Evaluating IP security on lightweight hardware

TCP/IP communications stack is being increasingly used to interconnect mobile phones, PDAs, sensor motes and other wireless embedded devices. Although the core functionality of communications protocols has been successfully adopted to lightweight hardware from the traditional Internet and desktop computers, suitability of strong security mechanisms on such devices remains questionable. Insufficient processor, memory and battery resources, as well as constraints of wireless communications limit the applicability of many existing security protocols that involve computationally intensive operations. Varying capabilities of devices and application scenarios with different security and operational requirements complicate the situation further and call for agile and flexible security systems. This study does an empirical evaluation of applicability of selected existing IP security mechanisms to lightweight (resource-constrained) devices. In particular, we evaluate various components of the Host Identity Protocol (HIP), standardized by the Internet Engineering Task Force for achieving authentication, shared key negotiation, secure mobility and multihoming and, if used with IPsec, integrity and confidentiality of user data. Involving a set of cryptographic operations, HIP might easily stress a lightweight client, while affecting performance of applications running on it and shortening battery lifetime of the device. We present a background and related work on network-layer security, as well as a set of measurement results of various security components obtained on devices representing lightweight hardware: embedded Linux PDAs, Symbian-based smartphones, OpenWrt Wi-Fi access routers and wireless sensor platforms. To improve computational and energy efficiency of HIP, we evaluate several lightweight mechanisms that can substitute standard protocol components and provide a good trade-off between security and performance in particular application scenarios. We describe cases where existing HIP security mechanisms (i) can be used unmodified and (ii) should be tailored or replaced to suit resource-constrained environments. The combination of presented security components and empirical results on their applicability can serve as a reference framework for building adaptable and flexible security services for future lightweight communication systems

Evaluating IP security and mobility on lightweight hardware

This work presents an empirical evaluation of applicability of selected existing IP security and mobility mechanisms to lightweight mobile devices and network components with limited resources and capabilities. In particular, we consider the Host Identity Protocol (HIP), recently specified by the IETF for achieving authentication, secure mobility and multihoming, data protection and prevention of several types of attacks. HIP uses the Diffie-Hellman protocol to establish a shared secret for two hosts, digital signatures to provide integrity of control plane and IPsec ESP encryption to protect user data. These computationally expensive operations might easily stress CPU, memory and battery resources of a lightweight client, as well as negatively affect data throughput and latency.We describe our porting experience with HIP on an embedded Linux PDA, a Symbian-based smartphone and two OpenWrt Wi-Fi access routers, thereby contributing to the protocol deployment. We present a set of measurement results of different HIP operations on these devices and evaluate the impact of public-key cryptography on the processor load, memory usage and battery lifetime, as well as the influence of the IPsec encryption on Round-Trip Time and TCP throughput. In addition, we assess how the lightweight hardware of a mobile handheld or a Wi-Fi access router in turn affects the duration of certain protocol operations including HIP base exchange, HIP mobility update, puzzle solving procedure and generation of an asymmetric key pair. After analyzing the empirical results we make conclusions and recommendations on applicability of unmodified HIP and IPsec to resource-constrained mobile devices. We also survey related work and draw parallels with our own research results

Performance of Host Identity Protocol on Lightweight Hardware ABSTRACT

The Host Identity Protocol (HIP) is being standardized by the IETF as a new solution for host mobility and multihoming in the Internet. HIP uses self-certifying public-private key pairs in combination with IPsec to authenticate hosts and protect user data. While there are three open-source HIP implementations, no experience is available with running HIP on lightweight hardware such as a PDA or a mobile phone. Limited computational power and battery lifetime of lightweight devices raises concerns if HIP can be used there at all. This paper presents performance measurements of HIP over WLAN on Nokia 770 Internet Tablet. It also provides comprehensive analysis of the results and makes suggestions on HIP suitability for lightweight clients

Distributed User Authentication in Wireless LANs

Abstract—An increasing number of mobile devices, including smartphones, use WLAN for accessing the Internet. Existing WLAN authentication mechanisms are either disruptive, such as presenting a captive web page prompting for password, or unreliable, enabling a malicious user to attack a part of operator’s infrastructure. In this paper, we present a distributed authentication architecture for WLAN users providing instant network access without manual interactions. It supports terminal mobility across WLAN access points with the Host Identity Protocol (HIP), at the same time protecting the operator’s infrastructure from external attacks. User data sent over a wireless link is protected by the IPsec ESP protocol. We present our architecture design and implementation experience on two OpenWrt WLAN access points, followed by measurement results of the working prototype. The system is being deployed into pilot use in the city-wide panOULU WLAN. I