analysis and optimization of cryptographically generated
play

Analysis and Optimization of Cryptographically Generated Addresses - PowerPoint PPT Presentation

Feb 16, 2024 •1.78k likes •2.28k views

Introduction CGA for IPv6 CGA++ Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting Self-Certifying Address Generation and Verification Joppe Bos, Onur Ozen and Jean-Pierre Hubaux Ecole Polytechnique F

  1. Introduction CGA for IPv6 CGA++ Analysis and Optimization of Cryptographically Generated Addresses (CGA) Revisiting Self-Certifying Address Generation and Verification Joppe Bos, Onur ¨ Ozen and Jean-Pierre Hubaux Ecole Polytechnique F´ ed´ erale de Lausanne 1 / 41

  2. Introduction CGA for IPv6 CGA++ Outline 1 Introduction 2 CGA for IPv6 Outline Several Attacks Efficiency 3 CGA++ Design goals Prevent current attacks Address Generation Address Verification CGA-CGA++ Comparison 2 / 41

  3. Introduction CGA for IPv6 CGA++ Problem outline Problem: The need for the nodes to be able to generate their own address and verify the ones from others without relying on any global trusted authority. Solution: Using self-certifying addresses, which allows hosts and domains to prove they have the address they claim to have regardless of a trusted third party or a public-key infrastructure (PKI). An Example: Cryptographically Generated Addresses (CGA) for Internet Protocol version 6 (IPv6) addresses. 3 / 41

  4. Introduction CGA for IPv6 CGA++ Motivation The Impact CGA is used in Internet Protocol version 6 (IPv6) addresses. IPv6 is the next-generation Internet Protocol version designated as the successor to version 4, IPv4. CGA is used in Secure Neighbour Discovery Protocol for proof of adress ownership and dublicate address detection. What is missing? A more in-depth security/efficiency analysis of CGA. 4 / 41

  5. Introduction CGA for IPv6 CGA++ Our Contribution A detailed security/efficiency analysis of CGA Security: Introduction of a security framework for CGA-like protocols. Efficiency: Estimation of the cost of address generation/verification and possible attacks. Investigation of several attack scenarios A new and more secure protocol is designed: CGA++ . Resistant against certain type of attacks which are possible against CGA. Better authentication. Less efficient (more later). 5 / 41

  6. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency CGA Basics: The notion of a self-certifying name The public-key itself: 6 / 41

  7. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency CGA Basics: The notion of a self-certifying name Or, for convenience the hash of the public-key The public-key itself: 6 / 41

  8. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency CGA for IPv6 Hash2 SHA−1 Proposed by Aura at ISC 2003. Zero Zero Modifier Public Key Collision Subnet Prefix Count Introduces the so-called “hash extensions” which SHA−1 trades efficiency for security. Appeared in an RFC 3972 in Hash1 2005. u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 7 / 41

  9. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency CGA for IPv6 Hash2 SHA−1 Zero Zero Modifier Public Key Collision Subnet Prefix Count SHA−1 Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 8 / 41

  10. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 SHA−1 Zero Zero Modifier Public Key Collision Subnet Prefix Count 1 Set modifier to a random 128-bit value. SHA−1 Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 9 / 41

  11. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 SHA−1 Zero Zero Modifier Public Key Collision Subnet Prefix Count 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK . SHA−1 Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 10 / 41

  12. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 SHA−1 Zero Zero Modifier Public Key Collision Subnet Prefix Count 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK . 3 Execute SHA-1 algorithm. The leftmost 112 bits SHA−1 of the result are Hash2 . Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 11 / 41

  13. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? SHA−1 1 Set modifier to a random 128-bit value. Zero Zero Modifier Public Key Collision 2 Concatenate the modifier and the encoded PK . Subnet Prefix Count 3 Execute SHA-1 algorithm. The leftmost 112 bits of the result are Hash2 . 4 Compare the 16 × Sec leftmost bits of Hash2 SHA−1 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 12 / 41

  14. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? SHA−1 1 Set modifier to a random 128-bit value. Zero Zero Modifier Public Key 2 Concatenate the modifier and the encoded PK . Collision Subnet Prefix Count 3 Execute SHA-1 algorithm. The leftmost 112 bits of the result are Hash2 . 4 Compare the 16 × Sec leftmost bits of Hash2 SHA−1 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. Hash1 u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 13 / 41

  15. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? SHA−1 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK . Zero Zero Modifier Public Key 3 Execute SHA-1 algorithm. The leftmost 112 bits Collision Subnet Prefix Count of the result are Hash2 . 4 Compare the 16 × Sec leftmost bits of Hash2 with 0. If they are all zero, continue with Step SHA−1 (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. Hash1 6 Concatenate the modifier, subnet prefix, collision count and encoded PK values. u,g Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 14 / 41

  16. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? SHA−1 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK . 3 Execute SHA-1 algorithm. The leftmost 112 bits Zero Zero Modifier Public Key of the result are Hash2 . Collision Subnet Prefix Count 4 Compare the 16 × Sec leftmost bits of Hash2 with 0. If they are all zero, continue with Step (5). Otherwise, increment the modifier and go back to Step (2). SHA−1 5 Set the collision count to zero. 6 Concatenate the modifier, subnet prefix, collision count and encoded PK values. Hash1 7 Execute SHA-1 . The leftmost 64 bits of the result u,g are Hash1 . Sec 59 bits (3 bits) (2 bits) Subnet Prefix (64 bits) Interface ID (64 bits) 15 / 41

  17. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? 1 Set modifier to a random 128-bit value. SHA−1 2 Concatenate the modifier and the encoded PK . 3 Execute SHA-1 algorithm. The leftmost 112 bits of the result are Hash2 . Zero Zero 4 Compare the 16 × Sec leftmost bits of Hash2 Modifier Public Key Collision with 0. If they are all zero, continue with Step Subnet Prefix Count (5). Otherwise, increment the modifier and go back to Step (2). 5 Set the collision count to zero. SHA−1 6 Concatenate the modifier, subnet prefix, collision count and encoded PK values. 7 Execute SHA-1 . The leftmost 64 bits of the result Hash1 are Hash1 . 8 Form an interface identifier by setting u , g in u,g Sec 59 bits (3 bits) (2 bits) Hash1 both to 1 and the three leftmost bits to Sec . Subnet Prefix (64 bits) Interface ID (64 bits) 16 / 41

  18. Introduction Outline CGA for IPv6 Several Attacks CGA++ Efficiency Address Generation Hash2 16*sec bits are ZERO ? 1 Set modifier to a random 128-bit value. 2 Concatenate the modifier and the encoded PK . SHA−1 3 Execute SHA-1 algorithm. The leftmost 112 bits of the result are Hash2 . 4 Compare the 16 × Sec leftmost bits of Hash2 Zero Zero with 0. If they are all zero, continue with Step Modifier Public Key (5). Otherwise, increment the modifier and go Collision Subnet Prefix Count back to Step (2). 5 Set the collision count to zero. 6 Concatenate the modifier, subnet prefix, collision SHA−1 count and encoded PK values. 7 Execute SHA-1 . The leftmost 64 bits of the result are Hash1 . Hash1 8 Form an interface identifier by setting u , g in Hash1 both to 1 and the three leftmost bits to u,g Sec 59 bits Sec . (3 bits) (2 bits) 9 Concatenate the subnet prefix and interface identifier to form a 128-bit IPv6 address. Subnet Prefix (64 bits) Interface ID (64 bits) 17 / 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cryptographically Generated IPv6 Addresses (CGA) Basic idea: Interface Id = hash (Public Key)

Cryptographically Generated IPv6 Addresses (CGA) Basic idea: Interface Id = hash (Public Key)

Cryptographically Generated IPv6 Addresses (CGA) Basic idea: Interface Id = hash (Public Key) The public key is used to authenticate messages sent from the CGA address. Proof of address ownership without security infrastructure. Prior

541 views • 6 slides
First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols Peeter Laud peeter l@ut.ee Tartu Ulikool Cybernetica AS Teooriap aevad Arulas, 3.-5.02.2003 p.1/27 Overview Cryptographic protocols.

570 views • 27 slides
Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1

Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1

Dataflow Analysis Iterative Data-flow Analysis and Static-Single-Assignment cs5363 1 Optimization And Analysis Improving efficiency of generated code Correctness: optimized code must preserve meaning of the original program

467 views • 31 slides
Empirical Analysis of SLS Algorithms adapted and extended from slides for SLS:FA, Chapter 4

Empirical Analysis of SLS Algorithms adapted and extended from slides for SLS:FA, Chapter 4

HEURISTIC OPTIMIZATION Empirical Analysis of SLS Algorithms adapted and extended from slides for SLS:FA, Chapter 4 Analysis of SLS algorithms I How long does it take to find a feasible solution? I How good are the solutions generated by the

860 views • 54 slides
Empirical Analysis of SLS Algorithms adapted and extended from slides for SLS:FA, Chapter 4

Empirical Analysis of SLS Algorithms adapted and extended from slides for SLS:FA, Chapter 4

HEURISTIC OPTIMIZATION Empirical Analysis of SLS Algorithms adapted and extended from slides for SLS:FA, Chapter 4 Analysis of SLS algorithms I How long does it take to find a feasible solution? I How good are the solutions generated by the

535 views • 19 slides
Email Optimization: How A/B testing generated $500 million in donations Introduction Youve

Email Optimization: How A/B testing generated $500 million in donations Introduction Youve

Email Optimization: How A/B testing generated $500 million in donations Introduction Youve heard this story Fact check: TRUE The Ground Game 786 Obama field offices vs. 284 Romney offices In Ohio: Obama Romney Thousands

847 views • 46 slides
Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation

Interprocedural Analysis and Optimization Mod/Ref Analysis Alias Analysis Constant Propagation Procedure Inlining and Cloning cs6363 1 Introduction Interprocedural Analysis Gathering information about the whole program instead of a

496 views • 22 slides
1 Can the Computer do the retrosynthetic analysis for me? Computer-generated Retrosynthesis

1 Can the Computer do the retrosynthetic analysis for me? Computer-generated Retrosynthesis

Designing Organic Syntheses Syntheseplanung Starting material Target molecule 1 Can the Computer do the retrosynthetic analysis for me? Computer-generated Retrosynthesis Programme LHASA (http://lhasa.harvard.edu): E.J. Corey Based on known

976 views • 63 slides
4. Fitness landscape analysis for multi-objective optimization problems Fitness landscape

4. Fitness landscape analysis for multi-objective optimization problems Fitness landscape

Multiobjective Optimization Optimization algorithms Features in MO Prediction Set-based FL 4. Fitness landscape analysis for multi-objective optimization problems Fitness landscape analysis for understanding and designing local search

713 views • 58 slides
Analysis and Optimization of Analysis and Optimization of Thermal Issues in High Thermal Issues

Analysis and Optimization of Analysis and Optimization of Thermal Issues in High Thermal Issues

Analysis and Optimization of Analysis and Optimization of Thermal Issues in High Thermal Issues in High Performance VLSI Performance VLSI Kaustav Banerjee Stanford University Massoud Pedram and Amir H. Ajami University of Southern

841 views • 57 slides
Efficient and Cryptographically Secure Addition in the Ideal Class Groups of Hyperelliptic

Efficient and Cryptographically Secure Addition in the Ideal Class Groups of Hyperelliptic

Efficient and Cryptographically Secure Addition in the Ideal Class Groups of Hyperelliptic Curves Diploma thesis Andrey Bogdanov* Scientific advisors: Prof. Dr. Dr. h.c. Gerhard Frey Prof. Dr. Vladimir Anashin Russian State

397 views • 29 slides
Global Optimization Global constant propagation Liveness analysis 2 Local

Global Optimization Global constant propagation Liveness analysis 2 Local

Lecture Outline Global flow analysis Global Optimization Global constant propagation Liveness analysis 2 Local Optimization Global Optimization Recall the simple basic-block optimizations These optimizations can be extended

434 views • 14 slides
Constrained optimization DS-GA 1013 / MATH-GA 2824 Optimization-based Data Analysis

Constrained optimization DS-GA 1013 / MATH-GA 2824 Optimization-based Data Analysis

Constrained optimization DS-GA 1013 / MATH-GA 2824 Optimization-based Data Analysis http://www.cims.nyu.edu/~cfgranda/pages/OBDA_fall17/index.html Carlos Fernandez-Granda Compressed sensing Convex constrained problems Analyzing

1.58k views • 156 slides
Convex Analysis, Duality and Optimization Yao-Liang Yu yaoliang@cs.ualberta.ca Dept. of

Convex Analysis, Duality and Optimization Yao-Liang Yu yaoliang@cs.ualberta.ca Dept. of

Convex Analysis, Duality and Optimization Yao-Liang Yu yaoliang@cs.ualberta.ca Dept. of Computing Science University of Alberta March 7, 2010 Prelude Basic Convex Analysis Convex Optimization Fenchel Conjugate Minimax Theorem Lagrangian

887 views • 65 slides
Cryptographically Sound Security Proofs for Basic and Public-key Kerberos ESORICS 2006 M.

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos ESORICS 2006 M.

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos ESORICS 2006 M. Backes 1 , I. Cervesato 2 , A. D. Jaggard 3 , A. Scedrov 4 , and J.-K. Tsay 4 1 Saarland University, 2 Carnegie Mellon University - Qatar, 3 Tulane

370 views • 18 slides
We know what you did at 9am Analysis Systems with Dynamic User Generated Content Christian

We know what you did at 9am Analysis Systems with Dynamic User Generated Content Christian

We know what you did at 9am Analysis Systems with Dynamic User Generated Content Christian Wallenta, Oxford Mohamed Ahmed, UCL Ian Brown, Oxford Stephen Hailes, UCL Felipe Huici, UCL Multi Service Networks 2008 10.07.2008 Motivation

583 views • 42 slides
Lightweight influence mine sweeping system for the future Norwegian unmanned MMCM concept R.

Lightweight influence mine sweeping system for the future Norwegian unmanned MMCM concept R.

UDT 2020 UDT Extended Abstract Presentation Lightweight influence mine sweeping system for the future Norwegian unmanned MMCM concept R. Fardal 1 and M. Nakjem 2 1 Principal scientist, FFI, Horten, Norway 2 Project manager, FFI, Horten, Norway

256 views • 4 slides
Beyond JVM Charles Oliver Nutter @headius Me + 2001: JRuby is Born 2006: JRuby on Rails

Beyond JVM Charles Oliver Nutter @headius Me + 2001: JRuby is Born 2006: JRuby on Rails

Beyond JVM Charles Oliver Nutter @headius Me + 2001: JRuby is Born 2006: JRuby on Rails 2015: JRuby 9000 $ git log --oneline | wc -l 29435 Why do this for 9 years? We like the JVM Magical black box that runs our code Except when it

1.05k views • 104 slides
Lean 4: State of the Sebastian Ullrich Ullrich - Lean 4: State of the A brief history of

Lean 4: State of the Sebastian Ullrich Ullrich - Lean 4: State of the A brief history of

1 2020/01/09 IPD Snelting KIT Programming paradigms group - IPD Snelting KIT The Research University in the Helmholtz Association www.kit.edu Lean 4: State of the Sebastian Ullrich Ullrich - Lean 4: State of the A brief history

318 views • 30 slides
Compiling with Continuations and LLVM Kavon Farvardin John Reppy University of Chicago

Compiling with Continuations and LLVM Kavon Farvardin John Reppy University of Chicago

Compiling with Continuations and LLVM Kavon Farvardin John Reppy University of Chicago September 22, 2016 Introduction LLVM Introduction to LLVM De facto backend for new language implementations Offers high quality code generation for

568 views • 22 slides
Teagasc National Farm Survey Preliminary Results 2017 Emma Dillon, Brian Moran, John Lennon

Teagasc National Farm Survey Preliminary Results 2017 Emma Dillon, Brian Moran, John Lennon

Teagasc National Farm Survey Preliminary Results 2017 Emma Dillon, Brian Moran, John Lennon & Trevor Donnellan Rural Economy Development Programme, Teagasc, Athenry, Co. Galway. Outline 1. Family Farm Income Definition 2. Overview of

372 views • 33 slides
National Voter R Registration Act: Public Assista Public Assista ance Agencies ance Agencies

National Voter R Registration Act: Public Assista Public Assista ance Agencies ance Agencies

National Voter R Registration Act: Public Assista Public Assista ance Agencies ance Agencies Jonathan Stein | Vot ting Rights Attorney jstein@ac cluca.org Why voter re Why voter re egistration? egistration? California ranks 45 th in its

513 views • 13 slides
FFI The good, the bad and the ugly Esteban Lorenzano (The Pharo firefighter) Current status of

FFI The good, the bad and the ugly Esteban Lorenzano (The Pharo firefighter) Current status of

FFI The good, the bad and the ugly Esteban Lorenzano (The Pharo firefighter) Current status of FFI: A mess :( Several options, none of them very clear. Three options: FFI, AlienFFI, NB-FFI FFI Basic types and not much more you can declare

295 views • 16 slides
Language-side Foreign Function Interfaces with NativeBoost IWST 2013 Camillo Bruni, Luc

Language-side Foreign Function Interfaces with NativeBoost IWST 2013 Camillo Bruni, Luc

Language-side Foreign Function Interfaces with NativeBoost IWST 2013 Camillo Bruni, Luc Fabresse, Stphane Ducasse, Igor Stasenko Outline 1. Context 2. Existing Solutions 3. NativeBoost 4. Speed Comparison of NativeBoost with other FFIs

580 views • 36 slides

More recommend