A. Haeberlen Having your Cake and Eating it too: Routing Security with Privacy Protections 1 HotNets-X (November 15, 2011) Alexander Gurney * Andreas Haeberlen.

Presentation transcript:

Having your Cake and Eating it too: Routing Security with Privacy Protections
Alexander Gurney*, Andreas Haeberlen*, Wenchao Zhou*, Micah Sherr+, Boon Thau Loo*
* University of Pennsylvania, + Georgetown University
HotNets-X (November 15, 2011)

Motivation: Interdomain routing
Alice's AS has a contract with Bob's AS.
Example: "Bob will always choose the shortest route to X"
How can Alice be sure that Bob complies?
If Bob had a shorter route available, how would Alice know?
Bob could break his promise for various reasons.
[Figure: Alice, Bob, Charlie, Doris, Eliot; routes C F X, D G H X, E J H X, E X, B C F X; Bob: "I will always use the shortest route to X"]

Goal #1: Security
We would like to have security.
Goal: If Bob breaks his promise, Alice can detect and prove it.
S-BGP is not sufficient.
NetReview [NSDI'09] is, but requires revealing all routes.
[Figure: Alice, Bob, Charlie, Doris, Eliot; routes C F X, D G H X, E X, B C F X]

Goal #2: Privacy
We would also like to have privacy.
ASes want to avoid revealing routes (other than the chosen route).
Prior solutions choose either security or privacy.
Can we have both?
[Figure: Alice, Bob, Charlie, Doris, Eliot; routes C F X, D G H X, E X, B C F X]

Private and Verifiable Routing (PVR)
Our goal is to find a protocol that can be run alongside BGP and guarantees the following:
Detection: If an AS breaks a promise about its interdomain routing policies, at least one of its neighbors can detect this.
Evidence: If an AS breaks a promise, at least one of its direct neighbors can prove this.
Accuracy: If an AS does not break any promises, none of its neighbors can prove any violations.
Confidentiality: No AS can learn anything about its neighbors' routes that BGP does not already reveal.
Slightly more technical definition in the paper.

Outline
Motivation
Definition of PVR
Strawman solutions
Two simple PVR protocols
Discussion
Summary

Strawman solutions
Idea: Use Secure Multi-party Computation (SMC) or zero-knowledge proofs (ZKP).
SMC securely computes a function over secret inputs. Example: "Who in this room makes the most money?"
Problem #1: Too expensive - even simple functions can take several seconds to evaluate!
Problem #2: Too weak - no evidence!
Similar problems with ZKP.

Idea: Collaborative verification
What helps us: We are not trying to compute the routes for Bob, as in SMC! Rather, we want to verify that Bob kept his promise.
Each domain already knows some aspect of the computation!
Idea: Domains can work together!
[Figure: Alice, Bob, Charlie, Doris, Eliot]

Example: Required export
Let's start with a simple example.
Bob: "If I have at least one route to X, I will export one to Alice"
What do we need to verify?
Property #1: If Bob gives a route to Alice, that route is genuine. Simply sign the route, as in S-BGP.
Property #2: If Bob does not give a route to Alice, then Bob did not receive any routes from Charlie, Doris, or Eliot.
[Figure: Alice, Bob, Charlie, Doris, Eliot]

How to commit to a value
[Figure: Bob, Charlie, Doris. b -> Bob (H(b||x)), where x is random bits to prevent dictionary attack; Bob later reveals b, x. Callouts: "OK, Bob committed to b!", "But what is b? Does Doris know b?", "Aha, the b in the commitment is 1!", "Same b as Doris!"]

Example: Required export
1. C, D, and E give their routes to Bob.
2. Bob sets b=1 if he has at least one route, otherwise b=0.
3. Bob distributes the following information:
   To each neighbor: Commitment.
   To Alice, and to each neighbor who has given Bob a route: value of b.
4. The neighbors exchange commitments and then check:
   Neighbors: If I gave Bob a route, did I get the value of b, and is b=1?
   Alice: If I did not receive a route, is b=0?
If the promise holds, no AS learns anything it did not already know!
If the promise does not hold, at least one AS can detect this!
[Figure: Alice, Bob, Charlie, Doris, Eliot; routes C F X and E X given to Bob; each neighbor holds a commitment, b=1; no route exported to Alice (error)]
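The four steps above, as an added Python sketch that is not code from the talk or the paper. It assumes SHA-256 for H and a 16-byte random x, omits Bob's signatures on his messages, and uses hypothetical function names; the scenarios are constructed from the slide's figure.

```python
import hashlib
import secrets

NEIGHBORS = ["Charlie", "Doris", "Eliot"]  # Bob's route-giving neighbors on the slides

def commit(b, x):
    """H(b||x): x is random so b cannot be found by hashing both candidates."""
    return hashlib.sha256(bytes([b]) + x).hexdigest()

def bob_step3(providers, claimed_b):
    """Step 3: everyone gets the commitment; the opening (b, x) goes only to
    Alice and to neighbors that gave Bob a route."""
    x = secrets.token_bytes(16)
    c = commit(claimed_b, x)
    msgs = {}
    for name in NEIGHBORS + ["Alice"]:
        knows_b = name == "Alice" or name in providers
        msgs[name] = {"commitment": c,
                      "opening": (claimed_b, x) if knows_b else None}
    return msgs

def step4_detectors(msgs, providers, alice_got_route):
    """Step 4: return the ASes whose local check fails (empty = promise held)."""
    if len({m["commitment"] for m in msgs.values()}) != 1:
        return sorted(msgs)  # exchanged commitments differ: Bob equivocated
    failed = []
    for name, m in msgs.items():
        if name != "Alice" and name not in providers:
            continue  # e.g. Doris: holds only the commitment, learns nothing
        if m["opening"] is None or commit(*m["opening"]) != m["commitment"]:
            failed.append(name)  # no opening, or opening does not match
        elif name in providers and m["opening"][0] != 1:
            failed.append(name)  # "I gave Bob a route, so b must be 1"
        elif name == "Alice" and not alice_got_route and m["opening"][0] != 0:
            failed.append(name)  # "I got no route, so b must be 0"
    return sorted(failed)

def run(providers, claimed_b, alice_got_route):
    """One protocol round; claimed_b is whatever Bob chooses to commit to."""
    msgs = bob_step3(providers, claimed_b)
    return step4_detectors(msgs, providers, alice_got_route)
```

Whichever value a non-exporting Bob commits to, some check fails: b=1 is caught by Alice, b=0 by the neighbors that gave him a route.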

Second example: Shortest route
A more complex example:
Bob: "I will give Alice the shortest route I have"
Need to verify:
Property #1: Route exported => Route genuine (see previous example)
Property #2: No routes exported => None available (see previous example)
Property #3: Each imported route is at most as long as the exported route (minus one)
[Figure: Alice, Bob, Charlie, Doris, Eliot; route lengths 3 hops, 2 hops, 4 hops; exported route 2+1=3 hops]

Commitment with Merkle Hash Trees
[Figure: hash tree with four values b1, b2, b3, b4. Proof that the second value is b2: b2 plus the path to the root. Reveals nothing about b1, b3, b4!]

Second example: Shortest route
Bob commits to a vector of bits with a Merkle hash tree. Bit k set to 1: "I have a route that is at most k hops long"
Neighbor with a 3-hop route: "Bit 3 is set! Bob acknowledges the 3-hop route!"
Alice: "a) No bit below 2 is set; this is the shortest route! b) All bits above 2 are set; Bob didn't lie to the others!"
If Bob picks the shortest route, no neighbor learns anything new!
If Bob picks the wrong route, at least one neighbor can detect it!
[Figure: Alice, Bob, Charlie, Doris, Eliot; route lengths 3 hops, 2 hops, 5 hops; exported route 2+1=3 hops; Merkle hash tree over the bits]
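The Merkle-tree commitment and the bit-vector check from the two slides above, as an added Python sketch that is not code from the talk or the paper. It assumes SHA-256, eight bit positions, and a random nonce blinding each leaf (the random-bits idea from the commitment slide applied per leaf); all function names are hypothetical.

```python
import hashlib
import secrets

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def bits_for(best, size=8):
    """Bit k is 1 iff Bob claims a route of at most k hops."""
    return [1 if k >= best else 0 for k in range(size)]

def build(bits):
    """Merkle tree over blinded leaves H(bit||nonce); len(bits) is a power of 2.
    Returns (levels, nonces); levels[-1][0] is the root Bob commits to."""
    nonces = [secrets.token_bytes(16) for _ in bits]
    levels = [[H(bytes([b]), n) for b, n in zip(bits, nonces)]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([H(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels, nonces

def prove(levels, nonces, bits, k):
    """Open position k: the bit, its nonce, and sibling hashes up to the root."""
    path, i = [], k
    for level in levels[:-1]:
        path.append(level[i ^ 1])  # sibling of the current node
        i //= 2
    return bits[k], nonces[k], path

def verify(root, k, proof):
    """Recompute the path to the root; other leaves stay hidden behind hashes."""
    bit, nonce, path = proof
    node = H(bytes([bit]), nonce)
    for sibling in path:
        node = H(node, sibling) if k % 2 == 0 else H(sibling, node)
        k //= 2
    return node == root

def neighbor_ok(root, my_hops, proof):
    """A neighbor that gave Bob an h-hop route checks that bit h opens as 1."""
    return verify(root, my_hops, proof) and proof[0] == 1

def alice_ok(root, bob_hops, proofs):
    """Alice's route is bob_hops long at Bob: bits below it must be 0 and all
    others 1."""
    return all(verify(root, k, p) and p[0] == (1 if k >= bob_hops else 0)
               for k, p in enumerate(proofs))
```

Each neighbor sees only its own bit, and the vector Alice sees is fully determined by the length of the route she received, so an honest Bob reveals nothing new.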

From simple to complex
So far: We can verify two very simple policies.
What about more complex BGP policies?
Example: "I will give you a European route, unless my Asian route is shorter"
Idea: Compose policies to form complex ones.
More details in the paper (e.g., about access control).
[Figure: composed policy built from the blocks "Shortest route", "Shortest", "At least one"]

Ongoing work
So far, this is only a proof of concept.
Need to support more complex policies. What about communities? AS_PATH filtering? Etc. We already have additional results - please ask me!
Need to handle protocol dynamics. BGP routes are announced and withdrawn over time.
Need to have a formal proof of correctness. Currently investigating model checking.
Need to build a practical system. What is the overhead? Etc.

Summary
PVR can verify whether an AS's interdomain routing policy has a certain property. Example: "I will always choose the shortest route to X"
PVR provides both security and privacy.
Neighbors can detect violations and generate evidence.
If an AS is correct, PVR reveals no additional information about its routes, other than what BGP already reveals.
Demonstrated two simple example protocols.
Can we support more complex promises?
Questions?