1 / 18

Mohammed Alali | CS 69995 – Dr. Rothstein

Integrating Network Cryptography into the Operating System by Anthony Gabrielson Haim Levkowitz. Summer 2013. Mohammed Alali | CS 69995 – Dr. Rothstein. Content. Introduction Problems with the current implementation Third part libraries Proposed solution

sage
Download Presentation

Mohammed Alali | CS 69995 – Dr. Rothstein

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Integrating Network Cryptography into the Operating Systemby Anthony GabrielsonHaimLevkowitz Summer 2013 Mohammed Alali | CS 69995 – Dr. Rothstein

  2. Content • Introduction • Problems with the current implementation • Third part libraries • Proposed solution • Operating system integration • Network layer exploitation • TCP/UDP enhancement • More details. • Advantages • Disadvantages • Conclusion

  3. Introduction • Cryptography is essential in today’s network communications. • Most of OS’s today are “natively” lacking (development wise). • Currently deployed cryptography implementations are often not secure. • General-purpose network cryptography library is needed.

  4. The current approach • Third-party libraries: • SSL • Kerberos • PGP • Many others.

  5. The current approach: problems • Inflexibility: • Non-intuitive. • Difficult to use (Steep learning curve.) • Diverse implementation • Compatibility: • Servers and clients have to match • Security: • Many security flaws • Design flaws: “4 a.m. design decisions.”

  6. The current approach: problems • As a result, developers tend to • Incorrectly implement them, or • Avoid them. “In either case, security is compromised.”

  7. Proposed solution • The authors introduce and define: A new general-purpose network cryptography library that integrates directly with the Operating System. • They argue that the best place for cryptography to be implemented is at the Operating System level rather than the current application-layer approach.

  8. Proposed solution: OS Integration I • Currently developers must directly link their application to a cryptography library to enable secure communication.

  9. Proposed solution: OS Integration II • The proposed solution is the general-purpose network cryptography that integrates with the OS’s kernel .

  10. Proposed solution: Network stack exploitation I • Both transport and internet layers are utilized. • From the Internet Layer: • Host info found in IP header is utilized to lookup cryptography keys. • From host info, only “Destination Address”is need. • No changes needed toInternet Layer. TCP/UDP Port Info IP Host Info

  11. Proposed solution: Network stack exploitation II • From the Transport Layer: • Port info found in TCP header is utilized to lookup cryptography keys. • From Port info, only “Destination Port”is need. • So both “Destination Address + Destination Port” are needed for cryptography keys lookup. • Transport layer needs to be changed to natively support cryptography.

  12. Proposed solution: TCP/UDP Enhancements I • Transport Layer (TCP/UDP) needs to be evolved: • Appending cryptography in the TCP header. The new fields to be added (Taken from PGP header) :

  13. Proposed solution: TCP/UDP Enhancements II • TCP will also require an additional modification to streamline the key transfer process. • The three-way handshake TCP uses can be enhanced to also transmit cryptography primitives. Originator Destination

  14. Proposed solution: More details • The system described in this paper works with the Encryption Key System (EKS). • This system creates a chain of trust with a priori knowledge that is used to securely lookup keys. • The system leverages two distinct IDs to enable more security (DNS and EKS lookup). • This system also leverages a novel technique they called: “port-based sandboxing.” • enables the use of separate key pairs for individual services and users.

  15. Advantages • Shifts community focus. • More security • More flexibility. • Offers smaller number of implementationswhich means fewer potential issues. • Easier for developers to use w/ existing socket API • Port-aware library supporting existing protocols. • Always up-to-date – same way w/ network sockets. • Available out of the box.

  16. Disadvantages • Each host on the network requires a priori information, i.e., the EKS servers IP address and public key. • How to securely transfer the server’s public key? • Certain types of protocols, like components of email, will need to be updated. • Some applications would require small changes while other would require larger changes.

  17. Conclusion • A general-purpose cryptography library has been proposed. • It is the only way to resolve the security and flexibility problems currently being experienced on the Internet. • It provides a unified library that is easier to adopt by developers. • It complements the existing transmission protocols; it does not replace them.

  18. Thank you

More Related