Showing papers on "IPsec published in 1996"

Problem areas for the IP security protocols

Abstract: The Internet Engineering Task Force (IETF) is in the proces of adopting standards for IP-layer encryption and authentication (IPSEC). We describe a number of attacks against various versions of these protocols, including confidentiality failures and authentication failures. The implications of these attacks are troubling for the utility of this entire effort.

On the design of security protocols for mobile communications

Abstract: Use of mobile personal computers in open networked environment is revolutionalising the way we use computers. Mobile networked computing is raising important information security and privacy issues. This paper is concerned with the design of authentication protocols for a mobile computing environment. The paper first analyses the authentication initiator protocols proposed by Beller, Chang and Yacobi (BCY) and the modifications considered by Carlsen and points out some weaknesses. The paper then suggests improvements to these protocols. The paper proposes secure end-to-end protocols between mobile users using both symmetric and public key based systems. These protocols enable mutual authentication and establish a shared secret key between mobile users. Furthermore, these protocols provide a certain degree of anonymity of the communicating users to be achieved vis-a-vis other system users.

Classical versus Transparent IP Proxies

Abstract: Many modern IP security systems (also called "firewalls" in the trade) make use of proxy technology to achieve access control. This document explains "classical" and "transparent" proxy techniques and attempts to provide rules to help determine when each proxy system may be used without causing problems.

Parallelized network security protocols

Abstract: Security and privacy are growing concerns in the Internet community, due to the Internet's rapid growth and the desire to conduct business over it safely. This desire has led to the advent of several proposals for security standards, such as secure IP, secure HTTP, and the Secure Socket Layer. All of these standards propose using cryptographic protocols such as DES and RSA. Thus, the need to use encryption protocols is increasing. Shared-memory multiprocessors make attractive server platforms, for example as secure World-Wide Web servers. These machines are becoming more common, as shown by recent vendor introductions of platforms such as SGI's Challenge, Sun's SPARCCenter, and DEC's AlphaServer. The spread of these machines is due both to their relative ease of programming and their good price/performance. This paper is an experimental performance study that examines how encryption protocol performance can be improved by using parallelism. We show linear speedup for several different Internet-based cryptographic protocol stack running on a symmetric shared-memory multiprocessor using two different approaches to parallelism.

Secure Internet banking with Privacy Enhanced Mail—a protocol for reliable exchange of secured order forms

Abstract: The Protocol for Reliable Exchange of Secured Order Forms is a model for securing today's favourite Internet service for business, the World-Wide Web, and its capability for exchanging order forms. Based on the PEM Internet standards (RFC 1421–1424) the protocol includes integrity of communication contents and authenticity of its origin, which allows for non-repudiation services, as well as confidentiality. It is designed to be transparent to all lower communication layer protocols including HTTP and IP. We call it an end-user oriented and document based security protocol. In the following we describe our security protocol and show how it can be used in order to perform some significant banking applications in the Web. We will compare this protocol with the existing communication security protocols like S-HTTP, SSL, and IPv6. Our prototype implementation BaKo-2 is used in an example session to illustrate the application of our protocol in a “live” person-to-person communication over the Web.

Sleepy Network-Layer Authentication Service for IPSEC

Abstract: Network-layer authentication security services are typically pessimistic and static. A conservative IP security gateway checks/verifies the authentication information for every packet it forwards. This implies that, even there is no bad guy in the network, the authentication check is still performed for every packet. In this paper, we examine a sleepy approach, where the gateways normally do not authenticate or verify the packets unless security attacks are detected. We propose a security protocol, SSGP (Sleepy Security Gateway Protocol), residing on top of the IPSEC (Internet Security Protocol). One important feature of SSGP is the collaboration model between network and application layer security mechanisms.

Certificate Discovery Protocol

Abstract: Use of Public key cryptography is becoming widespread on the Internet in such applications as electronic mail and IP Security (IPSEC). Currently, however, a common public key certificate infrastructure does not exist which is interoperable with other systems and ubiquitous. In light of this, we describe a protocol which may be used to exchange or retrieve certificates (essentially signed public keys) with or from another entity. The protocol may be used to request certificates from a directory/name server or from the entity who owns the certificate. CONTENTS

A Security Architecture for Tenet Scheme 2

Abstract: The bandwith requirements of interactive multimedia applications are exhaustive, causing network congestion to be a major problem. One way to deal with this problem is to use a resource reservation scheme, such as e.g. Tenet Scheme 2. This paper proposes a security architecture for Tenet Scheme 2. The basic ideas are to use Internet layer security protocols, such as the IP Security Protocol (IPSP) and Internet Key Management Protocol (IKMP), to establish authentic communication channels between RCAP daemons, to handle client authentication and authorization locally, and to use a proxy-based mechanism to distribute access rights for target sets and channels. The security architecture uses as its building blocks a collision-resistant one-way hash function and a digital signature system.

Security for integrated IP-ATM/tactical-strategic networks

Abstract: Creation of "seamless" integrated strategic-tactical networks to provide global communication is a high priority for the DOD. The military services are currently expanding their tactical IP data networks into mobile environments, for example through TRI-TAC and MSE-based networks, and beyond via radio network extensions. Simultaneously, ATM networks, providing economical high-bandwidth-on-demand service, are being tested with great success. Military planners are already designing mixed IP and ATM network environments, both tactical and strategic. An urgent requirement, but still under development, is security for these integrated networks. GTE has just completed a proof-of-concept Tactical End-to-end Encryption Device (TEED) under contract from Army CECOM. TEED provides security for integrated tactical-strategic IP data networks. GTE has also completed Release-1 development of the NSA-contracted FASTLANE (KG-75) ATM encryptor. Recently, the Army and NSA formed a partnership to have a joint service tactical encryptor developed that would combine TEED IP security with lower speed FASTLANE-interoperable ATM encryption. The TACLANE (KG-175) will perform simultaneous IP and ATM security as needed by each connection it supports. It will operate full duplex at speeds up to 25 Mbps, while FASTLANE operates at speeds to 622 Mbps. With such devices the DOD will have the seamless security required for its tactical-strategic networks no matter how unpredictable the transition is from today's predominantly IP networks to tomorrow's predominant ATM. Users will be able to select security that meets their needs without fear of becoming trapped in what might have been IP or ATM security "stovepipes". This paper will summarize the capabilities that will be available in FASTLANE and TACLANE (members of NSA's MISSI security product family) and show how they can be used to secure the networks that military planners are considering today.