Showing papers on "IPsec published in 2013"


Proceedings Article
Kai Zhao, Lina Ge
14 Dec 2013
TL;DR: This paper expounds several security issues of IoT that exist in the three-layer system structure, and comes up with solutions to the issues above coupled with key technologies involved.
Abstract: The security issues of the Internet of Things (IoT) are directly related to the wide application of its system. Beginning with introducing the architecture and features of IoT security, this paper expounds several security issues of IoT that exist in the three-layer system structure, and comes up with solutions to the issues above coupled with key technologies involved. Among these safety measures concerned, the ones about perception layer are particularly elaborated, including key management and algorithm, security routing protocol, data fusion technology, as well as authentication and access control, etc.

604 citations


Proceedings Article
19 May 2013
TL;DR: A verified reference implementation of TLS 1.2 is developed, including security specifications for its main components, such as authenticated stream encryption for the record layer and key establishment for the handshake, and typecheck the protocol state machine.
Abstract: TLS is possibly the most used protocol for secure communications, with an 18-year history of flaws and fixes, ranging from its protocol logic to its cryptographic design, and from the Internet standard to its diverse implementations. We develop a verified reference implementation of TLS 1.2. Our code fully supports its wire formats, ciphersuites, sessions and connections, re-handshakes and resumptions, alerts and errors, and data fragmentation, as prescribed in the RFCs; it interoperates with mainstream web browsers and servers. At the same time, our code is carefully structured to enable its modular, automated verification, from its main API down to computational assumptions on its cryptographic algorithms. Our implementation is written in F# and specified in F7. We present security specifications for its main components, such as authenticated stream encryption for the record layer and key establishment for the handshake. We describe their verification using the F7 typechecker. To this end, we equip each cryptographic primitive and construction of TLS with a new typed interface that captures its security properties, and we gradually replace concrete implementations with ideal functionalities. We finally typecheck the protocol state machine, and obtain precise security theorems for TLS, as it is implemented and deployed. We also revisit classic attacks and report a few new ones.

189 citations


Patent
26 Aug 2013
TL;DR: In this paper, a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT), is proposed, based on determining the transformations that occur on a packet and compensating for the transformations.
Abstract: This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.

127 citations


Proceedings Article
17 Apr 2013
TL;DR: This work proposes and compares two security architectures providing secure network access, key management and secure communication based on a new variant of the Host Identity Protocol based on pre-shared keys (PSK), while the second solution is based on the standard Datagram Transport Layer Security (DTLS).
Abstract: The IP-based Internet of Things (IoT) refers to the pervasive interaction of smart devices and people enabling new applications by means of new IP protocols such as 6LoWPAN and CoAP. Security is a must, and for that we need a secure architecture in which all device interactions are protected, from joining an IoT network to the secure management of keying materials. However, this is challenging because existing IP security protocols do not offer all required functionalities and typical Internet solutions do not lead to the best performance. We propose and compare two security architectures providing secure network access, key management and secure communication. The first solution relies on a new variant of the Host Identity Protocol (HIP) based on pre-shared keys (PSK), while the second solution is based on the standard Datagram Transport Layer Security (DTLS). Our evaluation shows that although the HIP solution performs better, the currently limited usage of HIP poses severe limitations. The DTLS architecture allows for easier interaction and interoperability with the Internet, but optimizations are needed due to its performance issues.

87 citations


22 May 2013
TL;DR: This work proposes an architecture supporting low-power end-to-end transport-layer secure communications with mutual authentication using ECC public-key cryptography for Internet-integrated sensing applications, providing full compatibility with current standardization proposals.
Abstract: The Internet of Things (IoT) describes a vision of a future Internet where constrained sensing and actuating devices are part of distributed applications and required to support standard Internet communications with more powerful devices or Internet hosts. This vision will require appropriate end-to-end communications and security mechanisms that are well suited to the constraints and characteristics of sensing devices and applications, while being able to support standard Internet communication mechanisms. With this motivation in mind, we propose an architecture supporting low-power end-to-end transport-layer secure communications with mutual authentication using ECC public-key cryptography for Internet-integrated sensing applications. The proposed architecture promotes the availability of critical resources on constrained sensing platforms and security against Internet-originated threats, while providing full compatibility with current standardization proposals. Those are fundamental enabling factors of most of the sensing applications envisioned for the IoT and, as far as we know, ours is the first architecture implemented and experimentally evaluated with such goals.

74 citations


Proceedings Article
01 Nov 2013
TL;DR: The X.805 security standard is used to analyze the security aspects of the proposed Constrained Application Protocol (CoAP) and highlights the main security drawbacks and hence argues of the need for a new integrated security solution.
Abstract: The concept of Internet of Things involves huge number of constrained devices such as wireless sensors to communicate in a machine-to-machine pattern. Based on the implementation scenario, such communication might take place over a public network such as the Internet, which is based on the TCP/IP stack. However, different research working groups argue that some of these stack protocols such as the Hyper Text Transfer Protocol (HTTP) might not be suitable for constrained devices. Therefore, the IETF Constrained RESTful Environments (CoRE) WG has proposed the Constrained Application Protocol (CoAP); an application layer protocol for constrained devices in the IoTs. The CoRE WG proposed using IPSec or DTLS to secure the CoAP communication at different levels of the protocol stack. However, to investigate the feasibility of such a proposal, we use the X.805 security standard to analyze the security aspects of such implementation. The analysis highlights the main security drawbacks and hence argues of the need for a new integrated security solution.

71 citations


Proceedings Article
01 Oct 2013
TL;DR: This paper identifies several performance and security issues that originate from public-key-based operations on resource-constrained IoT devices, and presents three complementary, lightweight protocol extensions for HIP DEX, a comprehensive session resumption mechanism, a collaborative puzzle-based DoS protection mechanism, and a refined retransmission mechanism.
Abstract: Recent standardization efforts focus on a number of lightweight IP security protocol variants for end-to-end security in the Internet of Things (IoT), most notably DTLS, HIP DEX, and minimal IKEv2. These protocol variants commonly consider public-key-based cryptographic primitives in their protocol design for peer authentication and key agreement. In this paper, we identify several performance and security issues that originate from these public-key-based operations on resource-constrained IoT devices. To illustrate their impact, we additionally quantify these protocol limitations for HIP DEX. Most importantly, we find that public-key-based operations significantly hamper a peer's availability and response time during the protocol handshake. Hence, IP security protocols in the IoT must be tailored to reduce the need for expensive cryptographic operations, to protect resource-constrained peers against DoS attacks targeting these cryptographic operations, and to account for high message processing times. To this end, we present three complementary, lightweight protocol extensions for HIP DEX: i) a comprehensive session resumption mechanism, ii) a collaborative puzzle-based DoS protection mechanism, and iii) a refined retransmission mechanism. Our focus on common protocol functionality allows to generalize our proposed extensions to the wider scope of DTLS and IKE. Finally, our evaluation confirms the considerable achieved improvements at modest trade-offs.

69 citations


Journal Article
TL;DR: The proposed protocol achieves key confidentiality due to security of Shamir's secret sharing and provides key authentication by broadcasting a single authentication message to all members.
Abstract: To achieve secure group communication, one-time session keys need to be shared among group members in a secure and authenticated manner. In this paper, we propose an improved authenticated key transfer protocol based on Shamir's secret sharing. The proposed protocol achieves key confidentiality due to security of Shamir's secret sharing and provides key authentication by broadcasting a single authentication message to all members. Furthermore, the proposed scheme resists against both insider and outsider attacks.

45 citations


Proceedings Article
04 Nov 2013
TL;DR: This work introduces PCTCP, a novel anonymous communication transport design for overlay networks that addresses the shortcomings of the previous proposals and ascertained that significant performance benefits can be obtained using the approach for web clients, while maintaining the same level of anonymity provided by the network today.
Abstract: Recently, there have been several research efforts to design a transport layer that meets the security requirements of anonymous communications while maximizing the network performance experienced by users. In this work, we argue that existing proposals suffer from several performance and deployment issues and we introduce PCTCP, a novel anonymous communication transport design for overlay networks that addresses the shortcomings of the previous proposals. In PCTCP, every overlay path, or circuit, is assigned a separate kernel-level TCP connection that is protected by IPsec, the standard security layer for IP. To evaluate our work, we focus on the Tor network, the most popular low-latency anonymity network, which is notorious for its performance problems that can potentially deter its wider adoption and thereby impact its anonymity. Previous research showed that the current transport layer design of Tor, in which several circuits are multiplexed in a single TCP connection between any pair of routers, is a key contributor to Tor's performance issues. We implemented, experimentally evaluated, and confirmed the potential gains provided by PCTCP in an isolated testbed and on the live Tor network. We ascertained that significant performance benefits can be obtained using our approach for web clients, while maintaining the same level of anonymity provided by the network today. Our realistic large-scale experimental evaluation of PCTCP shows improvements of more than 60% for response times and approximately 30% for download times compared to Tor. Finally, PCTCP only requires minimal changes to Tor and is easily deployable, as it does not require all routers on a circuit to upgrade.

44 citations


Journal Article
TL;DR: The experimental evaluation of the different solutions shows that the resource-constrained devices in the IoT can be secured with IPsec, DTLS, and 802.15.4 security; can be efficiently protected against intrusions; and the proposed combined secure storage and communication mechanisms can significantly reduce the security-related operations and energy consumption.
Abstract: The future Internet will be an IPv6 network interconnecting traditional computers and a large number of smart objects or networks such as Wireless Sensor Networks (WSNs). This Internet of Things (IoT) will be the foundation of many services and our daily life will depend on its availability and reliable operations. Therefore, among many other issues, the challenge of implementing secure communication in the IoT must be addressed. The traditional Internet has established and tested ways of securing networks. The IoT is a hybrid network of the Internet and resource-constrained networks, and it is therefore reasonable to explore the options of using security mechanisms standardized for the Internet in the IoT. The IoT requires multi-faceted security solutions where the communication is secured with confidentiality, integrity, and authentication services; the network is protected against intrusions and disruptions; and the data inside a sensor node is stored in an encrypted form. Using standardized mechanisms, communication in the IoT can be secured at different layers: at the link layer with IEEE 802.15.4 security, at the network layer with IP security (IPsec), and at the transport layer with Datagram Transport Layer Security (DTLS). Even when the IoT is secured with encryption and authentication, sensor nodes are exposed to wireless attacks both from inside the WSN and from the Internet. Hence an Intrusion Detection System (IDS) and firewalls are needed. Since the nodes inside WSNs can be captured and cloned, protection of stored data is also important. This thesis has three main contributions. (i) It enables secure communication in the IoT using lightweight compressed yet standard compliant IPsec, DTLS, and IEEE 802.15.4 link layer security; and it discusses the pros and cons of each of these solutions. The proposed security solutions are implemented and evaluated in an IoT setup on real hardware. (ii) This thesis also presents the design, implementation, and evaluation of a novel IDS for the IoT. (iii) Last but not least, it also provides mechanisms to protect data inside constrained nodes. The experimental evaluation of the different solutions shows that the resource-constrained devices in the IoT can be secured with IPsec, DTLS, and 802.15.4 security; can be efficiently protected against intrusions; and the proposed combined secure storage and communication mechanisms can significantly reduce the security-related operations and energy consumption.

40 citations


Journal Article
TL;DR: The Internet of Things is currently the most popular field of communication and information research directions, and how to ensure the transmission efficiency of business information under the premise of improving networking applications data security to protect the user's privacy data will be particularly important.
Abstract: The Internet of Things is currently the most popular field of communication and information research directions. Their application in the amount of information involved, are extremely large amount of data. How to ensure the transmission efficiency of business information under the premise of improving networking applications data security to protect the user's privacy data will be particularly important. Paper uses a custom data packet encapsulation mechanism, reducing the overhead of data resources; another based on their cross-platform communication features, combined with secure encryption and decryption, signature and authentication algorithm, the establishment of a secure communication system of things model for the differentiation of things communications environment, providing a standard packet structure, namely smart business security IOT application Protocol intelligent Service Security Application Protocol (ISSAP).

Proceedings Article
01 Nov 2013
TL;DR: The benefits of OFHIP compared to present use of SSL in enabling mobility, reducing the connection latency and improving the resilience to known TCP-level attacks are demonstrated.
Abstract: Software Defined Networking (SDN) and its one possible realization, OpenFlow, define the trends of future networks. However, the present OpenFlow architecture does not allow the switches to be mobile, e.g., in a moving train, as it would disrupt flow processing from network switches. We present OFHIP, an architecture that enables OpenFlow switches to change their IP addresses securely during mobility. OFHIP employs IPSec encapsulated security payload (ESP) in transport mode for protection against DoS, data origin authenticity, connectionless integrity, anti-replay protection, and limited traffic flow confidentiality. We demonstrate the benefits of OFHIP compared to present use of SSL in enabling mobility, reducing the connection latency and improving the resilience to known TCP-level attacks.

Patent
23 Apr 2013
TL;DR: In this article, the authors describe the system, methods and apparatuses of establishing an IPsec (Internet Protocol Security) VPN (Virtual Private Network) tunnel, which includes a user configuration, determining an internal interface of the wireless mesh network access node based on the type of traffic, dynamically determining a local endpoint address for the IPsec VPN tunnel based on a selected internal interface.
Abstract: Systems, methods and apparatuses of establishing an IPsec (Internet Protocol Security) VPN (Virtual Private Network) tunnel are disclosed. One method includes receiving, by a wireless mesh network access point, a user configuration, wherein the user configuration includes a type of traffic, determining an internal interface of the wireless mesh network access node based on the type of traffic, dynamically determining a local endpoint address for the IPsec VPN tunnel based on the selected internal interface, and establishing the IPsec VPN tunnel through the selected internal interface of the wireless mesh network access node.

Journal Article
TL;DR: This manuscript will present a complete EAP method that utilizes stored secrets and passwords to verify users so that it can fully meet the requirements of RFC 4017, provide for lightweight computation, and allow for forward secrecy.
Abstract: It is necessary to authenticate users who attempt to access resources in Wireless Local Area Networks (WLANs). Extensible Authentication Protocol (EAP) is an authentication framework widely used in WLANs. Authentication mechanisms built on EAP are called EAP methods. The requirements for EAP methods in WLAN authentication have been defined in RFC 4017. To achieve user efficiency and robust security, lightweight computation and forward secrecy, excluded in RFC 4017, are desired in WLAN authentication. However, all EAP methods and authentication protocols designed for WLANs so far do not satisfy all of the above properties. This manuscript will present a complete EAP method that utilizes stored secrets and passwords to verify users so that it can 1) fully meet the requirements of RFC 4017, 2) provide for lightweight computation, and 3) allow for forward secrecy. In addition, we also demonstrate the security of our proposed EAP method with formal proofs.

Proceedings Article
21 Nov 2013
TL;DR: A performance comparison between two of the most widely used security protocols: IPSec and DTLS is presented and the analysis of their impact on the resources of embedded devices is provided.
Abstract: Wireless Sensor Networks are destined to play a fundamental role in the next-generation Internet, which will be characterized by the Machine-to-Machine paradigm, according to which, embedded devices will actively exchange information, thus enabling the development of innovative applications. It will contribute to assert the concept of Internet of Things, where end-to-end security represents a key issue. In such context, it is very important to understand which protocols are able to provide the right level of security without burdening the limited resources of constrained networks. This paper presents a performance comparison between two of the most widely used security protocols: IPSec and DTLS. We provide the analysis of their impact on the resources of embedded devices. For this purpose, we have modified existing implementations of both protocols to make them properly run on our hardware platforms, and we have performed an extensive experimental evaluation study. The achieved results are not a consequence of a classical simulation campaign, but they have been obtained in a real scenario that uses software and hardware typical of the current technological developments. Therefore, they can help network designers to identify the most appropriate secure mechanism for end-to-end IP communications involving constrained devices.

Patent
01 May 2013
TL;DR: In this paper, the authors propose to use a VPN tunnel with the gateway, wherein the VPN tunnel is not used by other apps running on the device. But, the authors do not use the device-level or system VPN to connect with the VPN gateway.
Abstract: An Internet-enabled device, such as a smartphone, tablet, PC, wearable sensor, or household appliance, executes an application (or “app”) that has its own VPN connection with a VPN gateway device. The app does not use the device-level or system VPN to connect with the gateway. The app, which may be security wrapped, is made more secure by having its own VPN tunnel with the gateway, wherein the VPN tunnel is not used by other apps running on the device. The conventional (or device-level) VPN connection is not used by the app(s). The app has its own IP stack, an HTTP proxy layer, an IPsec module, and a virtual data link layer which it uses to build IP packets, encapsulate them, and transmit them to a transport module in the device operating system, for example, a UDP module.

Patent
Uri Elzur
08 Apr 2013
TL;DR: In this article, a node in a network may be authenticated as a trusted third party and that trusted third party may be enabled to acquire security information shared between or among a plurality of network entities.
Abstract: Aspects of a method and system for traffic engineering in an IPSec secured network are provided. In this regard, a node in a network may be authenticated as a trusted third party and that trusted third party may be enabled to acquire security information shared between or among a plurality of network entities. In this manner, the trusted third party may parse, access and operate on IPSec encrypted traffic communicated between or among the plurality of network entities. Shared security information may comprise one or more session keys utilized for encrypting and/or decrypting the IPSec secured traffic. The node may parse IPSec traffic and identify a flow associated with the IPsec traffic. In this manner, the node may generate and/or communicate statistics pertaining to said IPSec secured traffic based on the flow with which the traffic is associated.

Proceedings Article
04 Sep 2013
TL;DR: An identity authentication scheme based on elliptic curve algorithm for public and private key pair is proposed in order to meet the security requirements of the Internet of Things in heterogeneous networking environments and proves to be both safe and effective.
Abstract: Considering the differences between the Internet and the Internet of Things in security problems, we propose an identity authentication scheme based on elliptic curve algorithm for public and private key pair in order to meet the security requirements of the Internet of Things in heterogeneous networking environments. After being simulated with OPNET, the plan proves to be both safe and effective.

Proceedings Article
24 Jun 2013
TL;DR: This paper presents a framework that allows us to combine secure storage and secure communication in the IP-based IoT, and shows how data can be stored securely such that it can be delivered securely upon request without further cryptographic processing.
Abstract: The future Internet of Things (IoT) may be based on the existing and established Internet Protocol (IP). Many IoT application scenarios will handle sensitive data. However, as security requirements for storage and communication are addressed separately, work such as key management or cryptographic processing is duplicated. In this paper we present a framework that allows us to combine secure storage and secure communication in the IP-based IoT. We show how data can be stored securely such that it can be delivered securely upon request without further cryptographic processing. Our prototype implementation shows that combined secure storage and communication can reduce the security-related processing on nodes by up to 71% and energy consumption by up to 32.1%.

Posted Content
TL;DR: In this article, the authors present off-path TCP injection and DNS poisoning attacks, enabling attackers to circumvent existing challenge-response defenses, such as the same origin policy, and allow a wide range of exploits, e.g., long-term caching of malicious objects and scripts.
Abstract: Everyone is concerned about the Internet security, yet most traffic is not cryptographically protected. The usual justification is that most attackers are only off-path and cannot intercept traffic; hence, challenge-response mechanisms suffice to ensure authenticity. Usually, the challenges re-use existing `unpredictable' header fields to protect widely-deployed protocols such as TCP and DNS. We argue that this practice may often only give an illusion of security. We present recent off-path TCP injection and DNS poisoning attacks, enabling attackers to circumvent existing challenge-response defenses. Both TCP and DNS attacks are non-trivial, yet very efficient and practical. The attacks foil widely deployed security mechanisms, such as the Same Origin Policy, and allow a wide range of exploits, e.g., long-term caching of malicious objects and scripts. We hope that this article will motivate adoption of cryptographic mechanisms such as SSL/TLS, IPsec and DNSSEC, and of correct, secure challenge-response mechanisms.

Journal Article
TL;DR: This paper improves the performance of Tree-based protocol with the property of Toeplitz matrix and finds that the Tree-LSHB+ protocol is still a good choice for RFID authentication.
Abstract: In this paper, we propose an enhancement of the Tree-based authentication protocol, named as the Tree-LSHB+ protocol. The protocol is a lightweight authentication protocol that is suitable for use in radio frequency identification (RFID) systems. Compared with the Tree-based HB authentication protocol, our protocol provides mutual authentication in authentication stage. The authentication keys stored in the reader and the tag are also updated when the mutual authentication succeeds. It means that two drawbacks can be avoided in the Tree-based authentication protocol, one is that only the reader authenticates the tag and the other is that the secret keys stored in the tags remain unchanged all the time. We also improve the performance of Tree-based protocol with the property of Toeplitz matrix and find that the Tree-LSHB+ protocol is still a good choice for RFID authentication.

Journal Article
TL;DR: A new union authentication protocol of cross-domain that can ensure the security of resource access in different domains, where the register keys of members in one domain are submitted to the key authentication center, rather than the private keys.
Abstract: With the development of network service technology such as grid computing, cloud computing, the cooperation among multiple domains is needed for these intelligent services that have the unlimited space and the unlimited speed. This paper proposes a new union authentication protocol of cross-domain that can ensure the security of resource access in different domains, where the register keys of members in one domain are submitted to the key authentication center, rather than the private keys. This authentication protocol can avoid the shortcoming that it is complex to deliver certification in the traditional cross-domain authentication based on PKI and prevent the authority counter from pretending to be a member to access resources in other domains in the current identity-based authentication. The performance analysis shows that the proposed authentication protocol has good anonymity and can track the entities when there are the inconsistent cases. At last, a prototype system that can implement the authentication protocol is given.

Journal Article
TL;DR: The main contribution is the proof that these special pseudo-Mersenne primes, which are denominated ‘shifting primes’ can be used for ECC primitives with 160-bit keys in a highly optimal way.

Journal Article
TL;DR: Experimental results show that the WiSDC can effectively protect transmitted messages for wireless environments and analytical results indicate that the WiSDC has higher security level and execution efficiency than those of the SSL and IPsec.

Patent
05 Jun 2013
TL;DR: In this article, an Internet protocol security (IPSEC) tunnel data transmission method and an IP-layer data transmission device are presented. But the authors focus on the communication field data transmission.
Abstract: The invention relates to the communication field data transmission, in particular to an Internet protocol security (IPSEC) tunnel data transmission method and an IPSEC tunnel data transmission device. The invention provides the IPSEC tunnel data transmission method and the IPSEC tunnel data transmission device. Due to the fact that IP messages of the same kind are combined and compressed through a coprocessor and the like, an IPSEC tunnel model data are packaged to send by an outer network card. Due to the fact that after fragmentation IP message data are rebuilt, the coprocessor is uncompressed and the like, the rebuilt IP message data are divided into each different original IP message and sent through an inner network card, and a data transmission performance of an IPSEC tunnel can be largely improved. Data processing is carried out through the networks, a network data receiver and a network data sending device. The IPSEC tunnel data transmission method and the IPSEC tunnel data transmission device are mainly used in the field of the IPSEC tunnel data transmission.

Patent
28 Mar 2013
TL;DR: In this article, the first plurality of sub-flows are transmitted using a first Internet Protocol Security (IPsec) security association (SA) cluster comprising a plurality of parallel sub-SAs.
Abstract: A network element (NE) comprising a memory device configured to store instructions, and a processor configured to execute the instructions by dividing a first plurality of data packets of a data flow into a first plurality of sub-flows, and causing the first plurality of sub-flows to be transmitted to a second NE via a network, wherein the first plurality of sub-flows are transmitted using a first Internet Protocol Security (IPsec) security association (SA) cluster comprising a plurality of parallel sub-SAs. The disclosure also includes a NE comprising a processor configured to create an IPsec SA cluster comprising a first plurality of sub-SAs between the NE and a second NE using an internet key exchange (IKE) or an IKEv2, wherein the first sub-SAs are unidirectional, and wherein the first sub-SAs are configured to transport a first plurality of data packets in a common direction.

Patent
12 Jul 2013
TL;DR: In this paper, the authors present a method that enables control of data packet traffic belonging to different access technologies to be sent with the same Quality of Service class over an aggregated encrypted Internet Security tunnel, IPsec tunnel.
Abstract: The present invention relates to embodiments of nodes and methods in a node in a data telecommunication network. The method and embodiments thereof enable control of data packet traffic belonging to different access technologies to be sent with the same Quality of Service class over an aggregated encrypted Internet Security tunnel, IPsec tunnel. The received data packets are encrypted and encapsulated as payload in an IP data packet to be sent over an aggregated encrypted IPsec tunnel, the header of which is marked with an access technology index comprising a code for the identified access technology of the one or more received data packets encrypted and encapsulated as payload in the IPsec tunnel and a hash identifier code enabling enhanced scheduling and routing.

Patent
16 Jan 2013
TL;DR: In this article, a data message processing method, system and equipment that can improve IPSEC (Internet Protocol Security) communication efficiency are described. But the authors do not reveal the details of the system and the equipment.
Abstract: The embodiment of the invention discloses a data message processing method, system and equipment, which can improve the IPSEC (Internet Protocol Security) communication efficiency. The data message processing method comprises the following steps: an encrypted stream table is looked up according to information of a data message, and the data message is encrypted according to the encrypted stream table so as to obtain an encrypted data message, wherein the encrypted stream table contains encrypted information; a forwarding stream table is looked up according to the information of the data message; the encrypted data message is forwarded through an output interface configured with IPSEC strategies for IP (Internet Protocol) security according to the forwarding stream table; and the forwarding stream table contains forwarding information. The encrypted data message is received through the interface configured with the IPSEC strategies for IP security; and in addition, a decryption stream table is looked up according to the information of the encrypted data message, and the encrypted data message is decrypted according to the decryption stream table, wherein the decryption stream table contains decryption information.

Proceedings Article
03 Nov 2013
TL;DR: A compression format for IPsec, able to offer end-to-end security, that utilises AES-CCM* (CCM-Star), a variant of AES in Counter with CBC-MAC mode (AES-CCM), while considering the restrictions of the underlying IEEE 802.15.4 protocol.
Abstract: The wide deployment of low-power and lossy networks (LLNs) connected to the Internet has raised many security concerns regarding the protection of data they handle and communicate. Such networks now face all sorts of security threats identified in traditional networks. However, solutions found in traditional networks cannot directly be adopted by LLNs, due to the inherent limited capabilities of the embedded systems that comprise them. This paper focuses on the security provided to LLN nodes using 6LoWPAN adaptation format, one of the predominant solutions adopted for communicating data over IEEE 802.15.4 networks. It proposes a compression format for IPsec, able to offer end-to-end security, that utilises AES-CCM* (CCM-Star), a variant of AES in Counter with CBC-MAC mode (AES-CCM), while considering the restrictions of the underlying IEEE 802.15.4 protocol. Compared to similar approaches, the proposed scheme features low packet overhead for providing both message authentication, integrity and confidentiality, while adhering to the latest standards.

Proceedings Article
24 Oct 2013
TL;DR: This paper presents a secure mutual authentication protocol for RFID systems that is based on symmetric key technique with an efficient key updating mechanism to improve the system security against replay, eavesdropping and man-in-the-middle attacks while maintaining lower computation, communication and storage.
Abstract: RFID systems are being used in various pervasive applications. Therefore, security and privacy protection is an important issue that needs to be addressed. In this paper, we present a secure mutual authentication protocol for RFID systems that is based on symmetric key technique with an efficient key updating mechanism. The objective is to improve the system security against replay, eavesdropping and man-in-the-middle attacks while maintaining lower computation, communication and storage. We also compare our authentication method with some recent protocols that deploy the same cipher (XTEA) by implementing the protocols on the same RF based system. Our proposed authentication protocol provides higher security level and lower computation and communication costs.