Security: Packet Level Authentication and Pub/Sub Security Solution
Dr. Dmitrij Lagutin
Helsinki Institute for Information Technology (HIIT)
Contents
  Security goals in a clean slate publish/subscribe network
  Packet Level Authentication (PLA)
  Securing rendezvous process in PURSUIT
  Conclusions
Security goals in a clean slate publish/subscribe network
  We want to avoid the problems of the original Internet: security should be considered in every part of the network design from the start
    – Identifiers, rendezvous, forwarding, etc.
    – Attacker can be anywhere in the network
  Basic security goals for the network
    – Availability: unwanted traffic should be prevented on all levels, as close to the source as possible
    – Integrity
    – Reasonable trade-off between privacy and accountability
    – Scalability
Security goals in a clean slate publish/subscribe network
  The clean slate publish/subscribe approach makes security somewhat easier compared to IP
    – Self-certifying identifiers
    – Authenticity and integrity of the publication can be independently verified
  Publish and subscribe operations instead of connections
    – The receiver, instead of the sender, is in control
    – No data should be transmitted without an explicit subscription
Packet Level Authentication (PLA)
  Traditional end-to-end solutions such as IPsec and HIP do not offer enough protection: they are not effective if the network infrastructure is attacked and is unable to deliver packets
  Capability-based solutions (SIFF, TVA, Fastpass) establish a single protected path in the network
    – Require state in routers
    – Not effective if some packets take alternative paths
  There is a clear need for a hop-by-hop security solution, where security policies can be enforced at every hop in the network
Packet Level Authentication (PLA)
  PLA is a novel method for providing availability on the network layer
    – Originally PLA was designed for IP networks; however, it can be used with any network layer protocol
  A good analogy is paper currency: the authenticity of a paper bill can be verified using built-in security measures (watermark, hologram, etc.)
    – Similarly, PLA allows any node to independently verify the authenticity and validity of any packet
Packet Level Authentication (PLA)
  The sender adds its own header to packets, containing the sender's cryptographic identity, a certificate from the trusted third party, a signature over the packet, and other fields
    – Using this information, intermediate nodes can verify the integrity and authenticity of the traffic
    – Is the packet original and unique?
    – Has it been sent by an authorized sender?
  The PLA header is added on top of the network layer (e.g., IP) header
    – PLA is transparent to higher layer protocols and can be used with other security solutions such as IPsec and HIP
PLA: Header
  PLA offers two levels of protection
    – Cryptographic signatures provide integrity protection on the network layer
    – Trust management system provides accountability, and allows removal of malicious nodes from the network
  All users in the network are authorized by trusted third parties
PLA Header
  The signature made with the sender's private key, together with the sender's public key, is used to check the authenticity of the packet
  The trusted third party (TTP) authorizes the sender through the certificate
  The timestamp is used to detect delayed packets, which may be a sign of a replay attack
  The monotonically increasing sequence number is used to detect duplicated packets
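The timestamp and sequence-number checks listed above, sketched as an added example that is not part of the original slides or the PLA implementation. The names ReplayGuard, MAX_AGE_S and WINDOW are hypothetical, the freshness limit and window size are assumed values, and tolerating reordered packets with a sliding window is an assumption borrowed from IPsec anti-replay; the slides only say the sequence number is monotonically increasing.

```python
from dataclasses import dataclass

MAX_AGE_S = 5.0   # assumed freshness limit; the slides give no value
WINDOW = 64       # assumed reordering tolerance, in packets

@dataclass
class SenderState:
    highest_seq: int = -1
    seen_mask: int = 0    # bit i set => sequence (highest_seq - i) was accepted

class ReplayGuard:
    """Timestamp and sequence checks kept by one verifying node. Call check()
    only after the signature and TTP certificate have verified."""

    def __init__(self):
        self.senders = {}   # sender public key -> SenderState

    def check(self, sender_key, timestamp, seq, now):
        if abs(now - timestamp) > MAX_AGE_S:      # delayed or future-dated
            return "drop: stale timestamp"
        st = self.senders.setdefault(sender_key, SenderState())
        if seq > st.highest_seq:                  # new highest: slide the window
            shift = seq - st.highest_seq
            st.seen_mask = ((st.seen_mask << shift) | 1) & ((1 << WINDOW) - 1)
            st.highest_seq = seq
            return "accept"
        offset = st.highest_seq - seq
        if offset >= WINDOW:                      # too far behind to track
            return "drop: sequence too old"
        if st.seen_mask & (1 << offset):          # already delivered once
            return "drop: duplicate sequence"
        st.seen_mask |= 1 << offset               # late but first arrival
        return "accept"

# Constructed sample traffic: (sender key, timestamp, sequence number).
SAMPLE = [
    (b"A", 999.8, 1), (b"A", 999.9, 3), (b"A", 999.9, 2),   # 2 arrives late
    (b"A", 999.9, 3),                                       # duplicate of 3
    (b"A", 990.0, 4),                                       # captured 10 s ago
    (b"B", 999.9, 1),                                       # independent sender
    (b"A", 1000.0, 100), (b"A", 1000.0, 3),                 # 3 now outside window
]

def run_sample(now=1000.0):
    guard = ReplayGuard()
    return [guard.check(key, ts, seq, now) for key, ts, seq in SAMPLE]

if __name__ == "__main__":
    print(run_sample())
```

State is keyed by the sender's public key, so a node that forwards traffic for many senders needs an eviction policy for idle entries.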
PLA: Trusted Third Parties
  Simply signing packets is not enough by itself
    – An attacker may generate a large number of identities
  A Trusted Third Party (TTP) provides higher layer protection
    – Authorizes the user's public key, i.e., grants permission to use the network
    – Binds the cryptographic identity to a real identity
    – Allows more efficient trust management: there is no need to trust individual users, trusting a TTP is enough in most cases
    – Various organizations (operator, company, country) may have their own TTP
PLA: Trusted Third Parties
  TTP certificates use a standard certificate format with rights, validity time, and so on
  TTP certificate types
    – Normal traffic certificate, short validity time (hours or minutes)
    – Priority certificate, for network management and authorities
    – Signalling certificate, limited rights, long validity time (years)
    – Self-signed certificate, used in the very beginning of the bootstrapping phase
PLA: Cryptographic solutions and performance
  PLA uses elliptic curve cryptography (ECC) due to its compact keys
    – A 163-bit ECC key is as strong as a 1024-bit RSA key
    – The total size of the PLA header is about 1000 bits
  Dedicated hardware is necessary for verifying signatures at wire speed
    – An FPGA-based proof-of-concept accelerator can perform 166,000 verifications per second
    – A Hardcopy-based 90 nm ASIC can verify 850,000 packets/s, corresponding to 5 Gbps of average traffic
    – Power consumption is only 26 μJ/verification (less than the cost of wireless communication)
PLA: Cryptographic solutions and performance
  Worldwide bandwidth consumption was 21,367 PB per month in 2010
    – If we assume: 4,650 bits per packet, 12 hops per route
    – Then signing and verifying every packet at every hop in the Internet using the Hardcopy ASIC would consume about 4.5 MW of power (output of a large wind turbine)
  A 65 nm ASIC with some optimization produces significantly better performance and power consumption
    – A 1.12 mm² block running at 600 MHz can perform 195,000 verifications with a power consumption of 500 mW => 2.56 μJ/verification
    – Power consumption of cryptographic operations would drop to 450 kW for the whole Internet
PLA: Other applications
  Having strong per-packet signatures allows PLA to be used for several other applications
  The sequence number can be used for secure per-packet and per-bandwidth billing
  Securing higher level protocols such as MIH (media independent handover) without excessive signalling
  Controlling incoming connections: no data connection can be established without explicit permission from the receiver
  Good balance between privacy and accountability without extensive data retention by operators
PLA: Wireless authentication
  User authentication and roaming, especially useful in wireless networks, for example:
    – Network bootstrapping messages are protected by PLA. Base stations would check if the user is authorized by a trusted TTP (e.g. Aalto's TTP)
    – Authentication is done at the bootstrapping phase. Afterwards, a symmetric session key can be used to secure further traffic.
  No manual intervention, such as entering passwords or credit card information, is needed from users
  No signalling to the external authentication server is necessary if the TTP is known by the base station
Securing the rendezvous process in PURSUIT
  Main concepts revisited
    – Publisher creates the publication, which is delivered to the subscriber
    – Data source serves the publication
    – Scopes control how publications are disseminated
    – Rendezvous system serves scopes, data sources and subscribers
  Data source and publisher are often the same entity
  Self-certifying (P:L) identifiers for Rid and Sid
Securing the rendezvous process in PURSUIT
  Goal: protect the data source and rendezvous system from unwanted traffic
  Rendezvous signalling messages are protected by PLA
  Standard certificates between various parties are used; in the following example:
    – CX denotes the certificate from the access network to the subscriber (permission to use the network and a proof of topological location)
    – CY denotes a similar certificate given to the data source
Securing the rendezvous process in PURSUIT
  0. Scope and data source mutually authenticate each other (to host publication)
  1. Publication is published by the data source
  2. & 3. Subscriber receives data source's location with all relevant certificates from the rendezvous system
  4. Subscription request is sent towards the data source with all relevant certificates
  5. Publication is transmitted
Securing the rendezvous process in PURSUIT
  Using certificates included in the subscription messages, intermediate nodes can verify that:
    – Subscriber and data source are valid entities in the network
    – Subscriber wants to receive the publication
    – Data source has been authorized by the scope and is willing to host the publication
    – Optionally: subscriber has a right to request the publication
  Invalid subscription requests are dropped before they reach the data source
Securing the rendezvous process in PURSUIT
  ECC allows inclusion of full keys in Rid/Sids
    – Less bandwidth overhead
  Fully independent verification of rendezvous and subscription messages
    – Access control is also supported
  The network can easily limit the number of allowed rendezvous or subscription messages
    – Protects the rendezvous system and data sources
  zFilters can be used to prevent DoS attacks on the forwarding layer
Conclusions
  Good network layer security is necessary in addition to end-to-end security
  PLA is a novel security solution for providing availability on the network layer
    – Allows independent verification of packets
    – Suitable for different kinds of networks (IP, PURSUIT, etc.)
  Main security components of PURSUIT
    – Self-certifying identifiers
    – Securing the rendezvous process through certificates and PLA
    – Forwarding security through zFilters