Enhancing Survivability of Security Services using Redundancy
Presented by: Zijian Cao, Joe Ondercin
Based on a paper by Matti Hiltunen, Richard D. Schlichting, and Carlos A. Ugarte

Overview
Traditional security services
  – Single method to guarantee security attributes
  – Single point of vulnerability
Use redundancy to increase survivability
  – Implement using multiple methods
  – Implement in ways that can vary unpredictably

Requirements
Appropriate techniques
System support

Techniques
Use multiple methods to enforce security attribute
  – If one method remains intact, attribute remains uncompromised
Methods need to be independent
  – Use of same key by different methods can result in both being defeated

Example - Secure Messaging
Encrypt messages with different methods
  – Use DES, then IDEA
  – Alternate the sequence of applying DES and IDEA for different messages
  – Apply different methods to different parts of message
Both methods would have to be identified and broken to compromise data

System Support
Simplifies redundancy-based survivability techniques using the appropriate software customization framework
Automation of techniques

Example - SecComm
SecComm
  – A highly configurable secure communication service
  – Implemented using Cactus
Cactus
  – A framework for software customization
  – Constructs configurable network protocols and services
  – Implements each service property as a separate software module (called a micro-protocol)

Security Properties
Basic
  – Authenticity
  – Privacy
  – Integrity
  – Non-repudiation
Attack Specific
  – Replay prevention
  – Known-plaintext attack prevention

Basic Security Micro-protocols (MPs)
Individual methods that can be utilized
Address security properties
Allow different abstract service properties and their variants to be implemented as independent modules

Meta-security MPs
Apply multiple or alternating basic security micro-protocols
Selected based on the desired properties
Create a complex protocol
  – Key feature for enabling redundancy for survivability

Examples of Meta-security MPs
MultiSecurity
  – Applies multiple basic security MPs to a message in sequence
AltSecurity
  – Applies one MP to each message, sequentially from a predetermined list
RandomAltSecurity
  – Randomly chooses the method for each message

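The three meta-security MPs described above, as an added Python example that is not SecComm or Cactus code. Assumptions: `StreamMP` is a hash-keystream stand-in for DES and IDEA (the standard library has neither), the `push`/`pop` names and the `seq` message number are illustrative, and `RandomAltSecurity` picks its method with a keyed PRF over a shared `select_key` so that both peers agree, which is one possible design and not taken from the paper.

```python
import hashlib, hmac

class StreamMP:
    """Stand-in privacy micro-protocol (NOT DES/IDEA): XOR with a keystream
    derived from a hash of key || message sequence number || block counter."""
    def __init__(self, name, hash_name, key):
        self.name, self.hash_name, self.key = name, hash_name, key

    def apply(self, data, seq):
        stream, ctr = b"", 0
        while len(stream) < len(data):
            block = self.key + seq.to_bytes(8, "big") + ctr.to_bytes(8, "big")
            stream += hashlib.new(self.hash_name, block).digest()
            ctr += 1
        # XOR is its own inverse, so the same call encrypts and decrypts.
        return bytes(a ^ b for a, b in zip(data, stream))

def check_independent(mps):
    """Reject configurations where two methods share a key (slide: Techniques)."""
    keys = [mp.key for mp in mps]
    if len(set(keys)) != len(keys):
        raise ValueError("micro-protocols must not share keys")
    return mps

class MultiSecurity:
    """Apply every basic MP to each message, in sequence."""
    def __init__(self, mps): self.mps = check_independent(mps)
    def push(self, msg, seq):
        for mp in self.mps: msg = mp.apply(msg, seq)
        return msg
    def pop(self, msg, seq):
        for mp in reversed(self.mps): msg = mp.apply(msg, seq)
        return msg

class AltSecurity:
    """Apply one MP per message, cycling through a predetermined list."""
    def __init__(self, mps): self.mps = check_independent(mps)
    def choose(self, seq): return self.mps[seq % len(self.mps)]
    def push(self, msg, seq): return self.choose(seq).apply(msg, seq)
    pop = push  # the receiver recomputes the same choice from seq

class RandomAltSecurity(AltSecurity):
    """Pick the MP per message from a keyed PRF both peers can compute."""
    def __init__(self, mps, select_key):
        super().__init__(mps); self.select_key = select_key
    def choose(self, seq):
        tag = hmac.new(self.select_key, seq.to_bytes(8, "big"), "sha256").digest()
        return self.mps[tag[0] % len(self.mps)]
```
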
Trade-offs
Performance
Configuration constraints

Why is this important?
Needs to be considered when designing architecture
Can reduce the potential for compromise
  – Security through obscurity
  – Use of available technology

Questions