Simple authentication and security layer incorporating extensible authentication protocol
There are many methods that support user authentication and access control, which play important roles in the establishment of secure communication. In particular, we examine Simple Authentication and Security Layer (SASL) and Extensible Authentication Protocol (EAP) and propose EAP-Advanced Encryption Standard-Pre-Shared-Key (EAP-AES-PSK). SASL is an authentication framework for connection-oriented protocols. EAP is an authentication framework providing multiple authentication methods. SASL is vulnerable to the dictionary attack, replay attack, and Man-In-The-Middle attack, as well as the re-keying issue. We propose to incorporate EAP into SASL to enhance the security of SASL and to provide a pathway for easy incorporation of future EAP enhancements into SASL. Standalone EAP still faces some common attacks. We propose EAP-AES-PSK, a new EAP method, to provide strong authentication, and we implement this method on the Cyrus SASL implementation, one of the publicly available SASL implementations. This project is evaluated through the verification of functionality of a SASL application incorporating EAP. Further, we argue how the common security risks associated with SASL are addressed, and we complete a performance evaluation of the new method incorporated into SASL.
A pragmatic approach: Achieving acceptable security mechanisms for high speed data transfer protocol-UDT
The development of next generation protocols, such as UDT (UDP-based data transfer), promptly addresses various infrastructure requirements for transmitting data in high speed networks. However, this development creates new vulnerabilities when these protocols are designed to rely solely on the existing security solutions of existing protocols such as TCP and UDP. It is clear that not all security protocols (such as TLS) can be used to protect UDT, just as security solutions devised for wired networks cannot be used to protect wireless ones. The development of UDT, as with the development of TCP/UDP many years ago, lacked a well-thought-out security architecture to address the problems that networks are presently experiencing. This paper proposes and analyses practical security mechanisms for UDT.
Internet X.509 Public Key Infrastructure Operational Protocols -- LDAPv3
This document describes the features of the Lightweight Directory Access Protocol v3 that are needed in order to support a public key infrastructure based on X.509 certificates and CRLs.
Supporting Massive Mobility with stream processing software
The goal of this project is to design a solution for massive mobility using the LISP protocol and scalable database systems like Apache Kafka. The project consists of three steps: first, understanding the requirements of the massive mobility scenario; second, designing a solution based on a stream processing software that integrates with OOR (an open-source LISP implementation); third, building a prototype with OOR and a stream processing software (or a similar technology) and evaluating its performance.

Our objectives are: understand the requirements in an environment for massive mobility; learn and evaluate the architecture of Apache Kafka and similar message brokers to see if these tools could satisfy the requirements; propose an architecture for massive mobility using the LISP protocol and Kafka as the mapping system; and finally, evaluate the performance of Apache Kafka using such an architecture.

In chapters 3 and 4 we provide a summary of the LISP protocol, Apache Kafka and other message brokers. In these chapters we describe the components of these tools and how we can use such components to achieve our objective. We evaluate the different mechanisms for 1) authenticating users, 2) access control lists, 3) protocols to assure the delivery of the message, 4) integrity and 5) communication patterns. Because we are interested only in the last message of the queue, it is very important that the message broker provides a capability to obtain this message.

Regarding the proposed architecture, we show how we adapted Kafka to store the information managed by the mapping system in LISP. The EID in LISP is represented by topics in Apache Kafka. It uses the publish-subscribe pattern to spread the notification to all the subscribers. xTRs or mobile devices are able to play the role of consumers and publishers of the message brokers. Every topic uses only one partition, and every subscriber has its own consumer group to avoid competition to consume the messages.

Finally, we evaluate the performance of Apache Kafka. As we will see, Kafka scales linearly in the following cases: number of packets in the network in relation to the number of topics; number of packets in the network in relation to the number of subscribers; number of files opened by the server in relation to the number of topics; and time elapsed between the moment when a publisher sends a message and a subscriber receives it, in relation to the number of topics.

In the conclusion we explain which objectives were achieved and why there are some challenges to be faced by Kafka, especially on two points: 1) we need only the last location (message) stored in the broker, and Kafka does not provide an out-of-the-box mechanism to obtain such messages, and 2) the number of open files that have to be managed simultaneously by the server. More study is required to compare the performance of Kafka against other tools.
Securing data transfer in the cloud through introducing identification packet and UDT-authentication option field: a characterization
The emergence of various technologies has since pushed researchers to develop new protocols that support high density data transmissions in Wide Area Networks. Many of these protocols are TCP protocol variants, which have demonstrated better performance in simulation and several limited network experiments but have limited practical applications because of implementation and installation difficulties. On the other hand, users who need to transfer bulk data (e.g., in grid/cloud computing) usually turn to application level solutions, where these variants do not fare well. Among the protocols considered in application level solutions are UDP-based protocols, such as UDT (UDP-based Data Transport Protocol) for cloud/grid computing. Despite the promising development of protocols like UDT, what remains a major challenge that current and future network designers face is to achieve survivability and security of data and networks. Our previous research surveyed various security methodologies, which led to the development of a framework for UDT. In this paper we present lower-level security by introducing an Identity Packet (IP) and Authentication Option (AO) for UDT.
Security Mechanisms for the Internet
Security must be built into Internet protocols for those protocols to offer their services securely. Many security problems can be traced to improper implementations. However, even a proper implementation will have security problems if the fundamental protocol is itself exploitable. Exactly how security should be implemented in a protocol will vary because of the structure of the protocol itself. However, there are many protocols for which standard Internet security mechanisms, already developed, may be applicable. The precise one that is appropriate in any given situation can vary. We review a number of different choices, explaining the properties of each.
Distributed authentication for resource control
This thesis examines distributed authentication in the process of controlling computing resources. We investigate user sign-on and two of the main authentication technologies that can be used to control a resource through authentication and providing additional security services. The problems with the existing sign-on scenario are that users have too much credential information to manage and are prompted for this information too often. Single Sign-On (SSO) is a viable solution to this problem if physical procedures are introduced to minimise the risks associated with its use. The Generic Security Services API (GSS-API) provides security services in a manner independent of the environment in which these security services are used, encapsulating security functionality and insulating users from changes in security technology. The underlying security functionality is provided by GSS-API mechanisms. We developed the Secure Remote Password GSS-API Mechanism (SRPGM) to provide a mechanism that has low infrastructure requirements, is password-based and does not require the use of long-term asymmetric keys. We provide implementations of the Java GSS-API bindings and the LIPKEY and SRPGM GSS-API mechanisms. The Secure Authentication and Security Layer (SASL) provides security to connection-based Internet protocols. After finding deficiencies in existing SASL mechanisms we developed the Secure Remote Password SASL mechanism (SRP-SASL), which provides strong password-based authentication and countermeasures against known attacks, while still being simple and easy to implement. We provide implementations of the Java SASL binding and several SASL mechanisms, including SRP-SASL.
A Practical Study of E-mail Communication through SMTP
Simple Mail Transfer Protocol (SMTP) is an application layer protocol for e-mail communication. It has been adopted as a standard by the Internet Engineering Task Force (IETF). SMTP sets conversational and grammatical rules for exchanging messages between connected computers. It has evolved through several revisions and extensions since its formation by Jon Postel in 1981. In SMTP, the sender establishes a full-duplex transmission channel with a receiver. The receiver may be either the ultimate destination or an intermediate forwarding agent. SMTP commands are issued by the sender and sent to the receiver, which responds to these commands with reply codes. Each SMTP session between the sender and the receiver consists of three phases, namely connection establishment, mail transactions and connection termination. This paper describes and illustrates the process of e-mail communication through SMTP by issuing the individual SMTP commands directly to transmit e-mail messages. It also describes individual SMTP commands and extensions with practical implementation using a Telnet client.