Securing rendezvous process in PURSUIT


Security: Packet Level Authentication and
Pub/Sub Security Solution
Dr. Dmitrij Lagutin
Helsinki Institute for Information Technology (HIIT)
4.10.2011
Contents
• Security goals in a clean slate publish/subscribe
network
• Packet Level Authentication (PLA)
• Securing rendezvous process in PURSUIT
• Conclusions
Security goals in a clean slate
publish/subscribe network
• We want to avoid the problems of the original Internet:
security should be considered in every part of the
network design from the start
– Identifiers, rendezvous, forwarding, etc.
– Attacker can be anywhere in the network
• Basic security goals for the network
– Availability: unwanted traffic should be prevented on
all levels, as close to the source as possible
– Integrity
– Reasonable trade-off between privacy and
accountability
– Scalability
Security goals in a clean slate
publish/subscribe network
• The clean slate publish/subscribe approach makes security
somewhat easier compared to IP
– Self-certifying identifiers
– Authenticity and integrity of the publication can be
independently verified
• Publish and subscribe operations instead of connections
– Receiver, instead of the sender, is in control
– No data should be transmitted without an explicit
subscription
Packet Level Authentication (PLA)
• Traditional end-to-end solutions such as IPSec and HIP
do not offer enough protection: they are not effective if
the network infrastructure is attacked and is unable to
deliver packets
• Capability-based solutions (SIFF, TVA, Fastpass)
establish a single protected path in the network
– Require state in routers
– Not effective if some packets take alternative paths
• There is a clear need for a hop-by-hop security solution,
where security policies can be enforced at every hop in
the network
Packet Level Authentication (PLA)
• PLA is a novel method for providing availability on the
network layer
– Originally PLA was designed for IP networks,
however it can be used with any network layer
protocol
• A good analogy is paper currency: the authenticity of a
paper bill can be verified using built-in security
measures (watermark, hologram, etc.)
– Similarly, PLA allows any node to independently
verify authenticity and validity of any packet
Packet Level Authentication (PLA)
• The sender adds its own header to packets, containing the
sender's cryptographic identity, a certificate from the
trusted third party, a signature over the packet and other
fields
– Using this information, intermediate nodes can verify integrity
and authenticity of the traffic
– Is the packet original and unique?
– Has it been sent by an authorized sender?
• PLA header is added on top of the network layer (e.g.,
IP) header
– PLA is transparent to higher layer protocols and can
be used with other security solutions such as IPSec
and HIP
PLA: Header
• PLA offers two levels of protection
– Cryptographic signatures provide integrity protection
on the network layer
– Trust management system provides accountability,
and allows removal of malicious nodes from the
network
• All users in the network are authorized by trusted third
parties
PLA Header
• The signature made with the sender's private key, together
with the sender's public key, is used to check the
authenticity of the packet
• Trusted third party (TTP) authorizes the sender through
the certificate
• Timestamp is used to detect delayed packets which may
be a sign of a replay attack
• Monotonically increasing sequence number is used to
detect duplicated packets
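The four header checks listed above, as an added Go example that is not from the original slides or from the PLA project: a forwarding node checks the TTP certificate, the packet signature, the timestamp and the sequence number before it forwards a packet. The field layout, the one-hour certificate, the 30-second tolerance and the use of Ed25519 in place of PLA's 163-bit ECC keys are assumptions; the payload and timestamps are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

type Packet struct { // assumed, simplified PLA header; the slides give no wire format
	Sender              ed25519.PublicKey // sender's cryptographic identity
	NotAfter, Timestamp int64             // TTP certificate expiry, send time (Unix seconds)
	Seq                 uint64            // monotonically increasing per sender
	CertSig, Sig, Data  []byte            // TTP certificate, packet signature, payload
}

func msg(parts ...any) []byte { return []byte(fmt.Sprint(parts...)) } // demo encoding only
func Pub(k ed25519.PrivateKey) ed25519.PublicKey { return k.Public().(ed25519.PublicKey) }
func NewKey() ed25519.PrivateKey {
	_, k, _ := ed25519.GenerateKey(nil) // Ed25519 stands in for PLA's 163-bit ECC keys
	return k
}

func NewPacket(ttp, snd ed25519.PrivateKey, ts int64, seq uint64, data []byte) *Packet {
	p := &Packet{Sender: Pub(snd), NotAfter: ts + 3600, Timestamp: ts, Seq: seq, Data: data}
	p.CertSig = ed25519.Sign(ttp, msg("cert", p.Sender, p.NotAfter)) // TTP: one-hour certificate
	p.Sig = ed25519.Sign(snd, msg("pkt", ts, seq, data))             // sender signs the packet
	return p
}

// Verify is the per-hop check; its only state is the last sequence number per sender.
func Verify(ttp ed25519.PublicKey, last map[string]uint64, p *Packet, now int64) string {
	switch prev, seen := last[string(p.Sender)]; {
	case now > p.NotAfter || !ed25519.Verify(ttp, msg("cert", p.Sender, p.NotAfter), p.CertSig):
		return "drop: sender not authorized by TTP"
	case len(p.Sender) != ed25519.PublicKeySize ||
		!ed25519.Verify(p.Sender, msg("pkt", p.Timestamp, p.Seq, p.Data), p.Sig):
		return "drop: bad signature"
	case now-p.Timestamp > 30: // assumed tolerance, in seconds
		return "drop: delayed packet"
	case seen && p.Seq <= prev:
		return "drop: duplicate sequence number"
	}
	last[string(p.Sender)] = p.Seq
	return "forward"
}

func main() {
	ttp, snd, last := NewKey(), NewKey(), map[string]uint64{}
	p := NewPacket(ttp, snd, 1317686400, 1, []byte("constructed payload"))
	fmt.Println(Verify(Pub(ttp), last, p, 1317686400), "/", Verify(Pub(ttp), last, p, 1317686400))
}
```

The sequence-number check needs one stored value per sender at each verifying node; the other three checks use only the packet and the TTP's public key.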
PLA: Trusted Third Parties
• Simply signing packets is not enough by itself
– An attacker may generate a large number of identities
• Trusted Third Party (TTP) provides higher layer
protection
– Authorizes the user's public key, i.e., permission to
use the network
– Binds cryptographic identity with a real identity
– Allows more efficient trust management: there is no need
to trust individual users, trusting a TTP is enough
in most cases
– Various organizations (operator, company, country)
may have their own TTP
PLA: Trusted Third Parties
• TTP certificates use a standard certificate format with
rights, validity time, and so on
• TTP certificate types
– Normal traffic certificate, short validity time (hours or
minutes)
– Priority certificate, for network management and
authorities
– Signalling certificate, limited rights, long validity time
(years)
– Self-signed certificate, used in the very beginning of
the bootstrapping phase
PLA: Cryptographic solutions and
performance
• PLA uses elliptic curve cryptography (ECC) due to its
compact keys
– A 163-bit ECC key is as strong as a 1024-bit RSA key
– The total size of the PLA header is about 1000 bits
• Dedicated hardware is necessary for verifying
signatures at wire speed
– An FPGA-based proof-of-concept accelerator can
perform 166,000 verifications per second
– A Hardcopy-based 90 nm ASIC can verify 850,000
packets/s, corresponding to 5 Gbps of average traffic
– Power consumption is only 26 μJ/verification (less
than the cost of wireless communication)
PLA: Cryptographic solutions and
performance
• Worldwide bandwidth consumption was 21,367 PB per
month in 2010
– If we assume: 4,650 bits per packet, 12 hops per route
– Then signing and verifying every packet at every hop in the
Internet using Hardcopy ASIC would consume about 4.5 MW of
power (output of a large wind turbine)
• A 65 nm ASIC with some optimization gives
significantly better performance and power consumption
– A 1.12 mm² block running at 600 MHz can perform 195,000
verifications with a power consumption of 500 mW => 2.56
μJ/verification
– Power consumption of cryptographic operations would drop to
450 kW for the whole Internet
PLA: Other applications
• Having strong per-packet signatures allows PLA to be
used for several other applications
• Sequence number can be used for secure per-packet
and per-bandwidth billing
• Securing higher level protocols such as MIH (media
independent handover) without excessive signalling
• Controlling incoming connections, no data connection
can be established without an explicit permission from
the receiver
• Good balance between privacy and accountability
without extensive data retention by operators
PLA: Wireless authentication
• User authentication and roaming, especially useful in
wireless networks, for example:
– Network bootstrapping messages are protected by
PLA. Base stations would check if the user is
authorized by a trusted TTP (e.g. Aalto's TTP)
– Authentication is done at the bootstrapping phase.
Afterwards, a symmetric session key can be used to
secure further traffic.
• No manual intervention, such as entering passwords or
credit card information, is needed from users
• No signalling to the external authentication server is
necessary if the TTP is known by the base station
Securing the rendezvous process in
PURSUIT
• Main concepts revisited
– Publisher creates the publication, which is delivered
to the subscriber
– Data source serves the publication
– Scopes control how publications are disseminated
– Rendezvous system serves scopes, data sources
and subscribers
• Data source and publisher are often the same entity
• Self-certifying (P:L) identifiers for Rid and Sid
Securing the rendezvous process in
PURSUIT
• Goal: protect the data source and rendezvous system
from unwanted traffic
• Rendezvous signalling messages are protected by PLA
• Standard certificates between various parties are used,
in the following example:
– CX denotes the certificate from the access network
to the subscriber (permission to use the network
and a proof of a topological location)
– CY denotes a similar certificate given to the data
source
Securing the rendezvous process in
PURSUIT
• 0. Scope and data source mutually authenticate each
other (to host publication <Sid:Rid>)
• 1. Publication is published by the data source
• 2. & 3. Subscriber receives data source's location with
all relevant certificates from the rendezvous system
• 4. Subscription request is sent towards the data source
with all relevant certificates
• 5. Publication is transmitted
Securing the rendezvous process in
PURSUIT
• Using certificates included in the subscription
messages, intermediate nodes can verify that:
– Subscriber and data source are valid entities in the
network
– Subscriber wants to receive the publication
– Data source has been authorized by the scope and is
willing to host the publication
– Optionally: subscriber has a right to request the
publication
• Invalid subscription requests are dropped before they
reach the data source
Securing the rendezvous process in
PURSUIT
• ECC allows inclusion of full keys in Rid/Sids
– Less bandwidth overhead
• Fully independent verification of rendezvous and
subscription messages
– Access control is also supported
• The network can easily limit the number of allowed
rendezvous or subscription messages
– Protects the rendezvous system and data sources
• zFilters can be used to prevent DoS attacks on the
forwarding layer
Conclusions
• Good network layer security is necessary in addition to
end-to-end security
• PLA is a novel security solution for providing availability
on the network layer
– Allows independent verification of packets
– Suitable for different kinds of networks (IP,
PURSUIT, etc.)
• Main security components of PURSUIT
– Self-certifying identifiers
– Securing rendezvous process through certificates
and PLA
– Forwarding security through zFilters