
    Experimental Tests on SCTP over IPSec

    As telecommunication technologies evolve, security in communications becomes a more and more relevant issue. IPSec is a set of protocols aiming to enhance security at the IP layer. Specifically, IPSec and IKE are important security mechanisms that provide cryptographic-based protection for IP packets, and consequently for IP services. SCTP is a standardized transport protocol whose main features include multihoming and multistreaming, and is gaining momentum as a general-purpose transport protocol. While the simultaneous use of these two protocols is feasible, it is under study how to make them work efficiently. In this paper, we present a simple method to improve SCTP-IPSec-IKE compatibility by modifying the structure of the Security Associations. Despite the conceptual simplicity of our proposal, it has not been proposed before in related literature. This research has been supported by project grant TEC2007-67966-01/TCM (CON-PARTE-1) and it is also developed in the framework of "Programa de Ayudas a Grupos de Excelencia de la Región de Murcia, de la Fundación Séneca, Agencia de Ciencia y Tecnología de la RM (Plan Regional de Ciencia y Tecnología 2007/2010)".

    Design and Development of Application to Transport Layer Protocol for Smart Collaboration of Intelligent Devices

    There are varieties of smart devices – devices with hardware and a significant amount of software to mine data from the hardware in and around us; at home we have smart phones, smart TVs, laptops, smart refrigerators, etc. There is a need for each device of different size and capability to collaborate. That brings us to the first and most important step of “inter-device communication”, which can be deployed on any device without much further fuss. A simple yet secure channel of communication, which does not require much computing power or memory, is real-time in nature and is extensible towards the future. The challenge is to develop a simple Application Layer protocol, which uses existing TCP/IP technology to interconnect these devices and enable bi-directional communication, which is minimalistic in terms of size of payloads – data available at each of these smart devices – and will use the WWW’s (World Wide Web’s) most versatile tool – XML – for encoding data/information in a format that is both human-readable and machine-readable. DOI: 10.17762/ijritcc2321-8169.15063

    Vulnerabilities of signaling system number 7 (SS7) to cyber attacks and how to mitigate against these vulnerabilities.

    As the mobile network subscriber base exponentially increases due to some attractive offerings such as anytime anywhere accessibility, seamless roaming, inexpensive handsets with sophisticated applications, and Internet connectivity, the mobile telecommunications network has now become the primary source of communication for not only business and pleasure, but also for many life- and mission-critical services. This mass popularisation of telecommunications services has resulted in a heavily loaded Signaling System number 7 (SS7) signaling network, which is used in Second and Third Generation (2G and 3G) mobile networks and is needed for call control and services such as caller identity, roaming, and for sending short message services. SS7 signaling has enjoyed remarkable popularity for providing acceptable voice quality with negligible connection delays, possibly due to its circuit-switched heritage. However, the traditional SS7 networks are expensive to lease and to expand; hence, to cater for the growing signaling demand and to provide seamless interconnectivity between the SS7 and IP networks, a new suite of protocols known as Signaling Transport (SIGTRAN) has been designed to carry SS7 signaling messages over IP. Due to the intersignaling between the circuit-switched and the packet-switched networks, the mobile networks have now left the “walled garden”, which is a privileged, closed and isolated ecosystem under the full control of mobile carriers, using proprietary protocols and having minimal security risks due to restricted user access. Potentially, intersignaling can be exploited from the IP side to disrupt the services provided on the circuit-switched side. This study demonstrates the vulnerabilities of SS7 messages to cyber-attacks while being transported over IP networks and proposes some solutions based on securing both the IP transport and SCTP layers of the SIGTRAN protocol stack.

    Strategies to Secure End-To-End Communication

    The Stream Control Transmission Protocol (SCTP) is a fairly recent generic transport protocol with novel features, like multi-streaming, multi-homing, and an extendable architecture. This, however, prevents existing approaches to secure end-to-end connections from being used without limiting the supported SCTP features. New solutions also exist, but require extensive modifications that are difficult to realize and deploy. Hence, there is no widely deployed solution to secure SCTP-based connections. In this thesis, possible strategies to secure end-to-end SCTP connections are analyzed. For each strategy, a viable solution that does not limit the features of SCTP is presented, with a focus on deployability in terms of standardization as well as implementation. Implementations based on common open source tools are developed and used to conduct functionality and performance measurements, with simulated and real systems, to prove the usefulness of the suggested approaches

    A new security extension for SCTP

    In 2000, the Signaling Transport (SIGTRAN) working group of the IETF defined the Stream Control Transmission Protocol (SCTP) as a new transport protocol. SCTP is a new multi-purpose reliable transport protocol. Due to its various features and easy extensibility it is a valid option not only for already standardised applications but also in many new application scenarios. SCTP has several advantages over TCP and UDP. The analysis of already standardised as well as potential SCTP application scenarios clearly indicates that secure end-to-end transport is one of the crucial requirements for SCTP in the future. Up to now there exist two standardised SCTP security solutions, which are called TLS over SCTP [37] and SCTP over IPSec [12]. The goal of this thesis was to evaluate existing SCTP security solutions and find an optimised and efficient security solution. Several drawbacks of the standardised SCTP security solutions identified during the analysis are mainly related to features distinguishing SCTP from TCP and UDP. To avoid these drawbacks a new security solution for SCTP, called Secure SCTP (S-SCTP), is proposed which integrates the cryptographic functions into SCTP. One main requirement was that S-SCTP should be fully compatible with standard SCTP while additionally providing strong security, i.e. data confidentiality, integrity and authentication. This also means that all features, options and extensions available for standard SCTP have to be supported. Furthermore, S-SCTP should have advantages with respect to performance over all parameter ranges of SCTP and be user-friendly. To specify the S-SCTP protocol extension several new control messages and new message parameters have been defined. Furthermore, procedures for initialisation, rekeying, and termination of secure sessions have been specified and modelled in SDL. Based on an SCTP implementation available in our group and an open source implementation of TLS, TLS over SCTP and S-SCTP have been implemented. These implementations as well as an SCTP over IPSec configuration were used to do comparative performance studies in a lab testbed. These experiments show that the S-SCTP concept achieves its design goals. It supports all features and current extensions of SCTP. Furthermore, it avoids the inefficiencies of the other solutions over a wide range of application scenarios and protocol parameter settings.

    Building a Secure Short Duration Transaction Network

    The objective of this project was to design and test a secure IP-based architecture suitable for short duration transactions. This included the development of a prototype test-bed in which various operating scenarios (such as cryptographic options, various IP-based architectures and fault tolerance) were demonstrated. A solution based on SIP secured with TLS was tested on two IP-based architectures. Total time, CPU time and heap usage were measured for each architecture and encryption scheme to examine the viability of such a solution. The results showed that the proposed solution stack was able to complete transactions in reasonable time and was able to recover from transaction processor failure. This research has demonstrated a possible architecture and protocol stack suitable for IP-based transaction networks. The benefits of an IP-based transaction network include reduced operating costs for network providers and clients, as shared IP infrastructure is used instead of maintaining a separate IP and X.25 network.

    Wireless Bandwidth Aggregation for Internet Traffic

    This MQP proposes a new method for bandwidth aggregation, utilizable by the typical home network owner. The methods explained herein aggregate a network of coordinating routers within local WiFi communication range to achieve increased bandwidth at the application layer, over the HTTP protocol. Our protocol guarantees content delivery and reliability, as well as non-repudiation measures that hold each participant, rather than the group of routers, accountable for the content they download.

    A service-enabling framework for the session initiation protocol (SIP)

    In this dissertation, we propose a framework to provide multimedia communication services. Our proposed framework is based on SIP (Session Initiation Protocol) and has four fundamental properties: it is available, secure, high-performing, and oriented to innovations. The framework is not an architecture with a rigid structure. Instead, the framework is a toolkit made up of a set of tools that can be combined in different ways. The combination of these tools provides applications and services with the functionality needed to implement a wide variety of multimedia communication services. Applications and services built on top of the framework use different tools within the toolkit in order to provide their desired overall functionality. The functionality provided by the framework includes a number of primitives to be used by applications and services. These primitives mostly relate to multiparty communications and include floor control. The framework also offers support functions that relate to PSTN (Public Switched Telephony Network) interworking, policy control, and consent-based communications. Additionally, the framework contains functions that relate to signalling transport, multihoming, mobility, security, and NAT (Network Address Translation) traversal. The framework also allows building overlay networks when a SIP network infrastructure is not available. In order to test and refine the ideas presented in this dissertation, we have implemented most of them in proof-of-concept prototypes. We have used experiments and simulations to validate our assumptions and obtain new insights.