Securing Information Transmission by Redundancy Jun Li Peter Reiher Gerald Popek Computer Science Department UCLA NISS Conference October 21, 1999
Outline • Interruption threats are hard to counter • Redundant transmission makes interruptions harder • But redundant transmission is not as easy as using redundancy in other areas • Sample uses • Conclusion
Interruption Threats Destination Source An interruption attack occurs Result? No data flows to the destination
Problem • Many kinds of interruption threats • Corrupted routers drop packets • Transmitting over packets on shared media • Congesting links or routers • Conventional approaches won’t help • Encrypted/signed message can still be interrupted • Acknowledgement won’t help either • The acknowledgement itself is subject to interruption • Retransmission means possibly failing again • So?
receiver Using Redundancy To Counter Interruptions • Don’t use a single path • Any point on the single path is a point of failure • Use redundancy to secure transmission • Only parallel redundancy considered here • A node is expected to receive multiple copies of one message • Successful if at least one copy is authentically received • Redundancy has been widely used in other areas • High availability storage • Replicated execution • And many others
How does redundant deliver help? What if a router is corrupted? A Simple Example Source Normal delivery uses a default path The redundant copy gets through despite a bad router Destination
sender receiver But . . . • Redundant transmission is tough • Discovering disjoint paths is difficult • Routing is transparent to applications • Using disjoint paths is difficult • They may not exist at all • Can try to be as disjoint as possible nevertheless • An attacker has to find a choke point or break multiple points • Scale can also cause big problems • And what about costs of sending multiple copies?
Sample Uses of Redundancy • Revere • Secure delivery of security updates • General purpose redundant packet delivery service • Redundancy for every network user?
Revere • Goal: disseminate security updates to large number of machines • Assume a trusted dissemination center • Security updates • Small size but critical information • Examples: • New virus signature • New intrusion detection signature • CRL (certificate revocation lists) • Offending characteristics for a firewall to monitor
Revere Structure • Acks/Nacks inappropriate • Scaling, lack of complete trust, etc. • Use redundancy to send multiple copies to each node • Each node can also forward security updates to others • A node can contact multiple repository nodes for missed updates
General Redundant Packet Delivery Services • How could we add a redundant packet delivery service to the Internet? • What would be the best method of achieving redundancy? • Know a lot about the network? • Or rely on randomness and obscurity? • What are the costs of doing so? • How could it be easily deployable? • Proxy-based solutions?
Conclusion • Conventional security approaches and transmission primitives don’t adequately counter interruption threats • Redundancy is a promising tool • But effective use of redundancy is challenging • Are there other problems that redundancy can solve? • Does redundancy itself lead to new security threats?
Questions • Contact information • Peter Reiher: email@example.com • Jun Li: firstname.lastname@example.org • Gerald Popek: email@example.com