Guidelines for Specifying the Use of IPsec Version 2

The Security Considerations sections of many Internet Drafts say, in effect, "just use IPsec". While this is sometimes correct, more often it will leave users without real, interoperable security mechanisms. This memo offers some guidance on when IPsec Version 2 should and should not be specified

Authentication in Protected Core Networking

Protected Core Networking (PCN) is a concept that aims to increase information sharing between nations in coalition military operations. PCN specifies the interconnection of national transport networks, called Protected Core Segments (PCSs), to a federated transport network called Protected Core (PCore). PCore is intended to deliver high availability differentiated transport services to its user networks, called Colored Clouds (CCs). To achieve this goal, entity authentication of all connecting entities is specified as a protective measure. In resource constrained environments, the distribution of service policy can be challenging. That is, which transport services are associated with a given entity. The thesis proposes two new and original protocols where CCs push service policy to the network by performing authentication based on attributes. Using identity-based signatures, attributes constituting a service policy are used directly for an entity's identity, and no external mechanism linking identity and policy is needed. For interoperability, the idea has been incorporated into PKINIT Kerberos and symmetric key Kerberos by carrying the authorized attributes within tickets. The proposed protocols are formally verified in the symbolic model using scyther-proof. The experiment shows that both CCs, and PCSs achieve greater assurance on agreed attributes, and hence on expected service delivery. A CC and a visiting PCS are able to negotiate, and agree on the expected service depending on the situation. The proposed solution provides benefits to CCs on expected service when connecting to a visiting PCS, with poor connectivity to the home PCS. In that respect, interconnection of entities with little pre-established relationship is simplified, and hence fulfillment of the PCN concept is facilitated

Building mobile L2TP/IPsec tunnels

Wireless networks introduce a whole range of challenges to the traditional TCP/IP network, especially Virtual Private Network (VPN). Changing IP address is a difficult issue for VPNs in wireless networks because IP addresses are used as one of the identifiers of a VPN connection and the change of IP addresses will break the original connection. The current solution to this problem is to run VPN tunnels over Mobile IP (MIP). However, Mobile IP itself has significant problems in performance and security and that solution is inefficient due to double tunneling. This thesis proposes and implements a new and novel solution on simulators and real devices to solve the mobility problem in a VPN. The new solution adds mobility support to existing L2TP/IPsec (Layer 2 Tunneling Protocol/IP Security) tunnels. The new solution tunnels Layer 2 packets between VPN clients and a VPN server without using Mobile IP, without incurring tunnel-re-establishment at handoff, without losing packets during handoff, achieves better security than current mobility solutions for VPN, and supports fast handoff in IPv4 networks. Experimental results on a VMware simulation showed the handoff time for the VPN tunnel to be 0.08 seconds, much better than the current method which requires a new tunnel establishment at a cost of 1.56 seconds. Experimental results with a real network of computers showed the handoff time for the VPN tunnel to be 4.8 seconds. This delay was mainly caused by getting an IP address from DHCP servers via wireless access points (4.6 seconds). The time for VPN negotiation was only 0.2 seconds. The experimental result proves that the proposed mobility solution greatly reduces the VPN negotiation time but getting an IP address from DHCP servers is a large delay which obstructs the real world application. This problem can be solved by introducing fast DHCP or supplying an IP address from a new wireless access point with a strong signal while the current Internet connection is weak. Currently, there is little work on fast DHCP and this may open a range of new research opportunities

Trust and integrity in distributed systems

In the last decades, we have witnessed an exploding growth of the Internet. The massive adoption of distributed systems on the Internet allows users to offload their computing intensive work to remote servers, e.g. cloud. In this context, distributed systems are pervasively used in a number of difference scenarios, such as web-based services that receive and process data, cloud nodes where company data and processes are executed, and softwarised networks that process packets. In these systems, all the computing entities need to trust each other and co-operate in order to work properly. While the communication channels can be well protected by protocols like TLS or IPsec, the problem lies in the expected behaviour of the remote computing platforms, because they are not under the direct control of end users and do not offer any guarantee that they will behave as agreed. For example, the remote party may use non-legitimate services for its own convenience (e.g. illegally storing received data and routed packets), or the remote system may misbehave due to an attack (e.g. changing deployed services). This is especially important because most of these computing entities need to expose interfaces towards the Internet, which makes them easier to be attacked. Hence, software-based security solutions alone are insufficient to deal with the current scenario of distributed systems. They must be coupled with stronger means such as hardware-assisted protection. In order to allow the nodes in distributed system to trust each other, their integrity must be presented and assessed to predict their behaviour. The remote attestation technique of trusted computing was proposed to specifically deal with the integrity issue of remote entities, e.g. whether the platform is compromised with bootkit attacks or cracked kernel and services. This technique relies on a hardware chip called Trusted Platform Module (TPM), which is available in most business class laptops, desktops and servers. The TPM plays as the hardware root of trust, which provides a special set of capabilities that allows a physical platform to present its integrity state. With a TPM equipped in the motherboard, the remote attestation is the procedure that a physical node provides hardware-based proof of the software components loaded in this platform, which can be evaluated by other entities to conclude its integrity state. Thanks to the hardware TPM, the remote attestation procedure is resistant to software attacks. However, even though the availability of this chip is high, its actual usage is low. The major reason is that trusted computing has very little flexibility, since its goal is to provide strong integrity guarantees. For instance, remote attestation result is positive if and only if the software components loaded in the platform are expected and loaded in a specific order, which limits its applicability in real-world scenarios. For such reasons, this technique is especially hard to be applied on software services running in application layer, that are loaded in random order and constantly updated. Because of this, current remote attestation techniques provide incomplete solution. They only focus on the boot phase of physical platforms but not on the services, not to mention the services running in virtual instances. This work first proposes a new remote attestation framework with the capability of presenting and evaluating the integrity state not only of the boot phase of physical platforms but also of software services at load time, e.g. whether the software is legitimate or not. The framework allows users to know and understand the integrity state of the whole life cycle of the services they are interacting with, thus the users can make informed decision whether to send their data or trust the received results. Second, based on the remote attestation framework this thesis proposes a method to bind the identity of secure channel endpoint to a specific physical platform and its integrity state. Secure channels are extensively adopted in distributed systems to protect data transmitted from one platform to another. However, they do not convey any information about the integrity state of the platform or the service that generates and receives this data, which leaves ample space for various attacks. With the binding of the secure channel endpoint and the hardware TPM, users are protected from relay attacks (with hardware-based identity) and malicious or cracked platform and software (with remote attestation). Third, with the help of the remote attestation framework, this thesis introduces a new method to include the integrity state of software services running in virtual containers in the evidence generated by the hardware TPM. This solution is especially important for softwarised network environments. Softwarised network was proposed to provide dynamic and flexible network deployment which is an ever complex task nowadays. Its main idea is to switch hardware appliances to softwarised network functions running inside virtual instances, that are full-fledged computational systems and accessible from the Internet, thus their integrity is at stake. Unfortunately, currently remote attestation work is not able to provide hardware-based integrity evidence for software services running inside virtual instances, because the direct link between the internal of virtual instances and hardware root of trust is missing. With the solution proposed in this thesis, the integrity state of the softwarised network functions running in virtual containers can be presented and evaluated with hardware-based evidence, implying the integrity of the whole softwarised network. The proposed remote attestation framework, trusted channel and trusted softwarised network are implemented in separate working prototypes. Their performance was evaluated and proved to be excellent, allowing them to be applied in real-world scenarios. Moreover, the implementation also exposes various APIs to simplify future integration with different management platforms, such as OpenStack and OpenMANO

Security aspects of OSPF as a MANET routing protocol

OSPF, Open Shortest Path First, is an Intra-gateway routing protocol first developed as an IETF effort. It is widely adopted in large enterprise-scale networks, being well regarded for its fast convergence and loop-free routing. It is versatile in terms of which interface types it supports, such as point-to-point links or broadcast networks. It also offers scalability through hierarchical routing and by using centralization to reduce the amount of overhead on networks which have broadcast or broadcast-similar properties. An interface type missing from the standard so far is that of a wireless network, characterized by non-guaranteed bidirectional links combined with unreliable broadcasting, and existing interface types generally perform poorly under these networks. The IETF has therefore instituted a Working Group to standardize such an interface type extension to the latest version, OSPF version 3. This interface type will permit mobility and multi-hop characteristics in addition to those of wireless links in general. Such networks are usually referred to as Mobile Ad-hoc Networks (MANET). MANET routing protocols are subject to more severe security issues than ordinary, wireline-oriented protocols are. This thesis aims to indentify key security aspects of OSPF as a MANET routing protocol

Encaminhamento e segurança em redes veiculares

Mestrado em Engenharia Electrónica e TelecomunicaçõesThe growing research in vehicular network solutions provided the rise of interaction in these highly dynamic environments in the market. The developed architectures do not usually focus, however, in security aspects. Common security strategies designed for the Internet require IP. Since nodes' addresses in a vehicular network are too dynamic, such solutions would require cumbersome negotiations, which would make them unsuitable to these environments. The objective of this dissertation is to develop, and test a scalable, lightweight, layer 3 security protocol for vehicular networks, in which nodes of the network are able to set up long-term security associations with a Home Network, avoiding session renegotiations due to lack of connectivity and reduce the protocol stacking. This protocol allows to provide security independent of the nodes (vehicles) position, of its addressing and of the established path to access the Internet, allowing the mobility of vehicles and of its active sessions seamlessly without communication failures.O crescimento da investigação em redes veiculares provocou o aumento da interação nestes ambientes muito dinâmicos no mercado. As arquiteturas desenvolvidas não se focam, no entanto, na segurança. Estratégias comuns de segurança para a Internet, requerem sessões baseadas no IP. Como os endereços dos nós numa rede veicular, e a sua localização e caminhos até à Internet, são muito dinâmicos, as soluções já desenvolvidas para outro tipo de redes iriam requerer renegociações que teriam um grande impacto no desempenho destes ambientes. O objetivo desta dissertação será, portanto, desenvolver e testar um protocolo de segurança implementado na camada 3 para redes veiculares, que seja escalável e leve, em que os nós da rede conseguirão estabelecer associações de segurança de longa duração com a Home Network, evitando renegociações devidas à falta de conectividade, e reduzir o overhead devido ao empilhamento protocolar. Este protocolo permite ter segurança independentemente da posição dos nós (os veículos), do seu endereçamento e do caminho estabelecido para o acesso à Internet, permitindo assim mobilidade dos veículos e das sessões ativas de forma transparente sem falhas na comunicação

Privacy and Security Framework. OpenIoT Deliverable D522

This deliverable describes the Security and Privacy Framework of the OpenIoT platform, including details about its design and implementation. The aim of this framework is to ensure that Internet-Connected Objects (ICOs) contributing to the OpenIoT platform, its internal modules and external applications will communicate through secured IoT data interfaces (according to the target security/confidentiality level specified by the user). Moreover we show the feasibility of this security module in the implemented prototype, which is an integral part of the OpenIoT platform. In particular we describe the implementation of the Central Authorisation Server (CAS), the Security Management console, the Security Client, and the integration of the security framework in the core modules of the platform

An embedded sensor node microcontroller with crypto-processors

Wireless sensor network applications range from industrial automation and control, agricultural and environmental protection, to surveillance and medicine. In most applications, data are highly sensitive and must be protected from any type of attack and abuse. Security challenges in wireless sensor networks are mainly defined by the power and computing resources of sensor devices, memory size, quality of radio channels and susceptibility to physical capture. In this article, an embedded sensor node microcontroller designed to support sensor network applications with severe security demands is presented. It features a low power 16-bitprocessor core supported by a number of hardware accelerators designed to perform complex operations required by advanced crypto algorithms. The microcontroller integrates an embedded Flash and an 8-channel 12-bit analog-to-digital converter making it a good solution for low-power sensor nodes. The article discusses the most important security topics in wireless sensor networks and presents the architecture of the proposed hardware solution. Furthermore, it gives details on the chip implementation, verification and hardware evaluation. Finally, the chip power dissipation and performance figures are estimated and analyzed