advances in ad hoc networking packet level authentication
play

Advances in ad hoc networking: Packet Level Authentication Dmitrij - PowerPoint PPT Presentation

Feb 22, 2023 •323 likes •542 views

Advances in ad hoc networking: Packet Level Authentication Dmitrij Lagutin, dlagutin@cc.hut.fi T-79.5401 Special Course in Mobility Management: Ad hoc networks, 2.5.2007 Contents Introduction Packet Level Authentication

  1. Advances in ad hoc networking: Packet Level Authentication Dmitrij Lagutin, dlagutin@cc.hut.fi T-79.5401 Special Course in Mobility Management: Ad hoc networks, 2.5.2007

  2. Contents ● Introduction ● Packet Level Authentication ● Implementation of Packet Level Authentication ● Applications of Packet Level Authentication ● Conclusions 2

  3. Introduction ● The Internet was designed to survive a nuclear war, but it was not designed to be secure against internal attacks – As a result, the Internet infrastructure is very vulnerable to different kinds of attacks ● Distributed denial of service attacks are easy to launch against nodes of Internet ● Packets that are moving through Internet can be easily forged, duplicated or delayed 3

  4. Introduction ● These kind of attacks consume network's resources and they are dangerous especially in wireless and ad hoc networks since such networks have very limited resources ● Most current security solutions like IPSec concentrate on end-to-end security – They do not protect underlying Internet infrastructure, only the endpoints of the connection will notice if packets have been modified – They are useless if the Internet infrastructure is attacked and as result it is unable to deliver packets to destination 4

  5. Packet Level Authentication ● A Packet Level Authentication (PLA) is a novel solution to protect IP networks against different kinds of attacks ● The aim of the PLA is to make it possible to verify authenticity of packets without having any kind of contact with the sender of the packet ● Analogy: Money, sales clerk can verify authenticity of the Euro note without having a contact with the bank that has issued the note. It is enough to check security measures in the note like watermark, hologram, metal string etc. 5

  6. Packet Level Authentication ● Design goals of the PLA include – Validation of packets ● Modification detection ● Duplicate detection ● Delay detection – Survivable in dynamic and hostile environment – Ability to add new nodes to the network and remove compromised nodes from the network – Scalability – Minimum traffic overhead – Minimum trust between nodes 6

  7. Packet Level Authentication ● The idea of the PLA is that every node in the network, e.g. a router, can detect forged, duplicated and delayed packets immediately and discard them ● The PLA allows attacks to be stopped quickly, before they consume a large amount of network resources and before they inflict a significant damage ● The PLA utilizes public key cryptography and it introduces additional header on top of standard IPv6 header – Elliptic curve cryptography (ECC) is used because it has very compact keys. 160 bit ECC key that is used with the PLA is as strong as 1024 bit RSA key. 7

  8. PLA: Header ● The PLA header includes: – The public key of the sender – A certificate where the Trusted Third Party (TTP) authorizes the sender. A TTP could be for example an operator. This guarantees that the sender is a trusted entity. – A time stamp to detect delayed packets – A monotonically increasing sequence number to make detection of duplicated packets possible – The cryptographic signature over the whole packet with sender's private key, this guarantees that forged packets will be easily detected because forgery breaks the signature 8

  9. PLA: Trusted Third Parties ● The aim of the TTP is to authorize nodes that are sending PLA packets. If the node is hostile, TTP will not grant the node a new certificate, and without a proper certificate from TTP, node cannot communicate using the PLA ● The node that is checking packets must also to be able to check wherever the TTP that has authorized the sender can be trusted – If the packet has a correct signature, correct TTP certificate and the TTP can be trusted, then the packet is authentic and it has been sent by a legitimate node 9

  10. Software implementation ● Experimental PLA implementation exists for Linux – The implementation consists of a Linux kernel module and userspace applications – Source code is available from: http://www.tcs.hut.fi/Software/PLA/new/Download.shtml – Handling cryptographic operations with general purpose CPU is quite slow. Round trip time through of PLA packets two PLA enabled routers (2GHz Athlon64 PCs) is about 60ms. – In the future, hardware acceleration can be used to increase performance of cryptographic operations 10

  11. Hardware acceleration for cryptographic operations ● Field Programmable Gate Array (FPGA) chip can be used for increasing the performance of cryptographic operations like signing packets and verifications of signatures ● FPGAs produce very large performance improvement in specialized tasks compared to general purpose processors ● Various hardware implementations of elliptic curve cryptography have produced a good performance and energy efficiency 11

  12. Hardware acceleration for cryptographic operations ● Preliminary results achieved in the PLA project with the FPGA accelerator are encouraging ● With Altera Stratix II FPGA chip it is possible to achieve about 165000 ECC verifications per second – With 150MHz clock speed and 19 computational blocks ● Assuming 5kbit payload per packet, this equals to 840Mbps of traffic – With maximum data payload (about 10kbit per packet) this equals to 1.68Gbps of traffic – Thus the scalability of the PLA is good as long as dedicated hardware acceleration is used to handle cryptographic operations 12

  13. Applications of PLA ● The PLA has been designed for protecting IP network from attacks, however the PLA can also be utilized for other tasks ● The sequence number that is present in the PLA header can be used by operators for per packet billing – A monotonically increasing sequence number together with sender's signature provide a proof that the sender has sent the packet – A sequence number could be increased by the size of packet, this would allow billing based on the amount of data that the sender has sent 13

  14. Applications of PLA: Controlling incoming connections ● Traditionally the initiator of the connection controls it, however this can cause problems – The recipient of the connection may use a mobile access network with a limited bandwidth and may even have to pay for all incoming traffic – The recipient is busy and does not want to receive unnecessary connections ● Limiting the incoming connections would also make much harder to initiate denial of service attacks against the recipient or the recipient's network 14

  15. Applications of PLA: Controlling incoming connections ● New policy: All incoming connections are denied before they reach the recipient, only explicitly allowed connections will go through ● Implementation using certificates: – The recipient authorizes certain parties to create incoming connections to itself using certificates. – The firewall in recipient's network blocks unauthorized connections before they reach the recipient. ● The PLA is necessary to ensure that the data is really sent by a certified party 15

  16. Controlling incoming connections: Example 16

  17. Applications of PLA: Controlling incoming connections ● Proxy – The recipient trusts in proxy and the proxy can give certificates to other trusted parties for making incoming connections to the recipient – The proxy also keeps track of the recipient's IP address if the recipient is changing networks – In order to eliminate a single point of failure, proxies form a Distributed Hast Table (DHT) network 17

  18. Applications of PLA: Controlling incoming connections ● Firewall – Is located in the recipient's access network – Takes notice of certificates that are passing through it – Blocks all connections to the network unless the recipient is a valid entity within the network and the incoming connection has been explicitly allowed via certificates. Public key in PLA header of the packet must match with the public key of the certificate that is given in step 1. 18

  19. Applications of PLA: Ad hoc networks ● Ad hoc networks are severely limited by resources like energy and bandwidth ● Various attacks against ad hoc networks can consume significant amount of network's resources and thus make the network unusable or decrease the lifetime of the network ● PLA requires more processing power, however since PLA allows attacks to be stopped quickly, it can prolong lifetime of the network in situations where the network is frequently attacked 19

  20. Conclusions ● Current Internet infrastructure has not been designed with security in mind ● The aim of the PLA is to allow for every node to detect forged, duplicated and delayed packets, thus possible attacks can be stopped quickly ● The PLA does not produce high computational overhead if a hardware acceleration is used for cryptographic calculations – Small key size of ECC limits bandwidth overhead ● The PLA can be utilized also for other tasks like billing of controlling incoming connections 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How

Packet Validation in the Network Environments Yingdi Yu UCLA 1 Packet Authentication How to authenticate a data packet containing the electricity usage of a room at certain time? Data is signed, but how to verify the signature?

224 views • 19 slides
Scheduling in Wireless Networks With Packet-Level and Flow-Level Dynamics Ramin Khalili Reading

Scheduling in Wireless Networks With Packet-Level and Flow-Level Dynamics Ramin Khalili Reading

Scheduling in Wireless Networks With Packet-Level and Flow-Level Dynamics Ramin Khalili Reading Group: 01.02.2011 1 Outline network model packet-level scheduling flow-level scheduling multi-channel case conclusion 2

328 views • 22 slides
Networking Don Porter CSE 506 Networking (2 parts) Goals: Review networking basics

Networking Don Porter CSE 506 Networking (2 parts) Goals: Review networking basics

Networking Don Porter CSE 506 Networking (2 parts) Goals: Review networking basics Discuss APIs Trace how a packet gets from the network device to the application (and back) Understand Receive livelock and NAPI 4

761 views • 48 slides
Introduction to IP networking Olof Hagsand KTH CSC 1 Example: Packet transfer www.server.org

Introduction to IP networking Olof Hagsand KTH CSC 1 Example: Packet transfer www.server.org

DD2395 p2 2011 Introduction to IP networking Olof Hagsand KTH CSC 1 Example: Packet transfer www.server.org An end host requests a web-page from a server via a local-area network The aim of this lecture is to give an overview of how

691 views • 30 slides
1 Recovery From Packet Loss Loss is in a broader sense: packet never arrives or arrives

1 Recovery From Packet Loss Loss is in a broader sense: packet never arrives or arrives

Multimedia Networking Last time Principles Classify multimedia Multimedia Networking Applications applications Streaming stored audio and video Identify the network Today services the apps Real-time Multimedia: Internet

326 views • 17 slides
A Framework for Qualitative Communications Using Big Packet Protocol 2 nd Workshop on Networking

A Framework for Qualitative Communications Using Big Packet Protocol 2 nd Workshop on Networking

A Framework for Qualitative Communications Using Big Packet Protocol 2 nd Workshop on Networking for Emerging Applications and Technologies (NEAT 2019) 19 th August 2019 Richard Li 1 , Kiran Makhijani 1 , Hamed Yousefi 1 , Cedric Westphal 1,2 ,

390 views • 28 slides
NETWORKING NETWORKING PART 1: Basic ic conce cepts PART 1: Basic concepts Agenda Agenda

NETWORKING NETWORKING PART 1: Basic ic conce cepts PART 1: Basic concepts Agenda Agenda

Moreno Baricevic CNR-INFM DEMOCRITOS Trieste, ITALY INTRO TO INTRO TO NETWORKING NETWORKING PART 1: Basic ic conce cepts PART 1: Basic concepts Agenda Agenda Connections Connections Concept of Packet Concept of Packet Network Stack

515 views • 33 slides
CS 457 Networking and the Internet Fall 2016 Indrajit Ray Packet Switching Topics

CS 457 Networking and the Internet Fall 2016 Indrajit Ray Packet Switching Topics

9/15/16 CS 457 Networking and the Internet Fall 2016 Indrajit Ray Packet Switching Topics Learning bridges/switches Spanning tree algorithm Virtual LANs 1 9/15/16 Switches: Traffic Isolation Switch breaks subnet into LAN

221 views • 8 slides
Chapter 7 Networking Support Contents Packet-switched networks. The Internet. Web

Chapter 7 Networking Support Contents Packet-switched networks. The Internet. Web

Chapter 7 Networking Support Contents Packet-switched networks. The Internet. Web access and TCP congestion control. Network management; class-based queuing. Cloud interconnection networks. Storage area networks.

779 views • 46 slides
Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.1/22 Introduction part of a firewall, working on IP packet level (vs. application level proxies or ethernet

455 views • 33 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Recent Advances in Machine Learning And Their Application to Networking David Meyer

Recent Advances in Machine Learning And Their Application to Networking David Meyer

Recent Advances in Machine Learning And Their Application to Networking David Meyer dmm@{brocade.com,uoregon.edu,1-4-5.net,..} http://www.1-4-5.net/~dmm/talks/2015/thursday_lunch_ietf93.pptx IETF 93 23 July 2015 Prague, Czech Republic Goals

386 views • 38 slides
Software Defined Networking OpenFlow and NOX ECE/CS598HPN Radhika Mittal Acknowledgements:

Software Defined Networking OpenFlow and NOX ECE/CS598HPN Radhika Mittal Acknowledgements:

Software Defined Networking OpenFlow and NOX ECE/CS598HPN Radhika Mittal Acknowledgements: Yashar Ganjali, Univ. of Toronto Software Defined Network (SDN) Feature Feature Network OS Packet Forwarding Packet Forwarding Packet

772 views • 36 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Towards High- -performance performance Towards High Flow- -level Packet Processing level

Towards High- -performance performance Towards High Flow- -level Packet Processing level

Towards High- -performance performance Towards High Flow- -level Packet Processing level Packet Processing Flow on Multi- -core Network Processors core Network Processors on Multi Yaxuan Qi (presenter), Bo Xu, Fei He, Baohua Yang,

568 views • 27 slides
CS101 Lecture 17: Networking Circuit Switching Packet Switching Aaron Stevens (azs@bu.edu) 4

CS101 Lecture 17: Networking Circuit Switching Packet Switching Aaron Stevens (azs@bu.edu) 4

3/4/13 CS101 Lecture 17: Networking Circuit Switching Packet Switching Aaron Stevens (azs@bu.edu) 4 March 2013 Computer Science What Youll Learn Today Computer Science What is a communications network? What are the implications of

357 views • 11 slides
Fourth Quarter 2015 Conference Call February 9, 2016 Forward-Looking Statements Certain

Fourth Quarter 2015 Conference Call February 9, 2016 Forward-Looking Statements Certain

Fourth Quarter 2015 Conference Call February 9, 2016 Forward-Looking Statements Certain information contained in this presentation constitutes forward-looking statements for purposes of the safe harbor provisions of The Private Securities

332 views • 32 slides
Proposed GBP 30.5NC10.5 Tier 2 Offering Inclusive capitalism underpins our strategy April 2020

Proposed GBP 30.5NC10.5 Tier 2 Offering Inclusive capitalism underpins our strategy April 2020

Proposed GBP 30.5NC10.5 Tier 2 Offering Inclusive capitalism underpins our strategy April 2020 Executive Summary UK market leader in managing risk, being the UKs leader in bulk annuities, life insurance and other retirement products for

432 views • 39 slides
Overview of Nyrstars EUR 490M Rights Issue Heinz Eigner , Chief Financial Officer 19 March

Overview of Nyrstars EUR 490M Rights Issue Heinz Eigner , Chief Financial Officer 19 March

Overview of Nyrstars EUR 490M Rights Issue Heinz Eigner , Chief Financial Officer 19 March 2012 1 Important Notice - This presentation has been prepared by the management of Nyrstar NV (the "Company"). It does not constitute or

399 views • 23 slides
Investor presenta,on May 2018 Disclaimer This document is not

Investor presenta,on May 2018 Disclaimer This document is not

Disrup,ng mobile payments Investor presenta,on May 2018 Disclaimer This document is not for release, distribu,on or publica,on, whether directly or indirectly

288 views • 12 slides
Restructuring Update 17-21 May 2010 Page 1 Disclaimer

Restructuring Update 17-21 May 2010 Page 1 Disclaimer

Restructuring Update 17-21 May 2010 Page 1 Disclaimer

874 views • 69 slides
Solid Start to FY2011 Shinsei Bank, Limited September 2011 Overview Management 1. Medium-Term

Solid Start to FY2011 Shinsei Bank, Limited September 2011 Overview Management 1. Medium-Term

Solid Start to FY2011 Shinsei Bank, Limited September 2011 Overview Management 1. Medium-Term Management Plan and Management Commitment Commitment 2. Off to a Good Start Highlights 3. Loan Balance Shows Signs of Bottoming-out Business 4.

368 views • 35 slides
Science & Diplomacy Building Bridges While Accelerating a Clean Energy Revolution by Dr.

Science & Diplomacy Building Bridges While Accelerating a Clean Energy Revolution by Dr.

Science & Diplomacy Building Bridges While Accelerating a Clean Energy Revolution by Dr. Robert C. Marlay Office of International Affairs U.S. Department of Energy Center for Science Diplomacy American Association for the Advancement of

288 views • 18 slides
Lithuania: news and changes Dr. Beata Vilimaite Silobritiene Environment Research Department,

Lithuania: news and changes Dr. Beata Vilimaite Silobritiene Environment Research Department,

Lithuanian Environmental Protection Agency Radiation protection of environment in Lithuania: news and changes Dr. Beata Vilimaite Silobritiene Environment Research Department, Radiology Division Juozas Molis Environment Status Assessment

337 views • 29 slides

More recommend