Author

Russell Housley

Bio: Russell Housley is an academic researcher from Xerox. The author has contributed to research on the topics Message authentication code and CBC-MAC. The author has an h-index of 1 and has co-authored 1 publication receiving 5 citations.

Papers
Book Chapter
Russell Housley
03 Apr 1989
TL;DR: The paper illustrates the way that the key distribution scheme, the confidentiality algorithm, and the integrity algorithm drive the protocol construction of a simple local area network encapsulation security protocol.
Abstract: Construction of a simple local area network encapsulation security protocol is discussed. The paper illustrates the way that the key distribution scheme, the confidentiality algorithm, and the integrity algorithm drive the protocol construction. A Needham/Schroeder based key distribution scheme, DES Cipher Block Chaining, and the Message Authentication Code are used as building blocks for a sample protocol. The sample protocol provides data origin authentication, confidentiality, and integrity.

5 citations


Cited by
Journal Article
TL;DR: This paper presents known Ethernet-related threats and discusses existing solutions from business, hacker, and academic communities, which fall roughly into three categories: accepting Ethernet's insecurity and circling it with firewalls; creating a logical separation between the switches and end hosts; and centralized cryptography-based schemes.
Abstract: Ethernet is the survivor of the LAN wars. It is hard to find an IP packet that has not passed over an Ethernet segment. One important reason for this is Ethernet's simplicity and ease of configuration. However, Ethernet has always been known to be an insecure technology. Recent successful malware attacks and the move towards cloud computing in data centers demand that attention be paid to the security aspects of Ethernet. In this paper, we present known Ethernet related threats and discuss existing solutions from business, hacker, and academic communities. Major issues, like insecurities related to Address Resolution Protocol and to self-configurability, are discussed. The solutions fall roughly into three categories: accepting Ethernet's insecurity and circling it with firewalls; creating a logical separation between the switches and end hosts; and centralized cryptography based schemes. However, none of the above provides the perfect combination of simplicity and security befitting Ethernet.

69 citations

Proceedings Article
20 Sep 1995
TL;DR: This paper presents a new set of efficient protocols that can establish secure communications while protecting passwords from any feasible guessing and replay attacks, and applies to both secure peer-to-peer and multicast communications.
Abstract: To establish secure network communications, a common practice requires that users authenticate one another and establish a temporary session key based on their passwords. Since users often use passwords that are easy to remember, attackers can correctly guess the passwords simply by searching through a relatively small space of "weak" passwords. In this paper, we present a new set of efficient protocols that can establish secure communications while protecting passwords from any feasible guessing and replay attacks. Our protocols avoid the use of timestamps altogether and minimize the use of nonces (random numbers). We examine some common attacks to existing protocols, and show how our protocols can be secure against such attacks. Our protocols apply to both secure peer-to-peer and multicast communications.

30 citations

Proceedings Article
27 Jun 1995
TL;DR: A software-based implementation of a hybrid encryption scheme for Ethernet LAN, which uses a DES-type symmetric key for information exchange between communicating users and a Diffie-Hellman method for key distribution that incorporates an RSA-type public key scheme for securing the exchange of the symmetric key components.
Abstract: A software-based implementation of a hybrid encryption scheme for Ethernet LAN is given. It uses a DES-type symmetric key for information exchange between communicating users. In addition, a Diffie-Hellman method is adopted for key distribution which incorporates an RSA-type public key scheme for securing the exchange of the symmetric key components. To facilitate distribution of public keys and to guarantee authenticity, a separate network entity called security management facility (SMF) is deployed. A brief description of the software components for the proposed hybrid encryption scheme is given, and a Petri net representation of the software operation is provided. In addition, evaluation of the proposed scheme is carried out on a prototype network, and the numerical values for the encryption time and the message transfer time are obtained to illustrate the feasibility of the new scheme.

14 citations

Proceedings Article
24 May 1993
TL;DR: A number of mechanisms are described that can be used in the design of a protocol converter for authentication and key distribution protocols, and the class of authentication systems that were considered is outlined.
Abstract: A number of mechanisms are described that can be used in the design of a protocol converter for authentication and key distribution protocols. First, the scope of the mechanisms is defined. The authors outline the class of authentication systems that were considered during the design of the mechanisms. A first mechanism, based on proxies and a synchronization protocol, allows for a transparent protocol conversion. It is generic, and can be tailored to different specific situations. The second mechanism addresses the problem of the state of the protocol converter. Both mechanisms can be used separately or in combination. When properly combined, they provide for a robust, transparent, and safe protocol converter for authentication and key distribution protocols. Example applications are described in some detail.

8 citations

Journal Article
TL;DR: This work proposed a model of encryption of the data field in the Ethernet frame to create secure Ethernet LANs and provides secure data communication over Ethernet local area networks.
Abstract: Despite many research and development efforts in the field of data communication security, the security of local area networks (LANs) is still not fully resolved. In this work, we proposed a model of encryption of the data field in the Ethernet frame to create secure Ethernet LANs. In this model, the data field in the Ethernet frame is encrypted and sent to the destination. The 1500-byte data field, defined as the standard for the Ethernet frame, is divided into 1497 bytes as the field used for the data. The remaining 2 bytes are defined as Message Body Length (MBL) and 1 byte as Message Number (MN). The message number is used to verify the encrypted data and the MBL is used for the length of the message. The proposed model provides secure data communication over Ethernet local area networks. With this model, safe data communication is provided on the Ethernet LAN. Even if attackers obtain the packet at the time of communication, the encrypted message is difficult to decipher.

1 citation