between two of the most widely used security protocols: IPSec and DTLS. We provide the analysis of their impact on the resources of embedded devices. For this purpose, we have modified existing implementations of both protocols to make them properly run on our hardware platforms, and we have performed an extensive experimental evaluation study. The achieved results are not a consequence of a classical simulation campaign, but they have been obtained in a real scenario that uses software and hardware typical of the current technological developments. Therefore, they can help network designers to identify the most appropriate secure mechanism for end-to-end IP communications involving constrained devices

    Securing home and correspondent registrations in mobile IPv6 networks

    The Mobile IPv6 (MIPv6) protocol enables mobile nodes (MNs) to remain connected to other correspondent nodes (CNs) while roaming the IPv6 Internet. Home and correspondent registrations are essential parts of the MIPv6 protocol, whereby MNs register their care-of addresses (CoAs) with their home agents (HAs) and with their CNs, respectively. Security provision for home and correspondent registrations is a fundamental part of the MIPv6 protocol and has been an open research issue since the early stages of the protocol. This thesis examines state-of-the-art protocols for securing home and correspondent registrations in MIPv6 networks. The strengths and weaknesses of these protocols are discussed. The investigation of these protocols leads to the proposal of an enhanced home registration protocol and a family of correspondent registration protocols. The Enhanced Home Registration (EHR) protocol extends the basic home registration protocol defined in MIPv6 to support the location authentication of MNs to their HAs. The EHR is based on novel ideas of segmenting the IPv6 address space, using a symmetric CGA-based technique for generating CoAs, and applying concurrent CoAs reachability tests. As a result, EHR is able to reduce the likelihood of a malicious MN being successful in luring an HA to flood a third party with useless packets using MIPv6. In addition, EHR enables HAs to help in correspondent registrations by confirming MNs' CoAs to CNs. Simulation studies of EHR have shown that it only introduces a marginal increase in the registration delay, but a significant increase in the signalling overhead as a cost of supporting the location authentication of MNs. The thesis also proposes a family of correspondent registration protocols. These protocols rely on the assistance of home networks to confirm the MNs' ownership of the claimed HoAs and CoAs. The protocols consist of three phases: a creation phase, an update phase and a deletion phase. Informal and formal protocol analyses have confirmed the protocols' correctness and satisfaction of the required security properties. The protocols have been simulated extensively and the results show that they produce lower registration delay and a reduction in the signalling overhead during update and deletion phases. This is at the cost of a varying increase, depending on the protocol variant, in the registration delay and signalling overhead during the creation phase. EThOS - Electronic Theses Online Service, Egyptian Government, GB, United Kingdo

    An Overview of Cryptography (Updated Version, 3 March 2016)

    There are many aspects to security and many applications, ranging from secure commerce and payments to private communications and protecting passwords. One essential aspect for secure communications is that of cryptography... While cryptography is necessary for secure communications, it is not by itself sufficient. This paper describes the first of many steps necessary for better security in any number of situations. A much shorter, edited version of this paper appears in the 1999 edition of Handbook on Local Area Networks published by Auerbach in September 1998.