65,155 research outputs found
A Novel Approach to Transport-Layer Security for Spacecraft Constellations
Spacecraft constellations seek to provide transformational services from increased environmental awareness to reduced-latency international finance. This connected future requires trusted communications. Transport-layer security models presume link characteristics and encapsulation techniques that may not be sustainable in a networked constellation. Emerging transport layer protocols for space communications enable new transport security protocols that may provide a pragmatic alternative to deploying Internet security mechanisms in space. The Bundle Protocol (BP) and Bundle Protocol Security (BPSec) protocol have been designed to provide such an alternative.
BP is a store-and-forward alternative to IP that carries session information as secondary headers. BPSec uses BP’s featureful secondary header mechanism to hold security information and security results. In doing so, BPSec provides an in-packet augmentation alternative to security by encapsulation. BPSec enables features such as security-at-rest, separate encryption/signing of individual protocol headers, and the ability to add secondary headers and secure them at waypoints in the network. These features provided by BPSec change the system trades associated with networked constellations. They enable security at rest, secure content caching, and deeper inspection at gateways otherwise obscured by tunneling.
Analysis of the DoIP Protocol for Security Vulnerabilities
DoIP, which is defined in ISO 13400, is a transport protocol stack for
diagnostic data. Diagnostic data is a potential attack vector at vehicles, so
secure transmission must be guaranteed to protect sensitive data and the
vehicle. Previous work analyzed a draft version and earlier versions of the
DoIP protocol without Transport Layer Security (TLS). No formal analysis exists
for the DoIP protocol. The goal of this work is to investigate the DoIP
protocol for design flaws that may lead to security vulnerabilities and
possible attacks to exploit them. For this purpose, we deductively analyze the
DoIP protocol in a first step and subsequently confirm our conclusions
formally. For the formal analysis, we use the prover Tamarin. Based on the
results, we propose countermeasures to improve the DoIP's security. We show that
the DoIP protocol cannot be considered secure mainly because the security
mechanisms TLS and client authentication in the DoIP protocol are not
mandatory. We propose measures to mitigate the vulnerabilities that we confirm
to remain after activating TLS. These require only a minor redesign of the
protocol.
Implementation of Event-Based Dynamic Authentication on MQTT Protocol
This paper proposes an authentication mechanism on the MQ Telemetry Transport (MQTT) protocol. The exchange of data in the IoT system became an important activity. The MQTT protocol is a fast and lightweight communication protocol for IoT. One of the problems with the MQTT protocol is that there is no security mechanism in the initial setup. One security attack may occur during the client registration phase. The client registration phase has a vulnerability to accept false clients due to the absence of an authentication mechanism. An authentication mechanism has been previously made using Transport Layer Security (TLS). However, the TLS mechanism consumes more than 100 KB of data memory and is not suitable for devices that have limitations. Therefore, a suitable authentication mechanism for constrained devices is required. This paper proposes a protocol for authentication mechanisms using dynamic and event-based authentication for the MQTT protocol. The event-based approach is used to reduce the computing burden of constrained devices. Dynamic usage is intended to provide different authentication properties for each session so that it can improve authentication security. As a result, the application of the event-based dynamic authentication protocol was successful in the constrained devices of microcontrollers and broker. The microcontroller, as a client, is able to process the proposed protocol. The client uses 52% of the memory for the proposed protocol and only consumes 2% higher than the protocol without security. The broker can find authentic clients and constrained devices capable of computing to carry out mutual authentication processes to clients. The broker uses a maximum of 4.3 MB of real memory and a maximum CPU usage of 3.7%.
Improving efficiency and security of IIoT communications using in-network validation of server certificate
The use of advanced communications and smart mechanisms in industry is growing rapidly, making cybersecurity a critical aspect. Currently, most industrial communication protocols rely on the Transport Layer Security (TLS) protocol to build their secure version, providing confidentiality, integrity and authentication. In the case of UDP-based communications, frequently used in Industrial Internet of Things (IIoT) scenarios, the counterpart of TLS is Datagram Transport Layer Security (DTLS), which includes some mechanisms to deal with the high unreliability of the transport layer. However, the (D)TLS handshake is a heavy process, especially for resource-deprived IIoT devices and frequently, security is sacrificed in favour of performance. More specifically, the validation of digital certificates is an expensive process from the time and resource consumption point of view. For this reason, digital certificates are not always properly validated by IIoT devices, including the verification of their revocation status; and when it is done, it introduces an important delay in the communications. In this context, this paper presents the design and implementation of an in-network server certificate validation system that offloads this task from the constrained IIoT devices to a resource-richer network element, leveraging data plane programming (DPP). This approach enhances security as it guarantees that a comprehensive server certificate verification is always performed. Additionally, it increases performance as resource-expensive tasks are moved from IIoT devices to a resource-richer network element. Results show that the proposed solution reduces DTLS handshake times by 50–60 %. Furthermore, CPU use in IIoT devices is also reduced, resulting in an energy saving of about 40 % in such devices. This work was financially supported by the Spanish Ministry of Science and Innovation through the TRUE-5G project PID2019-108713RB-C54/AEI/10.13039/501100011033.
It was also partially supported by the Ayudas Cervera para Centros Tecnológicos grant of the Spanish Centre for the Development of Industrial Technology (CDTI) under the project EGIDA (CER-20191012), and by the Basque Country Government under the ELKARTEK Program, project REMEDY - Real tiME control and embeddeD securitY (KK-2021/00091).
SIGMA: A mobility architecture for terrestrial and space networks.
Internet Protocol (IP) mobility can be handled at different layers of the protocol stack. Mobile IP has been developed to handle mobility of Internet hosts at the network layer. Mobile IP suffers from a number of drawbacks such as the requirement for infrastructure change, high handover latency, high packet loss rate, and conflict with network security solutions. As an alternative solution, a few transport layer mobility protocols have been proposed in the context of Transmission Control Protocol (TCP), for example, MSOCKS and TCP connection migration. In this dissertation, a Seamless IP-diversity-based Generalized Mobility Architecture (SIGMA) is described. SIGMA works at the transport layer and utilizes IP diversity to achieve seamless handover, and is designed to solve many of the drawbacks of Mobile IP. It can also cooperate with normal IPv4 or IPv6 infrastructure without the support of Mobile IP. The handover performance, signaling cost, and survivability issues of SIGMA are evaluated and compared with those of Mobile IP. A hierarchical location management scheme for SIGMA is developed to reduce the signaling cost of SIGMA, which is also useful to other transport layer mobility solutions. SIGMA is shown to be also applicable to managing satellite handovers in space. Finally, the interoperability between SIGMA and existing Internet security mechanisms is discussed.
Options for Securing RTP Sessions
The Real-time Transport Protocol (RTP) is used in a large number of
different application domains and environments. This heterogeneity
implies that different security mechanisms are needed to provide
services such as confidentiality, integrity, and source
authentication of RTP and RTP Control Protocol (RTCP) packets
suitable for the various environments. The range of solutions makes
it difficult for RTP-based application developers to pick the most
suitable mechanism. This document provides an overview of a number
of security solutions for RTP and gives guidance for developers on
how to choose the appropriate security mechanism.
Automatic Intent-Based Secure Service Creation Through a Multilayer SDN Network Orchestration
Growing traffic demands and increasing security awareness are driving the
need for secure services. Current solutions require manual configuration and
deployment based on the customer's requirements. In this work, we present an
architecture for an automatic intent-based provisioning of a secure service in
a multilayer - IP, Ethernet, and optical - network while choosing the
appropriate encryption layer using an open-source software-defined networking
(SDN) orchestrator. The approach is experimentally evaluated in a testbed with
commercial equipment. Results indicate that the processing impact of secure
channel creation on a controller is negligible. As the time for setting up
services over WDM varies between technologies, it needs to be taken into
account in the decision-making process. Comment: Parts of the presented work have received funding from the European
Commission within the H2020 Research and Innovation Programme, under grant
agreement n.645127, project ACIN