119 research outputs found
Efficient, DoS-Resistant, Secure Key Exchange for Internet Protocols
We describe JFK, a new key exchange protocol, primarily designed for use in the IP Security Architecture. It is simple, efficient, and secure; we sketch a proof of the latter property. JFK also has a number of novel engineering parameters that permit a variety of trade-offs, most notably the ability to balance the need for perfect forward secrecy against susceptibility to denial-of-service attacks
Guidelines for Specifying the Use of IPsec Version 2
The Security Considerations sections of many Internet Drafts say, in effect, "just use IPsec". While this is sometimes correct, more often it will leave users without real, interoperable security mechanisms. This memo offers some guidance on when IPsec Version 2 should and should not be specified
Dovetail: Stronger Anonymity in Next-Generation Internet Routing
Current low-latency anonymity systems use complex overlay networks to conceal
a user's IP address, introducing significant latency and network efficiency
penalties compared to normal Internet usage. Rather than obfuscating network
identity through higher level protocols, we propose a more direct solution: a
routing protocol that allows communication without exposing network identity,
providing a strong foundation for Internet privacy, while allowing identity to
be defined in those higher level protocols where it adds value.
Given current research initiatives advocating "clean slate" Internet designs,
an opportunity exists to design an internetwork layer routing protocol that
decouples identity from network location and thereby simplifies the anonymity
problem. Recently, Hsiao et al. proposed such a protocol (LAP), but it does not
protect the user against a local eavesdropper or an untrusted ISP, which will
not be acceptable for many users. Thus, we propose Dovetail, a next-generation
Internet routing protocol that provides anonymity against an active attacker
located at any single point within the network, including the user's ISP. A
major design challenge is to provide this protection without including an
application-layer proxy in data transmission. We address this challenge in path
construction by using a matchmaker node (an end host) to overlap two path
segments at a dovetail node (a router). The dovetail then trims away part of
the path so that data transmission bypasses the matchmaker. Additional design
features include the choice of many different paths through the network and the
joining of path segments without requiring a trusted third party. We develop a
systematic mechanism to measure the topological anonymity of our designs, and
we demonstrate the privacy and efficiency of our proposal by simulation, using
a model of the complete Internet at the AS-level
Efficient security management for active networks.
Due to the dynamic nature and dynamic routing capability of active packets, security in active networks should be hop-by-hop based. This thesis discusses the identified drawbacks of existing approaches. These drawbacks are: the high performance overhead generated by per-hop Security Association (SA) negotiation prior to secured active packet transmission the high complexity in SA negotiation handshake process active packet can only be securely transmitted after SA negotiations the shared key set generated for protecting active packets may not have Perfect Forward Secrecy (PFS) lack of confidentiality protection on exchanged symmetric keys and active packets lack of SA negotiation power and scalability issues. This thesis presents a novel hop-by-hop active network security management approach known as Security Protocol for Active Networks (SPAN). SPAN is designed to enable secure active packet transmission during a series of hop-by-hop SPAN SA negotiation along a new execution path, instead of after. The design of SPAN has taken into consideration the factors of security, efficiency, flexibility, scalability, and applicability. SPAN is resistant to replay, man-in-the-middle, impersonate attacks. SPAN is designed to detect DoS attacks much more efficiently. Furthermore, SPAN is uniquely designed to enhance the robustness and efficiency of underlying active networking systems
Internet Authentication for Remote Access
It is expected that future IP devices will employ a variety of
different network access technologies to gain ubiquitous
connectivity. Currently there are no authentication protocols
available that are lightweight, can be carried over arbitrary
access networks, and are flexible enough to be re-used in the
many different contexts that are likely to arise in future
Internet remote access. Furthermore, existing access procedures
need to be enhanced to offer protection against
Denial-of-Service (DoS) attacks, and do not provide
non-repudiation. In addition to being limited to specific
access media, some of these protocols are limited to specific
network topologies and are not scalable.
This thesis reviews the authentication infrastructure
challenges for future Internet remote access supporting
ubiquitous client mobility, and proposes a series of solutions
obtained by adapting and reinforcing security techniques
arising from a variety of different sources. The focus is on
entity authentication protocols that can be carried both by the
IETF PANA authentication carrier and by the EAP mechanisms, and
possibly making use of an AAA infrastructure. The core idea is
to adapt authentication protocols arising from the mobile
telecommunications sphere to Internet remote access. A proposal
is also given for Internet access using a public key based
authentication protocol. The subsequent security analysis of
the proposed authentication protocols covers a variety of
aspects, including: key freshness, DoS-resistance, and
"false-entity-in-the-middle" attacks, in addition to identity
privacy of users accessing the Internet via mobile devices.
This work aims primarily at contributing to ongoing research on
the authentication infrastructure for the Internet remote
access environment, and at reviewing and adapting
authentication solutions implemented in other spheres, for
instance in mobile telecommunications systems, for use in
Internet remote access networks supporting ubiquitous mobilit
Recommended from our members
A Comprehensive Survey of Voice over IP Security Research
We present a comprehensive survey of Voice over IP security academic research, using a set of 245 publications forming a closed cross-citation set. We classify these papers according to an extended version of the VoIP Security Alliance (VoIPSA) Threat Taxonomy. Our goal is to provide a roadmap for researchers seeking to understand existing capabilities and to identify gaps in addressing the numerous threats and vulnerabilities present in VoIP systems. We discuss the implications of our findings with respect to vulnerabilities reported in a variety of VoIP products. We identify two specific problem areas (denial of service, and service abuse) as requiring significant more attention from the research community. We also find that the overwhelming majority of the surveyed work takes a black box view of VoIP systems that avoids examining their internal structure and implementation. Such an approach may miss the mark in terms of addressing the main sources of vulnerabilities, i.e., implementation bugs and misconfigurations. Finally, we argue for further work on understanding cross-protocol and cross-mechanism vulnerabilities (emergent properties), which are the byproduct of a highly complex system-of-systems and an indication of the issues in future large-scale systems
Design and Validation of a Secured Tunnel in the Automatic Multicast Tunneling (AMT) Environment
IP multicasting is a communication mechanism in which data are communicated from a server to a set of clients who are interested in receiving those data. Any client can dynamically enter or leave the communication. The main problem of this system is that every client that is interested in receiving the multicast data has to be in a multicast enabled network. The Network Working Group at the Internet Engineering Task Force (IETF) has come up with a solution to this problem. They have developed a protocol named Automatic Multicast Tunneling (AMT). This protocol offers a mechanism to enable the unicast-only clients to join and receive multicast data from a multicast enabled region through an AMT tunnel, which is formed between the two intermediate participants named Gateway and Relay. However, AMT does not provide any Participant Access Control (PAC).
Malla has designed an architecture for adding PAC at the receiver’s end in the AMT environment. His work is based on the assumption that the AMT tunnel is secure and the tunnel can recognize and pass the additional message types that his design requires. We have designed the solution to secure the AMT tunnel. We also defined the additional message types. Lastly, we validated our work using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to ensure that our design is secure
Security for the signaling plane of the SIP protocol
VOIP protocols are gaining greater acceptance amongst both users and service providers. This thesis will aim to examine aspects related to the security of signaling plane of the SIP protocol, one of the most widely used VOIP protocols. Firstly, I will analyze the critical issues related to SIP, then move on to discuss both current and possible future solutions, and finally an assessment of the impact on the performance of HTTP digest authentication, IPsec and TLS, the three main methods use
- …