Proxychain: Developing a Robust and Efficient Authentication - - PowerPoint PPT Presentation



SLIDE 1

Proxychain: Developing a Robust and Efficient Authentication Infrastructure for Carrier-Scale VoIP Networks

Italo Dacosta and Patrick Traynor

SLIDE 2

Georgia Tech Information Security Center

Performance, Scalability and Security

  • Finding the right balance between performance/scalability and security is a well-known challenge
  • Robust but computationally expensive security mechanisms are difficult to deploy in production environments
    – S-BGP, DNSSEC
  • Weaker but more efficient security mechanisms are generally broken and abused
    – WEP, IKE Aggressive mode

SLIDE 3

Another Example: SIP Authentication

  • Session Initiation Protocol (SIP)
    – Establishes, manages and terminates sessions between two or more clients
    – Generally associated with VoIP
  • RFC 3261 recommends several security mechanisms: Digest authentication, SSL/TLS, IPsec and S/MIME
  • However, Digest authentication is typically the only one employed
    – Weaker but more efficient

SLIDE 4

SIP Digest Authentication

  • Challenge-response authentication protocol
  • Based on cryptographic hash operations (MD5)
  • De facto authentication mechanism in SIP

SLIDE 5

SIP Dialogs with Digest Authentication

[Figure: message sequence for two consecutive dialogs (1 and 2). Each dialog carries the same message labels, in this order:]

  INVITE
  407 Response [realm, n]
  INVITE [H(H(uid||realm||pwd)||n||H(method||URI))]
  uid
  H(uid||realm||pwd)
  INVITE

Request to DB always required

SLIDE 6

Problems with Digest Authentication

  • Inefficient in scenarios with a remote authentication service or database
    – RTT added to each authentication operation
    – One request to the database per authenticated SIP message
    – High load in the database if it is shared by multiple SIP servers
  • Considered a weak authentication protocol
    – E.g., No mutual authentication

SLIDE 7

Our Scenario: A Nationwide VoIP Provider

[Figure legend: P = SIP Proxies; DB = Authentication database]

SLIDE 8

The Problem: Digest Authentication Performance in Our Scenario

[Plot: axes Measured Throughput (cps) and Offered Load (cps); series: No Authentication, Digest Authentication]

  ≈ 24,000 cps (no auth.)
  ≈ 1,160 cps (Digest auth.)

SLIDE 9

Our Proposed Solution

  • Reduce the number of requests to the database by caching temporary authentication credentials in the proxies
  • Use hash chains to build these temporary credentials
    – Take advantage of hash chain properties
  • Caching Digest auth. credentials reduces security!
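The Digest exchange from the dialog slide, as an added example that is not part of the original slides: it shows the one database lookup per authenticated INVITE and why a cached Digest credential is as sensitive as the password. It uses the colon-joined RFC 2617 form without qop; the user, realm, password, URI and class names are constructed for illustration.

```python
import hashlib
import hmac
import os

def md5_hex(*parts: str) -> str:  # MD5 over colon-joined fields (RFC 2617 style)
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    # H(H(uid||realm||pwd) || n || H(method||URI)); ha1 is the inner hash
    return md5_hex(ha1, nonce, md5_hex(method, uri))

class AuthDB:  # stand-in for the remote authentication database
    def __init__(self):
        self.rows = {"alice": md5_hex("alice", "example.test", "s3cret-pw")}
        self.lookups = 0

    def fetch_ha1(self, uid: str) -> str:
        self.lookups += 1  # one network round trip per call in the real setup
        return self.rows[uid]

class DigestProxy:
    def __init__(self, db: AuthDB):
        self.db, self.issued = db, set()

    def challenge(self) -> str:  # nonce n carried in the 407 response
        nonce = os.urandom(16).hex()
        self.issued.add(nonce)
        return nonce

    def verify(self, uid, nonce, method, uri, response) -> bool:
        if nonce not in self.issued:
            return False
        self.issued.discard(nonce)  # each nonce is accepted once
        expected = digest_response(self.db.fetch_ha1(uid), nonce, method, uri)
        return hmac.compare_digest(expected, response)

def run_calls(n_calls: int, uri: str = "sip:bob@example.test"):
    db = AuthDB()
    proxy = DigestProxy(db)
    def attempt(ha1):  # full challenge/response round for one INVITE
        n = proxy.challenge()
        return proxy.verify("alice", n, "INVITE", uri,
                            digest_response(ha1, n, "INVITE", uri))
    client_ha1 = md5_hex("alice", "example.test", "s3cret-pw")  # from the password
    accepted = sum(attempt(client_ha1) for _ in range(n_calls))
    # The stored value alone answers a fresh challenge: it is password-equivalent.
    from_stored = attempt(db.rows["alice"])
    return accepted, db.lookups, from_stored
```

`run_calls(3)` returns `(3, 4, True)`: every verification costs a database lookup, and the value a proxy would have to cache is enough on its own to pass authentication.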

SLIDE 10

Hash Chains Background

  • Sequence of one-time authentication tokens
  • Created by applying a cryptographic hash function to a secret value r multiple times

H^n(r) = H(…H(H(r))…)

SLIDE 11

Methodology

  • Design and implementation of new SIP authentication protocol: Proxychain
  • Experimental evaluation
    – Call throughput
    – Bandwidth utilization
    – CPU utilization
  • Results analysis

SLIDE 12

Proxychain Design Goals

  • Efficiency
    – Faster authentication operations
  • Scalability
    – Support larger number of users and proxies
  • Security
    – Provide more security guarantees

SLIDE 13

Proxychain SIP Dialogs

[Figure: message sequence for two consecutive dialogs (1 and 2). Message labels from the figure:]

Dialog 1:
  INVITE [nAP]
  A, P
  H^l(tkA), l, nDA, nDP, tkP
  407 Response [i, P, nDA, nDP, HMAC(tkP, nAP||i)]
  INVITE [A, B, i, HMAC(tkP, A||B||i), H^(i-1)(tkA)]
  INVITE

Dialog 2:
  INVITE [nAP]
  407 Response [i-1, P, nDA, nDP, HMAC(tkP, nAP||i-1)]
  INVITE [A, B, i-1, HMAC(tkP, A||B||i-1), H^(i-2)(tkA)]
  INVITE

No request to DB is required

Secure Channel
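A minimal model of the hash-chain tokens and the Proxychain dialog above, added here as an example and not the authors' C implementation. The derivation of tkA and tkP, the `|` field separator inside the HMAC, and all names and sample values are assumptions; the slides give only the message contents.

```python
import hashlib
import hmac
import os

def H(data: bytes, times: int = 1) -> bytes:  # H^times(data), MD5 as in the slides
    for _ in range(times):
        data = hashlib.md5(data).digest()
    return data

def mac(key: bytes, *fields) -> bytes:
    return hmac.new(key, "|".join(map(str, fields)).encode(), hashlib.md5).digest()

def derive_tokens(ha1, proxy_id, n_da, n_dp):  # ASSUMPTION: derivation not on the slides
    tk_a = H(ha1 + n_da)
    return tk_a, H(tk_a + proxy_id.encode() + n_dp)

class Proxy:
    def __init__(self, state):  # P plus cached [H^l(tkA), l, nDA, nDP, tkP]
        self.name, self.tail, self.i, self.n_da, self.n_dp, self.tk_p = state

    def challenge(self, n_ap):  # 407 [i, P, nDA, nDP, HMAC(tkP, nAP||i)]
        return self.i, self.name, self.n_da, self.n_dp, mac(self.tk_p, n_ap, self.i)

    def verify(self, a, b, i, tag, token):  # INVITE [A, B, i, HMAC, H^(i-1)(tkA)]
        ok = (i == self.i and hmac.compare_digest(tag, mac(self.tk_p, a, b, i))
              and hmac.compare_digest(H(token), self.tail))
        if ok:  # consume the token; the next dialog uses i-1
            self.tail, self.i = token, i - 1
        return ok

def client_invite(uid, ha1, callee, n_ap, resp):
    i, p, n_da, n_dp, tag = resp
    tk_a, tk_p = derive_tokens(ha1, p, n_da, n_dp)
    if not hmac.compare_digest(tag, mac(tk_p, n_ap, i)):
        raise ValueError("proxy failed mutual authentication")
    return uid, callee, i, mac(tk_p, uid, callee, i), H(tk_a, i - 1)

def demo(l=5, a="alice", b="bob"):  # constructed sample identities
    ha1, n_da, n_dp = H(b"alice:example.test:s3cret-pw"), os.urandom(8), os.urandom(8)
    tk_a, tk_p = derive_tokens(ha1, "P1", n_da, n_dp)  # DB side, done once
    proxy = Proxy(["P1", H(tk_a, l), l, n_da, n_dp, tk_p])  # all the proxy ever holds
    results = []
    for _ in range(2):  # two dialogs, no DB request in between
        n_ap = os.urandom(8).hex()
        msg = client_invite(a, ha1, b, n_ap, proxy.challenge(n_ap))
        results.append(proxy.verify(*msg))
    replay = proxy.verify(*msg)  # an already used token is rejected
    from_stolen_cache = proxy.verify(a, b, proxy.i, mac(tk_p, a, b, proxy.i), H(tk_a, l))
    return results, replay, from_stolen_cache, proxy.i
```

`demo()` returns `([True, True], False, False, 3)`: both dialogs authenticate without a database request, a replayed INVITE is rejected, and the values originally cached on the proxy yield a valid HMAC but not the next chain token.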

SLIDE 14

Proxychain implementation

  • Modifications to proxy, database and client software
    – Implemented in C language
    – Relatively small when compared to original code base
  • Total credential size (MD5): 134 bytes
    – Only ≈26 MB of proxy's memory required for storing 200,000 users' credentials

SLIDE 15

Experimental Setup

  • PlanetLab for obtaining real RTT values
  • GT Emulab testbed for database and proxies
    – OpenSIPS for proxies
    – MySQL for the database
  • Nine high-capacity servers for generating SIP call traffic
    – SIPp as the SIP traffic generator

SLIDE 16

Results: Call Throughput

[Plot: axes Measured Throughput (cps) and Offered Load (cps); series: No Authentication, Digest Authentication, Proxychain]

  ≈ 24,000 cps (no auth.)
  ≈ 1,160 cps (Digest auth.)
  ≈ 19,700 cps (Proxychain)

SLIDE 17

Results: Database CPU Utilization

[Plot: axes MySQL % CPU utilization and Time (sec); series: Digest authentication, Proxychain; annotation: DB saturation (dual core machine)]

SLIDE 18

Results: Scalability

[Plot: axes Maximum usable throughput (cps) and # of proxies; series: Digest authentication, Proxychain]

y = 3243.9x + 416.5, R^2 = 0.998

SLIDE 19

Results: INVITE and BYE Authentication

[Plot: axes Measured Throughput (cps) and Offered Load (cps); series: Proxychain (INVITE), Proxychain (INVITE and BYE)]

  ≈ 19,700 cps (INVITE)
  ≈ 12,000 cps (INVITE+BYE)

SLIDE 20

Discussion: Performance and Scalability

  • Proxychain reduces the effects of network latency, allowing higher call throughput
  • Lower load to the database allows more scalability and lower HW requirement

SLIDE 21

Discussion: Performance and Scalability

  • Hash chains allow constant storage space
    – Dynamic reprovisioning (future work)
  • Key assumption: each proxy caches most of its users' credentials (>75%)
    – Pre-fetching mechanism
    – Cache eviction policies (future work)

SLIDE 22

Discussion: Security

  • Security improvements over Digest authentication and hash chain protocols
    – Efficient mutual authentication, additional security verifications
  • Protection against passive and active attackers
    – Stealing credentials from a proxy does not allow user impersonation (only affects mutual authentication)

SLIDE 23

Conclusions

  • Proxychain simultaneously provides a robust, scalable and efficient authentication mechanism for carrier-scale SIP providers without additional HW
  • Even non-carrier level infrastructures with centralized authentication service can benefit from Proxychain
  • The key concepts behind Proxychain can be applied to authentication protocols in other domains

SLIDE 24

Questions?

Contact: idacosta@gatech.edu