Customized Network Security Protocols



  1. Customized Network Security Protocols
  Cristina Nita-Rotaru and Jeffrey Seibert
  SPONSORED BY DOUBLE-TAKE SOFTWARE (Jan. 2009 - July 2009)
  Department of Computer Science and CERIAS, Purdue University

  2. Security Goals for Network Protocols
  • Confidentiality
  • Authentication
  • Integrity
  • Non-repudiation
  • Access control
  • Availability
  • Replay protection
  A network protocol defines rules:
  - Syntax (how)
  - Semantics (what)
  - Synchronization (when)
  SERC Fall 2009 Showcase

  3. Communication Patterns
  • Point-to-point
  • One-to-many
  • Many-to-one
  • Many-to-many
  • Reliable communication
  • Unreliable communication

  4. Menu of Secure Protocols
  • Authentication + integrity + confidentiality
  • IPSEC: IP routing layer
  • SSL/TLS: transport for reliable communication
  • DTLS: transport for unreliable communication
  • Kerberos: access control for network services

  5. The Problem
  • The available set of secure protocols and the services they provide do not match the security and performance requirements of various applications
  "One solution fits all" is not good enough

  6. The Goals of This Project
  • Identify specific security goals for Double-Take Software protocols
  • Customize to meet performance and management requirements
  • Integrate the protocol with their product

  7. Customizable Features
  • Key management
  • Authentication + integrity
  • Authentication + integrity + confidentiality

  8. Overview of TLS
  • End-to-end secure channel, providing: confidentiality, integrity, authentication, replay protection
  • Defines how the characteristics of the channel are negotiated: key establishment, encryption cipher, authentication mechanism
  • Requires a reliable end-to-end protocol, so it runs on top of TCP
  • Several popular open source implementations (www.openssl.org)

  9. TLS: Protocol Architecture
  Authentication, confidentiality and integrity come as a package

  10. Our Approach
  • Leverage TLS to provide a wider menu of services and cryptographic algorithms:
    • Integrity only
    • Integrity + authentication
    • Integrity + authentication + confidentiality
  • Evaluation of the cost of each service for all protocol choices

  11. Why OpenSSL
  • Long development history
  • Good performance
  • Allows immediate support of all cryptographic protocols supported by OpenSSL
  • For example:
    • Hash: MD5, SHA1, SHA256
    • Digital signatures: RSA, DSA, ECC
    • Symmetric encryption: 3DES, Blowfish, RC4, AES

  12. Experimental Evaluation Platform
  • We implemented a new interface based on OpenSSL
  • Platform: Intel(R) Pentium(R) 4 CPU 3.4 GHz GenuineIntel GNU/Linux
  • Two computers in a 1Gbps LAN
  • Evaluate:
    • Throughput
    • Handshake latency
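The service levels of slide 10 and the throughput measurement of slide 12 can be modelled at the record layer. The Go program below is an added example, not code from the Purdue/Double-Take project: it defines a record format that is either MAC-only (integrity only, payload in the clear) or encrypt-then-MAC with AES-CTR and HMAC, binds the record sequence number into the MAC for replay protection, and times protect+unprotect throughput for each level. The `Protector` type, the record layout and the random keys are this example's own (a real TLS handshake would derive the keys); HMAC-SHA1 is used for all levels, RC4 and Blowfish from the slides are omitted (RC4 is broken and Blowfish is outside Go's standard library), and encrypt-then-MAC with a stream mode is used instead of the MAC-then-encrypt CBC construction of TLS 1.0-1.2.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"hash"
	"time"
)

// Protector is one menu entry for one direction of a session: an HMAC over every
// record, plus AES-CTR encryption when Block is set (nil Block = integrity only,
// payload in the clear). Keys are random stand-ins for what a TLS handshake derives.
type Protector struct {
	NewHash func() hash.Hash
	MacKey  []byte
	Block   cipher.Block
}

// tag computes HMAC(seq || body); binding the sequence number gives replay protection.
func (p *Protector) tag(seq uint64, body []byte) []byte {
	m := hmac.New(p.NewHash, p.MacKey)
	m.Write(binary.BigEndian.AppendUint64(nil, seq))
	m.Write(body)
	return m.Sum(nil)
}

// Protect emits plaintext || tag, or iv || AES-CTR(plaintext) || tag (encrypt-then-MAC).
func (p *Protector) Protect(seq uint64, plaintext []byte) ([]byte, error) {
	body := plaintext
	if p.Block != nil {
		bs := p.Block.BlockSize()
		body = make([]byte, bs+len(plaintext))
		if _, err := rand.Read(body[:bs]); err != nil { // fresh IV for every record
			return nil, err
		}
		cipher.NewCTR(p.Block, body[:bs]).XORKeyStream(body[bs:], plaintext)
	}
	return append(append([]byte{}, body...), p.tag(seq, body)...), nil
}

// Unprotect verifies the tag before touching the ciphertext, then decrypts.
func (p *Protector) Unprotect(seq uint64, record []byte) ([]byte, error) {
	macLen := p.NewHash().Size()
	if len(record) < macLen {
		return nil, fmt.Errorf("record too short")
	}
	body, got := record[:len(record)-macLen], record[len(record)-macLen:]
	if !hmac.Equal(got, p.tag(seq, body)) {
		return nil, fmt.Errorf("MAC check failed (modified or replayed record)")
	}
	if p.Block == nil {
		return append([]byte{}, body...), nil
	}
	bs := p.Block.BlockSize()
	if len(body) < bs {
		return nil, fmt.Errorf("missing IV")
	}
	pt := make([]byte, len(body)-bs)
	cipher.NewCTR(p.Block, body[:bs]).XORKeyStream(pt, body[bs:])
	return pt, nil
}

// Throughput runs protect+unprotect over rounds copies of msg and reports MB/s.
func Throughput(p *Protector, msg []byte, rounds int) (float64, error) {
	start := time.Now()
	for i := 0; i < rounds; i++ {
		rec, err := p.Protect(uint64(i), msg)
		if err == nil {
			_, err = p.Unprotect(uint64(i), rec)
		}
		if err != nil {
			return 0, err
		}
	}
	return float64(len(msg)*rounds) / time.Since(start).Seconds() / 1e6, nil
}

func main() {
	key := make([]byte, 64) // MacKey || AES key: random stand-ins for handshake output
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	msg := make([]byte, 16384) // one maximum-size TLS record of constructed data
	for _, aesKey := range [][]byte{nil, key[32:48], key[32:]} { // nil = integrity only
		p := &Protector{NewHash: sha1.New, MacKey: key[:32]}
		if aesKey != nil {
			p.Block, _ = aes.NewCipher(aesKey) // 16 or 32 bytes, so NewCipher cannot fail
		}
		mbps, err := Throughput(p, msg, 2000)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%3d-bit AES key (0 = integrity only) + HMAC-SHA1: %8.1f MB/s\n", len(aesKey)*8, mbps)
	}
}
```

The relative ordering (MAC-only fastest, AES-256 slowest) is what the slides' throughput plots compare; absolute numbers depend on the CPU, which is why the platform slide records the processor. Note that the integrity-only level still rejects a record whose sequence number or payload was changed in transit, so the integrity and replay-protection goals hold without confidentiality.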

  13. Integrity-Only

  14. Confidentiality and Data Integrity: RC4

  15. Confidentiality and Data Integrity: AES128

  16. Confidentiality and Data Integrity: AES256

  17. Confidentiality and Data Integrity: Blowfish

  18. Wide Area Network Experiments
  • Transfer data between hosts at Purdue University and Washington University
  • Purdue University: Intel(R) Pentium(R) 4 CPU 3.4 GHz GenuineIntel GNU/Linux
  • Washington University: Intel(R) Pentium(R) 4 CPU 3.2 GHz GenuineIntel GNU/Linux
  • Attempt to push as much data as possible over the Internet
  • Evaluate:
    • Throughput
    • Handshake latency

  19. Integrity-Only (WAN)

  20. Confidentiality and Data Integrity: RC4 (WAN)

  21. Confidentiality and Data Integrity: AES128 (WAN)

  22. Confidentiality and Data Integrity: AES256 (WAN)

  23. Confidentiality and Data Integrity: Blowfish (WAN)

  24. Handshake Protocol

  25. Handshake Configurations
  • RSA (1024)
    • Key exchange and message signing are done with RSA
  • ECDH-ECDSA (161)
    • Key exchange is done with ECDH
    • Message signing is done with ECDSA
  • ADH (1024)
    • Key exchange is done with DH
    • No message signing is done
  • DH-DSA (1024)
    • Key exchange is done with DH
    • Message signing is done with DSA
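The configurations above differ in what signs the handshake (RSA, ECDSA, DSA, or nothing in the anonymous ADH case) and in how the session key is exchanged, and slides 26 and 27 compare their latency. The Go program below is an added example, not code from the project: it measures handshake latency and application-data throughput for a chosen certificate key type and cipher suite using Go's `crypto/tls` over an in-memory pipe. It assumes a self-signed certificate for the hypothetical host `bench.example`, with RSA-2048 and P-256 standing in for the slides' 1024-bit RSA and 161-bit ECDSA, and ECDHE key exchange in place of the static RSA and DH exchanges; Go's TLS offers no anonymous DH and no DSA, so the ADH and DH-DSA rows have no counterpart here.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const serverName = "bench.example" // hypothetical host name baked into the test certificate

// NewCert returns a self-signed certificate standing in for a deployment's PKI: RSA-2048
// (current libraries reject the slides' 1024-bit size) or ECDSA P-256 (Go has no 161-bit curve).
func NewCert(useECDSA bool) (tls.Certificate, error) {
	var key crypto.Signer
	var err error
	if useECDSA {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	} else {
		key, err = rsa.GenerateKey(rand.Reader, 2048)
	}
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// RunHandshake performs one TLS 1.2 handshake over an in-memory pipe with the given
// certificate and cipher suite, then pushes payload client-to-server. It returns the
// handshake latency, the throughput in MB/s and the negotiated suite name.
func RunHandshake(cert tls.Certificate, suite uint16, payload []byte) (time.Duration, float64, string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	// TLS 1.2 is pinned: TLS 1.3 ignores CipherSuites, and its post-handshake session
	// tickets would deadlock the synchronous pipe while the client is busy writing.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, CipherSuites: []uint16{suite},
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, SessionTicketsDisabled: true}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: serverName, CipherSuites: []uint16{suite},
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
	cRaw, sRaw := net.Pipe()
	received := make(chan int64, 1)
	go func() {
		defer sRaw.Close()
		n, _ := io.Copy(io.Discard, tls.Server(sRaw, srvCfg)) // Read runs the handshake, then drains until close_notify
		received <- n
	}()
	cli := tls.Client(cRaw, cliCfg)
	start := time.Now()
	err := cli.Handshake()
	hs := time.Since(start)
	if err == nil {
		start = time.Now()
		_, err = cli.Write(payload) // tls.Conn splits this into 16 KiB records
	}
	cli.Close() // sends close_notify if the handshake completed, then closes the pipe
	n := <-received
	if err != nil {
		return 0, 0, "", err
	}
	mbps := float64(n) / time.Since(start).Seconds() / 1e6
	return hs, mbps, tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func report(useECDSA bool, suite uint16, payload []byte) {
	cert, err := NewCert(useECDSA)
	if err != nil {
		panic(err)
	}
	hs, mbps, name, err := RunHandshake(cert, suite, payload)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%-42s handshake %v, %.1f MB/s\n", name, hs, mbps)
}

func main() {
	payload := make([]byte, 8<<20) // 8 MiB of constructed application data
	report(false, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, payload)
	report(true, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, payload)
}
```

Over an in-memory pipe the latency is almost entirely signature and key-agreement computation, which is what the LAN plots isolate; the WAN runs add a network round trip for each handshake flight on top of that, so the same configuration is ranked by computation on the LAN and by round trips on the WAN. A suite whose authentication algorithm does not match the certificate's key (an RSA suite with an ECDSA certificate, for instance) fails the handshake rather than silently falling back, which is the behaviour a customized menu has to preserve.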

  26. TLS Handshake

  27. TLS Handshake (WAN)

  28. Summary
  • Security comes at a cost:
    • Complexity
    • Communication cost
    • Computation cost
  • Trade-offs between performance, security goals, and manageability
  • Customized secure protocols
    • Leveraging existing protocols
    • Meet performance and management requirements

  29. We are looking forward to other practical projects where we can contribute our expertise in secure messaging systems (resilient to outsiders and insiders)
  • Replication systems
  • Unicast and multicast routing in wireless networks
  • Group communication systems
  • P2P streaming and multicast overlays
