1 / 12

Security Mechanisms and Key Refresh for P2PSIP Overlays

draft-birkos-p2psip-security-key-refresh-00 Konstantinos Birkos University of Patras, Greece kmpirkos@ece.upatras.gr IETF 77, Anaheim, USA. Security Mechanisms and Key Refresh for P2PSIP Overlays. Outline. Security Challenges in P2PSIP Overlays Message Encryption Key Refresh Mechanism

Download Presentation

Security Mechanisms and Key Refresh for P2PSIP Overlays

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. draft-birkos-p2psip-security-key-refresh-00 Konstantinos Birkos University of Patras, Greece kmpirkos@ece.upatras.gr IETF 77, Anaheim, USA Security Mechanisms and Key Refresh for P2PSIP Overlays

  2. Outline • Security Challenges in P2PSIP Overlays • Message Encryption • Key Refresh Mechanism • Key Refresh supervised by super peers • Key Refresh handled by peers • Future directions

  3. Security Challenges in P2PSIP Overlays • Protect the structure of the overlay • Attacks can lead in partitioned/partially connected overlays • Protect overlay routing • Attackers can drop, delay or forward the requests to wrong destinations • Protect stored items in the DHT • Unauthorized access to resources can be used to reduce availability • Protect SIP signalling • Attackers can eavesdrop on the exchanged messages or alter their content

  4. Message Encryption • Certain RELOAD messages carry crucial information that could be exploited by attackers that could target at the structure of the P2PSIP overlay • A general principle: Peers should not by any means be able to obtain global knowledge of the logical topology-at least during the period they are members of the overlay

  5. Message Encryption (2)‏ • General Encryption Rules Define what security credentials should be used for the encryption of the bodies of certain message types

  6. Key Refresh Mechanism • Delivers fresh keying material to the participating peers • Serves two distinct purposes • Limits the vulnerability period in case an attacker retrieves a peer's private key • Limits the amount of time available for cryptanalysis • Peers periodically produce new PPK pairs and new certificates are created and signed in order to bind peers' new public keys with their identity

  7. Key Refresh Mechanism (2)‏ • Key Refresh supervised by Super Peers • Two levels of hierarchy Peers < Super Peers • Super peers are higher-level trusted peers that initiate the refresh process and sign certificates • A super peer periodically checks the certificates of the peers in its jurisdiction and sends a RefreshReq message to the owner of the certificate which is about to expire • The refreshed peer (RP) generates a new PPK pair and sends the new pair to the super peer via a RefreshAns message • The super peer signs the certificate, stores a copy of it in the DHT and sends another copy to RP • RP informs its neighbors about the refreshed credentials

  8. Key Refresh Mechanism (3)‏ • MSC of the refresh process supervised by super peers

  9. Key Refresh Mechanism (4)‏ • Key Refresh handled by peers • The new certificates are signed by the peers • Before RP's certificate is about to expire, RP • Generates a new PPK pair • Generates a certificate that binds its new public key to its ID and signs the certificate with its old private key • Stores the certificate in the DHT • Sends the certificate to its neighbors

  10. Key Refresh Mechanism (5)‏ • MSC of the refresh process handled by peers

  11. Future Directions • Establishment of secure TLS connections between peers with different keys than the shared secret key • IDS suitable for P2PSIP overlays

  12. University of Patras & TEI of Mesolonghi, Greece People: Konstantinos Birkos kmpirkos@ece.upatras.gr Christos Papageorgiou xpapageo@ceid.upatras.gr Panagiotis Galiotos pgaliot@upatras.gr Tasos Dagiuklas ntan@teimes.gr Christos Tselios tselios@ece.upatras.gr Stavros Kotsopoulos kotsop@ece.upatras.gr Thank You!

More Related