Showing papers on "IPsec published in 2016"

A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks

Abstract: Wireless sensor networks can be deployed in any attended or unattended environments like environmental monitoring, agriculture, military, health care etc., where the sensor nodes forward the sensing data to the gateway node. As the sensor node has very limited battery power and cannot be recharged after deployment, it is very important to design a secure, effective and light weight user authentication and key agreement protocol for accessing the sensed data through the gateway node over insecure networks. Most recently, Turkanovic et?al. proposed a light weight user authentication and key agreement protocol for accessing the services of the WSNs environment and claimed that the same protocol is efficient in terms of security and complexities than related existing protocols. In this paper, we have demonstrated several security weaknesses of the Turkanovic et?al. protocol. Additionally, we have also illustrated that the authentication phase of the Turkanovic et?al. is not efficient in terms of security parameters. In order to fix the above mentioned security pitfalls, we have primarily designed a novel architecture for the WSNs environment and basing upon which a proposed scheme has been presented for user authentication and key agreement scheme. The security validation of the proposed protocol has done by using BAN logic, which ensures that the protocol achieves mutual authentication and session key agreement property securely between the entities involved. Moreover, the proposed scheme has simulated using well popular AVISPA security tool, whose simulation results show that the protocol is SAFE under OFMC and CL-AtSe models. Besides, several security issues informally confirm that the proposed protocol is well protected in terms of relevant security attacks including the above mentioned security pitfalls. The proposed protocol not only resists the above mentioned security weaknesses, but also achieves complete security requirements including specially energy efficiency, user anonymity, mutual authentication and user-friendly password change phase. Performance comparison section ensures that the protocol is relatively efficient in terms of complexities. The security and performance analysis makes the system so efficient that the proposed protocol can be implemented in real-life application.

Identity-based authentication scheme for the Internet of Things

Abstract: Security and privacy are among the most pressing concerns that have evolved with the Internet. As networks expanded and became more open, security practices shifted to ensure protection of the ever growing Internet, its users, and data. Today, the Internet of Things (IoT) is emerging as a new type of network that connects everything to everyone, everywhere. Consequently, the margin of tolerance for security and privacy becomes narrower because a breach may lead to large-scale irreversible damage. One feature that helps alleviate the security concerns is authentication. While different authentication schemes are used in vertical network silos, a common identity and authentication scheme is needed to address the heterogeneity in IoT and to integrate the different protocols present in IoT. We propose in this paper an identity-based authentication scheme for heterogeneous IoT. The correctness of the proposed scheme is tested with the AVISPA tool and results showed that our scheme is immune to masquerade, man-in-the-middle, and replay attacks.

A Secure Anonymous Authentication Protocol for Mobile Services on Elliptic Curve Cryptography

Abstract: Mobile user authentication is an essential topic to consider in the current communications technology due to greater deployment of handheld devices and advanced technologies. Memon et al. recently proposed an efficient and secure two-factor authentication protocol for location-based services using asymmetric key cryptography. Unlike their claims, the vigilant analysis of this paper substantiates that Memon et al. ’s protocol has quite a few limitations such as vulnerability to key compromised impersonation attack, insecure password changing phase, imperfect mutual authentication, and vulnerability to insider attack. Furthermore, this paper proposes an enhanced secure authentication protocol for roaming services on elliptic curve cryptography. The proposed protocol is also a two-factor authentication protocol and is suitable for practical applications due to the composition of light-weight operations. The proposed protocol’s formal security is verified using Automated Validation of Internet Security Protocols and Applications tool to certify that the proposed protocol is free from security threats. The informal and formal security analyses along with the performance analysis sections determine that the proposed protocol performs better than Memon et al. ’s protocol and other related protocols in terms of security and efficiency.

A Mutual Authentication and Key Establishment Scheme for M2M Communication in 6LoWPAN Networks

Abstract: The machine-to-machine (M2M) communication, which plays a vital role in the Internet of Things (IoT), allows wireless and wired systems to monitor environments and exchange the information among various machines automatically without human interventions. In order to promote the development of the IoT and exploit the M2M applications, the Internet Engineering Task Force (IETF) has been developing a standard named Internet Protocol version 6 (IPv6) over low-power wireless personal area networks (6LoWPAN) to enable IP-based M2M devices to connect to the open Internet. Although the 6LoWPAN standard has specified the important issues in the M2M communications, various security issues have not been addressed. In this paper, an enhanced mutual authentication and key establishment scheme is designed for the M2M communications in 6LoWPAN networks. The proposed scheme enables a 6LoWPAN device to securely authenticate with the remote server with a session key established between them. The security proof by the protocol composition logic can prove the logic correctness of the proposed scheme. The formal verification and the simulation show that the proposed scheme in 6LoWPAN could not only enhance the security functionality with the ability to prevent various malicious attacks, but also incur less computational and transmission overhead.

Policy-based configuration of internet protocol security for a virtual private network

Abstract: A method for performing policy-based configuration of Internet Protocol Security (IPSec) for a Virtual Private Network (VPN) is provided. According to one embodiment, a network device displays a policy page via a user interface of the network device through which a policy, including multiple VPN settings for establishing the VPN connection, is viewed and configured, the VPN settings including a type of IPSec tunnel to be established between the network device and a peer network device. The network device receives via the user interface, a selection regarding the type of IPSec tunnel to be used for the VPN connection. The network device sends a notification request, including parameter values associated with the VPN settings, to the peer network device.

An Enhanced Biometric Based Authentication with Key-Agreement Protocol for Multi-Server Architecture Based on Elliptic Curve Cryptography.

Abstract: Biometric based authentication protocols for multi-server architectures have gained momentum in recent times due to advancements in wireless technologies and associated constraints. Lu et al. recently proposed a robust biometric based authentication with key agreement protocol for a multi-server environment using smart cards. They claimed that their protocol is efficient and resistant to prominent security attacks. The careful investigation of this paper proves that Lu et al.’s protocol does not provide user anonymity, perfect forward secrecy and is susceptible to server and user impersonation attacks, man-in-middle attacks and clock synchronization problems. In addition, this paper proposes an enhanced biometric based authentication with key-agreement protocol for multi-server architecture based on elliptic curve cryptography using smartcards. We proved that the proposed protocol achieves mutual authentication using Burrows-Abadi-Needham (BAN) logic. The formal security of the proposed protocol is verified using the AVISPA (Automated Validation of Internet Security Protocols and Applications) tool to show that our protocol can withstand active and passive attacks. The formal and informal security analyses and performance analysis demonstrates that the proposed protocol is robust and efficient compared to Lu et al.’s protocol and existing similar protocols.

Method and system of establishing a virtual private network in a cloud service for branch networking

Abstract: In one aspect, a computerized system useful for implementing a virtual private network (VPN) including an edge device that automatically establishes an Internet Protocol Security (IPsec) tunnel alongside an unsecure Multipath Protocol (MP) tunnel with a gateway device in preparation for a transmission of a secure traffic communication. The edge device has a list of local subnets. The edge device sends the list of local subnets to the gateway during an initial MP tunnel establishment handshake message exchange between the edge device and the gateway device. Each subnet includes an indication of whether the subnet is reachable over the VPN. A gateway device that automatically establishes the IPsec tunnel alongside the unsecure MP tunnel with the edge device. An enterprise datacenter server that comprises an orchestrator module that receives a toggle the VPN command and enables the VPN on the orchestrator. The orchestrator informs the edge device the list of subnets is accessible over the VPN causing the edge device to update the gateway device with a new list of subnets of the edge device that accessible over the VPN.

Downgrade Resilience in Key-Exchange Protocols

Abstract: Key-exchange protocols such as TLS, SSH, IPsec, and ZRTP are highly configurable, with typical deployments supporting multiple protocol versions, cryptographic algorithms and parameters. In the first messages of the protocol, the peers negotiate one specific combination: the protocol mode, based on their local configurations. With few notable exceptions, most cryptographic analyses of configurable protocols consider a single mode at a time. In contrast, downgrade attacks, where a network adversary forces peers to use a mode weaker than the one they would normally negotiate, are a recurrent problem in practice. How to support configurability while at the same time guaranteeing the preferred mode is negotiated? We set to answer this question by designing a formal framework to study downgrade resilience and its relation to other security properties of key-exchange protocols. First, we study the causes of downgrade attacks by dissecting and classifying known and novel attacks against widely used protocols. Second, we survey what is known about the downgrade resilience of existing standards. Third, we combine these findings to define downgrade security, and analyze the conditions under which several protocols achieve it. Finally, we discuss patterns that guarantee downgrade security by design, and explain how to use them to strengthen the security of existing protocols, including a newly proposed draft of TLS 1.3.

Securing Vehicular IPv6 Communications

Abstract: A common practice is applying security after a network has been designed or developed. We have the opportunity of not committing this error in vehicular networks. Apart from particular works in the literature, ETSI TC ITS has defined general security services for (vehicular) cooperative systems. However, existent efforts do not pay the needed attention to the integration of IPv6 yet. The potential of IPv6 in the field is being described within ISO TC 204, above all, but further work is needed for a proper integration of security. This work follows this direction, and a reference vehicular communication architecture considering ETSI/ISO regulations, uses Internet Protocol security (IPsec) and Internet Key Exchange version 2 (IKEv2) to secure IPv6 Network Mobility (NEMO). A key advance is also the implementation and experimental evaluation of the proposal in a challenging vertical handover scenario between 3G and 802.11p. The performance of the secured NEMO channel is widely analyzed in terms of the movement speed, bandwidth, traffic type or signal quality, and it is concluded that the addition of IPv6 security only implies a slight reduction in the overall performance, with the great advantage of providing confidentiality, integrity and authenticity to the communication path.

User location tracking attacks for LTE networks using the interworking functionality

Abstract: User location tracking attacks using cellular networks have been known since 2008. In 2014, several Signalling System No 7 (SS7) protocol based location tracking attacks were demonstrated, which particularly targeted the cellular roaming in GSM networks. Currently, the mobile network operators are in a gradual process of upgrading to Long Term Evolution (LTE) networks, in addition to replacing SS7 by its successor — Diameter protocol. Though Diameter seems to be an improvement over SS7 in terms of security with the use of IPsec/TLS and certificate based authentication, they still need to communicate with their roaming partners who use less secure SS7. In this paper, we will briefly present the translation of existing SS7 attacks into Diameter-based attacks in LTE networks (under certain assumptions) using Interworking Functions(IWF) — which allows communication between networks that use different protocols. The key contribution of this paper is the the detailed explanation of novel attack vectors to obtain the user location information using IWF and hence, the proof that even new LTE network can be vulnerable to legacy attacks. Furthermore, we will outline some of the potential protection approaches for the attacks that we discuss.

Bilateral Teleoperation System Using QoS and Secure Communication Networks for Telemedicine Applications

Abstract: The next generation of telesurgical robotics systems presents significant challenges related to network performance and data security. It is known that packet transmission in wide area networks is a complex stochastic process; thus, low bandwidth as well as high delay, jitter, and packet loss will greatly affect the quality of service (QoS) of teleoperation control, which is unacceptable in this kind of sensitive application. Furthermore, a relevant but more serious issue is the network attacks, particularly denial of service as well as data alteration or disclosure. The main motivation of this study is to deploy suitable security mechanisms while preserving the QoS of network-based bilateral teleoperation. We propose and apply a protocol that secures our teleoperation system while preserving its real-time constraints. More precisely, we present in this paper a bilateral generalized predictive controller coupled to a QoS-friendly IP security protocol. The experimental results demonstrate that the telerobotic system is able to satisfy both QoS and security requirements of real-time and sensitive teleoperation tasks. In fact, our teleoperation security protocol provides priority treatment while preventing attacks and avoiding potential deadline misses due to increased security cost.

Proposing and verifying a security-enhanced protocol for IoT-based communication for medical devices

Abstract: Internet of things technology has recently drawn much attention across industries. IoT technology has gradually been applied to industries and everyday life in general including healthcare, where people can access hospital information systems to view personal health and medical information. Still, due to security vulnerabilities, personal health and medical information is prone to hacking attacks. Thus, concerns over privacy invasion have come to the fore, and at the same time security issues are considered to override information services. This paper proposes a communication protocol based on hash lock, session keys, random numbers and security keys designed to be safe against intruders' hacking attempts in information communication between medical devices. Instead of arguing for the safety of the proposed protocol with mathematical theorem proving as in prior research on protocol proving, this paper verifies the safety of the proposed authentication protocol against a range of attacks using a model checking program, Casper/FDR program. In brief, the proposed communication protocol for medical devices is safe and secure against diverse attacks.

Secure End-to-End key establishment protocol for resource-constrained healthcare sensors in the context of IoT

Abstract: Internet of Things (IoT) is an ubiquitous concept where physical objects are connected over the internet and are provided with unique identifiers to enable their self-identification to other devices and the ability to transmit data over the network. Sensor nodes along with their heterogeneous nature are the main part of the IoT and may act as internet hosts or clients. Communication security and end-users privacy protection is a major concern in the development of IoT especially if these IP-enabled sensor nodes have limited resources. Secret key distribution for heterogeneous sensors becomes challenging due to the inconsistencies in their cryptographic primitives and computational resources as in Healthcare applications. This paper introduces a new End-to-End key establishment protocol that is lightweight for resource-constrained sensors and secure through strong encryption and authentication. By using this protocol, resource-constrained nodes can also benefit from the same security functionalities that are typical of unconstrained domains, without however having to execute computationally intensive operations. The protocol is based on cooperation by offloading the heavy cryptographic operations of constrained nodes to the neighboring trusted nodes or devices. Security analysis and performance evaluation results show that the proposed protocol is secure and is sufficiently energy efficient.

Improving the tunnel management performance of secure VPLS architectures with SDN

Abstract: Secure VPLS (Virtual Private LAN Services) networks are becoming attractive in many Enterprise applications. However, the tunnel establishment mechanisms of legacy VPLS architectures are static, complex and inflexible in nature. As a result, secure VPLS architectures are suffering from limitations such as the limited scalability, over utilization of network resources, high tunnel establishment delay and high operational cost. In this article, we propose a novel SDN (Software Defined Networking) based VPLS (Virtual Private LAN Services) architecture to overcome tunnel management limitations in existing secure VPLS architectures. The proposed architecture utilizes IPsec enabled OpenFlow switches as PEs (Provider Edge Equipments) and OpenFlow protocol to install flow rules in PEs. A centralized controller is used to manage the tunnel establishment functions. We also propose a novel tunnel management mechanism which can estimate the tunnel duration based on real time session characteristics. Moreover, a novel tunnel resumption mechanism is proposed to reduce the tunnel establishment delay of subsequent tunnel establishments. Finally, the performance of proposed architecture is analyzed by using a simulation model and a testbed implementation.

QR code based mutual authentication protocol for Internet of Things

Abstract: In the Internet of Things (IoT), security is important and challenging; however, it is often neglected. This paper presents a smart home scenario, together with its requirements for a secure and user friendly mutual authentication protocol. Protocols developed for the internet are often not applicable to the Internet of Things due to hardware limitations and physical inaccessibility of devices. To tackle the challenge of a usable and secure device authentication in the area of the IoT, a QR code based mutual authentication protocol is proposed. The protocol supports two operation modes to handle different hardware configurations with respect to cameras and displays. Both operation modes are secure against attacks within the proposed attacker model. The protocol can also be used to exchange the public keys between two parties, in order to establish a secure channel without a trusted third party.

An Efficient Device Authentication Protocol Without Certification Authority for Internet of Things

Abstract: Wireless network devices are used for the Internet of Things in a variety of applications, and although the IoT has many benefits, there are some security issues in this area. Hacking tools that are widely used in wireless communication enable the attacker to export the information stored in the device memory. Devices within the IoT should not allow this information to be accessed without an authentication. In this paper, we propose an efficient device authentication protocol without certification authority for the Internet of Things. Compared to the existing Constrained Application Protocol, the proposed protocol increases efficiency by minimizing the number of message exchanges. Since our protocol is based on a keyed hash algorithm, the Certificate of Authority is not required. Experimental results show that the proposed authentication protocol improves the security level and reduces the resource consumption of devices.

Fusion: coalesced confidential storage and communication framework for the IoT

Abstract: Comprehensive security mechanisms are required for a successful implementation of the Internet of Things IoT. Existing solutions focus mainly on securing the communication links between Internet hosts and IoT devices. However, as most IoT devices nowadays provide vast amounts of flash storage space, it is as well required to consider storage security within a comprehensive security framework. Instead of developing independent security solutions for storage and communication, we propose Fusion, a framework that provides coalesced confidential storage and communication. Fusion uses existing secure communication protocols for the IoT such as Internet protocol security IPsec and datagram transport layer security DTLS and re-uses the defined communication security mechanisms within the storage component. Thus, trusted mechanisms developed for communication security are extended into the storage space. Notably, this mechanism allows us to transmit requested data directly from the file system without decrypting read data blocks and then re-encrypting these for transmission. Thus, Fusion provides benefits in terms of processing speed and energy efficiency, which are important aspects for resource-constrained IoT devices. This paper describes the Fusion architecture and its instantiation for IPsec-based and DTLS-based systems. We describe Fusion's implementation and evaluate its storage overheads, communication performance, and energy consumption. Copyright © 2015John Wiley & Sons, Ltd.

Provably secure three-factor authentication and key agreement scheme for session initiation protocol

Abstract: Session initiation protocol (SIP) is a widely used authentication protocol for the Voice over IP communications. Over the years, several protocols have been proposed in the literature to strengthen the security of SIP. In this paper, we present an efficient elliptic curve cryptography (ECC)-based provably secure three-factor authentication and session key agreement scheme for SIP, which uses the identity, password, and personal biometrics of a user as three factors. Our scheme aims to resolve the security weaknesses and drawbacks in existing SIP authentication protocols. In addition, our scheme supports password and biometric update phase without involving the server and the user mobile device revocation phase in case the mobile device is lost/stolen. Formal security analysis under the standard model and the broadly accepted Burrows–Abadi–Needham logic ensures that the proposed scheme can withstand several known security attacks. The proposed scheme has also been analyzed informally. Simulation for formal security verification using the widely known automated validation of internet security protocols and applications tool shows the replay, and the man-in-the-middle attacks are protected by the scheme. High security and low communication and computation costs make the proposed scheme more suitable for practical application as compared with other existing related ECC-based schemes. Copyright © 2016 John Wiley & Sons, Ltd.

TinyTO: two-way authentication for constrained devices in the Internet of Things

Abstract: Wireless sensor networks (WSN) will play a fundamental role in the future Internet of Things (IoT), with millions of devices actively exchanging confidential information with one another in a multi-hop manner. Ensuring secure end-to-end communication channels is crucial to the success of innovative IoT applications, as they are essential to limit attacks’ impacts and avoid exposure of information. End-to-end security solutions, such as IPsec or DTLS, do not scale well on WSN devices due to limited resources. In this chapter, the optimized two-way authentication solution for tiny devices (TinyTO) combines end-to-end secured communication with WSN design. TinyTO provides confidentiality and integrity within a fast and secure handshake, works with public-key cryptography, and uses elliptic curve cryptography (ECC) for message encryption and authentication. ECC lowers the resource consumption, and suits devices with 10 kByte RAM and 100 kByte ROM. TinyTO does not need a network-wide shared secret, is application-independent, and supports in-network aggregation.

IPSecOPEP: IPSec over PEPs architecture, for secure and optimized communications over satellite links

Abstract: This paper presents a TCP/IP-based architecture (IPSecOPEP) to resolve the interoperability issue between PEPs (Performance Enhancing Proxies) and IPSec (Internet Protocol Security). Where this problem is due to the cryptographic protection of TCP header by IPSec ESP protocol, which prohibits TCP enhancing mechanisms to be performed by PEPs. The key idea of this solution is that IPSec devices can perform well as a bridge between end users and PEPs in such situations, because they can access to both TCP headers of original packets and IPSec headers of encrypted packets. By this way, IPSec devices can perform a simple mapping between original TCP headers and their corresponding IPSec headers to resolve the interoperability issue. In our proposed IPSecOPEP architecture, we add a new components to the standard TCP/IP stack for IPSec devices and PEPs proxies, to ensure cooperatively and transparently the interoperability between them, without affecting the security privacy and performance level in such situations. In fact, this solution doesn't need to exchange any secret information about IPSec-related security associations. Furthermore it doesn't imply the use of any additional headers to IPSec packets by the PEPs. However, IPSec devices should coordinate between end users and PEPs to ensure spoofing mechanism, to avoid slow start problem of a standard TCP. After that, PEPs can continue to apply other enhancing mechanisms over the satellite link. Hence, this solution presents a double advantages concerning both the security and the performance at once. Moreover, the components of this solution can be easily standardized, implemented, integrated and enabled, in IPSec and PEPs devices.

Optimizable full-path encryption in a virtualization environment

Abstract: An approach for full-path data encryption, where user virtualized computers (e.g., user VMs) are configured to communicate with other virtualized computers or VMs using IPsec protocol encryption standards. The user VMs may send a first encryption or authorization key to the other VMs, which the other VMs may use to authenticate the user VMs and encrypt and decrypt data stored to storage devices using a second encryption key. In some approaches, the other VMs may interpret or decrypt the data sent via IPsec and then perform data optimizations (e.g., compression, deduplication) on the data before decrypting/encrypting with the second key.

EAM: Architecting Efficient Authentication Model for Internet Security using Image-Based One Time Password Technique

Abstract: In the era of Internet world, passwords are essential to protect our data and the application. Relying on a simple plaintext password would lead to vulnerability. Apart from choosing strong passwords, the authentication model plays a crucial role in Internet Security by protecting the web applications efficiently from various security attacks. Objectives: The aim of the paper is to provide an Efficient Authentication Model and adopt a new technique in generating a dynamic salt from the client. Hence it protects Internet applications from five types of security attacks, namely password-guessing attack, keylogger attack, replay attack, streaming bots, and screen-capture attacks. Methods: The One Time Password (OTP) based image-selection enables the user to protect the Internet application from streaming bots, keyloggers and screen-capture attacks. Findings: The architecture has been designed efficiently to minimize the number of transactions between the client and the server. The dependency on hardware devices for authentication can be completely eradicated by using Efficient Authentication Model (EAM). Hence, the authentication is well-suited for Internet applications requiring higher levels of security. Application: It is a single solution for multiple security problems with minimal cost and highly secured with improved performance. Hence, it can be implemented by banks, financial organization, etc. where security is very significant.

Lightweight, anonymous and mutual authentication in IoT infrastructure

Abstract: Recent development in information technology and internet makes the internet of things (IoT) more popular than before. Since all of entities can be interact with each other, so some security elements such as authentication should be considered. Sensor-to-Sensor connection is one of the important communications in IoT environment. Therefore in this paper, lightweight authentication protocol between sensors in stationary and mobile mode is proposed to be suitable for constraint entities. This protocol can ensure some security and privacy features such as anonymity, untraceability and so on. At the end, security requirements and computational costs between different schemes are compared.

From protecting protocols to layers: Designing, implementing and experimenting with security policies in RINA

Abstract: Current Internet security is complex, expensive and ineffective. The usual argument is that the TCP/IP protocol suite was not designed having security in mind and security mechanisms have been added as add-ons or separate protocols. We argue that fundamental limitations in the Internet architecture are a major factor contributing to the insecurity of the Net. In this paper we explore the security properties of the Recursive InterNetwork Architecture, analyzing the principles that make RINA networks inherently more secure than TCP/IP-based ones. We perform the specification, implementation and experimental evaluation of the first authentication and SDU protection policies for RINA networks. RINA's approach to securing layers instead of protocols increases the security of networks, while reducing the complexity and cost of providing security.

Minimal Internet Key Exchange Version 2 (IKEv2) Initiator Implementation

Abstract: This document describes a minimal initiator version of the Internet Key Exchange version 2 (IKEv2) protocol for constrained nodes. IKEv2 is a component of IPsec used for performing mutual authentication and establishing and maintaining Security Associations (SAs). IKEv2 includes several optional features, which are not needed in minimal implementations. This document describes what is required from the minimal implementation and also describes various optimizations that can be done. The protocol described here is interoperable with a full IKEv2 implementation using shared secret authentication (IKEv2 does not require the use of certificate authentication). This minimal initiator implementation can only talk to a full IKEv2 implementation acting as the responder; thus, two minimal initiator implementations cannot talk to each other. This document does not update or modify RFC 7296 but provides a more compact description of the minimal version of the protocol. If this document and RFC 7296 conflict, then RFC 7296 is the authoritative description.

An FPGA based reconfigurable IPSec ESP core suitable for IoT applications

Abstract: This work implements an FPGA (Field Programmable Gate Array) based reconfigurable IPSec ESP core. The IPSec protocol, developed by the IETF (Internet Engineering Task Force) in 1998, is a popular solution to facilitate protection of the data being transferred at the IP layer. IPSec ESP is one of the two main IPSec protocols (AH: Authentication Header and ESP: Encapsulation Security Payload). IPSec ESP is used to provide data confidentiality security services with Authenticity (optional). Implementation of the IPSec is a computing intensive work, that's why hardware implementation of IPSec is a best solution. Here, to design IPSec ESP core an encryption algorithm AES is used. Proposed design also supports ESP-tunnel and ESP-transport mode of operation. This core is tested by applying default length of 576 bytes for an IPv4 datagram and results are reported on Virtex-5 and Virtex-6 FPGAs. The proposed IPSec ESP core can be used to provide data confidentiality security to IoT applications.

Novel secure VPN architectures for LTE backhaul networks

Abstract: In this paper, we propose two secure virtual private network architectures for the long-term evolution backhaul network. They are layer 3 Internet protocol (IP) security virtual private network architectures based on Internet key exchange version 2 mobility and multihoming protocol and host identity protocol. Both architectures satisfy a complete set of 3GPP backhaul security requirements such as authentication, authorization, payload encryption, privacy protection, and IP-based attack prevention. The security analysis and simulation results verify that the proposed architectures are capable enough to protect long-term evolution backhaul traffic against various IP-based attacks. Copyright © 2016 John Wiley & Sons, Ltd.