1,716 research outputs found
Short Paper: On Deployment of DNS-based Security Enhancements
Although the Domain Name System (DNS) was designed as a naming system, its
features have made it appealing to repurpose it for the deployment of novel
systems. One important class of such systems are security enhancements, and
this work sheds light on their deployment. We show the characteristics of these
solutions and measure reliability of DNS in these applications. We investigate
the compatibility of these solutions with the Tor network, signal necessary
changes, and report on surprising drawbacks in Tor's DNS resolution.
Comment: Financial Cryptography and Data Security (FC) 201
Modeling Data-Plane Power Consumption of Future Internet Architectures
With current efforts to design Future Internet Architectures (FIAs), the
evaluation and comparison of different proposals is an interesting research
challenge. Previously, metrics such as bandwidth or latency have commonly been
used to compare FIAs to IP networks. We suggest the use of power consumption as
a metric to compare FIAs. While low power consumption is an important goal in
its own right (as lower energy use translates to smaller environmental impact
as well as lower operating costs), power consumption can also serve as a proxy
for other metrics such as bandwidth and processor load.
Lacking power consumption statistics about either commodity FIA routers or
widely deployed FIA testbeds, we propose models for power consumption of FIA
routers. Based on our models, we simulate scenarios for measuring power
consumption of content delivery in different FIAs. Specifically, we address two
questions: 1) which of the proposed FIA candidates achieves the lowest energy
footprint; and 2) which set of design choices yields a power-efficient network
architecture? Although the lack of real-world data makes numerous assumptions
necessary for our analysis, we explore the uncertainty of our calculations
through sensitivity analysis of input parameters.
PKI Safety Net (PKISN): Addressing the Too-Big-to-Be-Revoked Problem of the TLS Ecosystem
In a public-key infrastructure (PKI), clients must have an efficient and
secure way to determine whether a certificate was revoked (by an entity
considered as legitimate to do so), while preserving user privacy. A few
certification authorities (CAs) are currently responsible for the issuance of
the large majority of TLS certificates. These certificates are considered valid
only if the certificate of the issuing CA is also valid. The certificates of
these important CAs are effectively too big to be revoked, as revoking them
would result in massive collateral damage. To solve this problem, we redesign
the current revocation system with a novel approach that we call PKI Safety Net
(PKISN), which uses publicly accessible logs to store certificates (in the
spirit of Certificate Transparency) and revocations. The proposed system
extends existing mechanisms, which enables simple deployment. Moreover, we
present a complete implementation and evaluation of our scheme.
Comment: IEEE EuroS&P 201
FAIR: Forwarding Accountability for Internet Reputability
This paper presents FAIR, a forwarding accountability mechanism that
incentivizes ISPs to apply stricter security policies to their customers. The
Autonomous System (AS) of the receiver specifies a traffic profile that the
sender AS must adhere to. Transit ASes on the path mark packets. In case of
traffic profile violations, the marked packets are used as a proof of
misbehavior.
FAIR introduces low bandwidth overhead and requires no per-packet and no
per-flow state for forwarding. We describe integration with IP and demonstrate
a software switch running on commodity hardware that can switch packets at a
line rate of 120 Gbps, and can forward 140M minimum-sized packets per second,
limited by the hardware I/O subsystem.
Moreover, this paper proposes a "suspicious bit" for packet headers - an
application that builds on top of FAIR's proofs of misbehavior and flags
packets to warn other entities in the network.
Comment: 16 pages, 12 figures
BlockPKI: An Automated, Resilient, and Transparent Public-Key Infrastructure
This paper describes BlockPKI, a blockchain-based public-key infrastructure
that enables an automated, resilient, and transparent issuance of digital
certificates. Our goal is to address several shortcomings of the current TLS
infrastructure and its proposed extensions. In particular, we aim at reducing
the power of individual certification authorities and making their actions
publicly visible and accountable, without introducing yet another trusted third
party. To demonstrate the benefits and practicality of our system, we present
evaluation results and describe our prototype implementation.
Comment: Workshop on Blockchain and Sharing Economy Application
Woman, Mother and Citizen: Peronism and Anti-Peronism in the Vindication of Women's Rights.
The purpose of this work is to operate deconstructively on the feminine imaginary of Peronism in order to show how its supposed innovation regarding the vindication of women's rights, especially the right to vote, is undone in a paradoxical discourse in which 'woman' is overdetermined by being 'mother', or maternal subject. This paradoxical situation, the need to accept and reject sexual difference at the same time, shows an irresolvable tension that is historically resignified and from which Peronism cannot escape. Although anti-Peronist women more than once frame their dispute with the latter in terms of the way Eva Perón conceptualizes woman, it is possible to notice that they too have only paradoxes to offer.
SDNsec: Forwarding Accountability for the SDN Data Plane
SDN promises to make networks more flexible, programmable, and easier to
manage. Inherent security problems in SDN today, however, pose a threat to the
promised benefits. First, the network operator lacks tools to proactively
ensure that policies will be followed or to reactively inspect the behavior of
the network. Second, the distributed nature of state updates at the data plane
leads to inconsistent network behavior during reconfigurations. Third, the
large flow space makes the data plane susceptible to state exhaustion attacks.
This paper presents SDNsec, an SDN security extension that provides
forwarding accountability for the SDN data plane. Forwarding rules are encoded
in the packet, ensuring consistent network behavior during reconfigurations and
limiting state exhaustion attacks due to table lookups. Symmetric-key
cryptography is used to protect the integrity of the forwarding rules and
enforce them at each switch. A complementary path validation mechanism allows
the controller to reactively examine the actual path taken by the packets.
Furthermore, we present mechanisms for secure link-failure recovery and
multicast/broadcast forwarding.
Comment: 14 pages