
Showing papers on "IPsec" published in 2017


Journal ArticleDOI
TL;DR: This work presents a lightweight and secure user authentication protocol based on the Rabin cryptosystem, which has the characteristic of computational asymmetry and presents a comprehensive heuristic security analysis to show that the protocol is secure against all the possible attacks and provides the desired security features.
Abstract: Wireless sensor networks (WSNs) will be integrated into the future Internet as one of the components of the Internet of Things, and will become globally addressable by any entity connected to the Internet. Despite the great potential of this integration, it also brings new threats, such as the exposure of sensor nodes to attacks originating from the Internet. In this context, lightweight authentication and key agreement protocols must be in place to enable end-to-end secure communication. Recently, Amin et al. proposed a three-factor mutual authentication protocol for WSNs. However, we identified several flaws in their protocol. We found that their protocol suffers from smart card loss attack where the user identity and password can be guessed using offline brute force techniques. Moreover, the protocol suffers from known session-specific temporary information attack, which leads to the disclosure of session keys in other sessions. Furthermore, the protocol is vulnerable to tracking attack and fails to fulfill user untraceability. To address these deficiencies, we present a lightweight and secure user authentication protocol based on the Rabin cryptosystem, which has the characteristic of computational asymmetry. We conduct a formal verification of our proposed protocol using ProVerif in order to demonstrate that our scheme fulfills the required security properties. We also present a comprehensive heuristic security analysis to show that our protocol is secure against all the possible attacks and provides the desired security features. The results we obtained show that our new protocol is a secure and lightweight solution for authentication and key agreement for Internet-integrated WSNs.

259 citations


Journal ArticleDOI
TL;DR: A detailed survey on device-to-device (D2D) communications has been offered, along with the challenges which exist for D2D (like resource allocation, security, interference management etc.) to become a successful paradigm of wireless networks.

179 citations


BookDOI
03 Jan 2017
TL;DR: This book provides an overview of current Intellectual Property (IP) based System-on-Chip (SoC) design methodology and highlights how security of IP can be compromised at various stages in the overall SoC design-fabrication-deployment cycle.
Abstract: This book provides an overview of current Intellectual Property (IP) based System-on-Chip (SoC) design methodology and highlights how security of IP can be compromised at various stages in the overall SoC design-fabrication-deployment cycle. Readers will gain a comprehensive understanding of the security vulnerabilities of different types of IPs. This book would enable readers to overcome these vulnerabilities through an efficient combination of proactive countermeasures and design-for-security solutions, as well as a wide variety of IP security and trust assessment and validation techniques. This book serves as a single source of reference for system designers and practitioners for designing secure, reliable and trustworthy SoCs.

66 citations


Journal ArticleDOI
TL;DR: A lightweight protocol for capacity-based security access authentication named AccessAuth is presented to enforce strict access authentication such that the sessions are conducted only by authorized requesters.

50 citations


Journal ArticleDOI
TL;DR: A Universal Authentication and Key Agreement protocol for D2D communications (UAKA-D2D) to achieve secure communication session establishment, where user roaming and inter-operator operation are considered and results show the efficiency and practicality of the proposed protocol.
Abstract: Device-to-Device (D2D) communications have emerged as a promising technology for the next generation mobile communication networks and wireless systems (5G). As an underlay network of conventional cellular networks (LTE or LTE-Advanced), D2D communications have shown great potential in improving communication capability and fostering multifarious new applications and services. However, new application scenarios and system architecture expose establishment of D2D communications into unique security threats. Therefore, it is necessary to take security requirements into the design of D2D communications in order to ensure security and correct operations of the network. In this paper, we proposed a Universal Authentication and Key Agreement protocol for D2D communications (UAKA-D2D) to achieve secure communication session establishment, where user roaming and inter-operator operation are considered. Our protocol adopts Diffie-Hellman Key Exchange algorithm (DHKE) to achieve privacy preserving session key generation and employs message authentication code to achieve mutual authentication between D2D users. The security of the proposed protocol is analyzed theoretically and verified by a formal security verification tool. Finally, we evaluated the performance of the protocol in terms of computation and communication costs based on extensive analysis and simulations. The results show the efficiency and practicality of the proposed protocol.

49 citations


Journal ArticleDOI
TL;DR: This paper analyzes the various existing detection and prevention approaches that are proposed to tackle ICMPv6-based DoS and DDoS attacks against IPv6 networks using ICMPv6 messages.
Abstract: The number of internet users and devices that are in need for more IP addresses to be assigned to them is rapidly increasing. A new protocol named IPv6 was developed in 1998 to overcome the addressing issue and to improve network communications in general. IPv6 is an improved protocol compared to IPv4 in terms of security since it provides built-in security mechanisms, such as IPSec. In addition, it brought new functionalities, such as Neighbour Discovery Protocol (NDP) procedure, which depends on Internet Control Message Protocol version 6 (ICMPv6) protocol messages. However, IPv6 inherited a number of attacks from IPv4 in addition to new attacks it brought within its new features. One of the most common attacks is the Denial of Service (DoS) attack due to its ease of being launched in different ways. A more serious DoS attack can be launched from many hosts called Distributed Denial of Service (DDoS). DoS and DDoS attacks are thorny and a grave problem of today's internet, resulting in economic damages for organizations and individuals. Therefore, this paper is created to study the properties of DoS and DDoS attacks against IPv6 networks using ICMPv6 messages. Additionally, it analyzes the various existing detection and prevention approaches that are proposed to tackle ICMPv6-based DoS and DDoS attacks. Moreover, it explains the existing tools that might be used for performing these attacks.

47 citations


Journal ArticleDOI
TL;DR: A novel security framework for MANETs, SUPERMAN is proposed, designed to allow existing network and routing protocols to perform their functions, whilst providing node authentication, access control, and communication security mechanisms.
Abstract: The flexibility and mobility of Mobile Ad hoc Networks (MANETs) have made them increasingly popular in a wide range of use cases. To protect these networks, security protocols have been developed to protect routing and application data. However, these protocols only protect routes or communication, not both. Both secure routing and communication security protocols must be implemented to provide full protection. The use of communication security protocols originally developed for wireline and WiFi networks can also place a heavy burden on the limited network resources of a MANET. To address these issues, a novel secure framework (SUPERMAN) is proposed. The framework is designed to allow existing network and routing protocols to perform their functions, whilst providing node authentication, access control, and communication security mechanisms. This paper presents a novel security framework for MANETs, SUPERMAN. Simulation results comparing SUPERMAN with IPsec, SAODV, and SOLSR are provided to demonstrate the proposed framework's suitability for wireless communication security.

45 citations


Journal ArticleDOI
28 Apr 2017-Sensors
TL;DR: Secure Mobile Sensor Network (SMSN) Authentication Protocol as discussed by the authors is a lightweight and efficient key exchange and authentication protocol suite, which reduces the communication and computational complexity of the authentication process in WSNs.
Abstract: Authentication is one of the essential security services in Wireless Sensor Networks (WSNs) for ensuring secure data sessions. Sensor node authentication ensures the confidentiality and validity of data collected by the sensor node, whereas user authentication guarantees that only legitimate users can access the sensor data. In a mobile WSN, sensor and user nodes move across the network and exchange data with multiple nodes, thus experiencing the authentication process multiple times. The integration of WSNs with Internet of Things (IoT) brings forth a new kind of WSN architecture along with stricter security requirements; for instance, a sensor node or a user node may need to establish multiple concurrent secure data sessions. With concurrent data sessions, the frequency of the re-authentication process increases in proportion to the number of concurrent connections. Moreover, to establish multiple data sessions, it is essential that a protocol participant have the capability of running multiple instances of the protocol run, which makes the security issue even more challenging. The currently available authentication protocols were designed for the autonomous WSN and do not account for the above requirements. Hence, ensuring a lightweight and efficient authentication protocol has become more crucial. In this paper, we present a novel, lightweight and efficient key exchange and authentication protocol suite called the Secure Mobile Sensor Network (SMSN) Authentication Protocol. In the SMSN a mobile node goes through an initial authentication procedure and receives a re-authentication ticket from the base station. Later a mobile node can use this re-authentication ticket when establishing multiple data exchange sessions and/or when moving across the network. This scheme reduces the communication and computational complexity of the authentication process. We proved the strength of our protocol with rigorous security analysis (including formal analysis using the BAN-logic) and simulated the SMSN and previously proposed schemes in an automated protocol verifier tool. Finally, we compared the computational complexity and communication cost against well-known authentication protocols.

39 citations


Journal ArticleDOI
TL;DR: A novel lightweight key agreement and authentication protocol has been proposed for end-to-end security in wireless sensor networks and a performance comparison is made with the existing IKEv2 protocol.

32 citations


Journal ArticleDOI
TL;DR: This paper proposes a secure and efficient authenticated session key establishment protocol which ensures various security features and overcomes the drawbacks of existing protocols and intends to implement the proposed protocol in real-world applications of WSNs and IoT.
Abstract: To improve the quality of service and reduce the possibility of security attacks, a secure and efficient user authentication mechanism is required for Wireless Sensor Networks (WSNs) and the Internet of Things (IoT). Session key establishment between the sensor node and the user is also required for secure communication. In this paper, we perform the security analysis of A. K. Das's user authentication scheme (given in 2015), Choi et al.'s scheme (given in 2016), and Park et al.'s scheme (given in 2016). The security analysis shows that their schemes are vulnerable to various attacks like user impersonation attack, sensor node impersonation attack and attacks based on legitimate users. Based on the cryptanalysis of these existing protocols, we propose a secure and efficient authenticated session key establishment protocol which ensures various security features and overcomes the drawbacks of existing protocols. The formal and informal security analysis indicates that the proposed protocol withstands the various security vulnerabilities involved in WSNs. The automated validation using AVISPA and Scyther tool ensures the absence of security attacks in our scheme. The logical verification using the Burrows-Abadi-Needham (BAN) logic confirms the correctness of the proposed protocol. Finally, the comparative analysis based on computational overhead and security features of other existing protocols indicates that the proposed user authentication system is secure and efficient. In the future, we intend to implement the proposed protocol in real-world applications of WSNs and IoT.

32 citations


Proceedings ArticleDOI
01 Jan 2017
TL;DR: In this paper, different VPN tunneling protocols like GRE, IPSec, PPTP and L2TP with IPSec are analyzed to measure the performance in terms of throughput, RTT, Jitter and security parameters.
Abstract: The application scope of VPN is increasing day by day as organizations are creating private networks through the public Internet using VPN tunneling instead of leased lines. VPN protocols are classified into site-to-site and remote access VPN, which exhibit different sets of characteristics in terms of security mechanism. But there is no VPN preference based on the organizational application requirements. In this paper, different VPN tunneling protocols like GRE, IPSec, PPTP and L2TP with IPSec are analyzed to measure the performance in terms of throughput, RTT, Jitter and security parameters. The results exhibit that GRE is preferable for delay and bandwidth sensitive applications in the context of site-to-site VPN and L2TP is more effective than PPTP for remote access VPN.

Journal ArticleDOI
TL;DR: This article presents security challenges related to SDMN communication channels (i.e., control and data channel) and proposes a novel secure communication channel architecture based on Host Identity Protocol (HIP).

Proceedings ArticleDOI
01 Oct 2017
TL;DR: The proposed security protocols can be employed in IoT and CPS applications, replacing the IPsec core algorithms or the whole IPsec suite, to achieve a higher level of security with a very low resource consumption that helps to maintain the system sustainability.
Abstract: In this paper, a suite of lightweight security protocols for the Internet of Things (IoT) is presented. It comprises protocols for lightweight encryption, authentication as well as key management. The key management protocol is the application of our early work on information theoretically secure key management to IoT; it is computationally efficient and information-theoretically secure, and enables that every data item (file) is encrypted with its own random key. The security and computational efficiency of the proposed protocols are compared with those of IPsec, which is the most commonly used suite of network-layer security protocols in Internet based applications but not desirable, due to its computationally-intensive procedures, to IoT applications and cyber-physical systems (CPS) with resource and computation-capability constraints. The proposed security protocols can be employed in IoT and CPS applications, replacing the IPsec core algorithms or the whole IPsec suite, to achieve a higher level of security with a very low resource consumption that helps to maintain the system sustainability.

Proceedings ArticleDOI
01 Jan 2017
TL;DR: This paper presents a fundamentally different and novel approach to FPGA security that can protect against all major attacks on FPGA, namely, unauthorized in-field reprogramming, piracy of FPGA intellectual property (IP) blocks, and targeted malicious modification of the bitstream.
Abstract: Field Programmable Gate Arrays (FPGAs) are being increasingly deployed in diverse applications including the emerging Internet of Things (IoT), biomedical, and automotive systems. However, security of the FPGA configuration file (i.e. bitstream), especially during in-field reconfiguration, as well as effective safeguards against unauthorized tampering and piracy during operation, are notably lacking. The current practice of bitstream encryption is only available in high-end FPGAs, incurs unacceptably high overhead for area/energy-constrained devices, and is susceptible to side channel attacks. In this paper, we present a fundamentally different and novel approach to FPGA security that can protect against all major attacks on FPGA, namely, unauthorized in-field reprogramming, piracy of FPGA intellectual property (IP) blocks, and targeted malicious modification of the bitstream. Our approach applies the security through diversity principle, which is often used in the software domain, to FPGA. We make each device architecturally different from the others using both physical (static) and logical (time-varying) configuration keys, ensuring that attackers cannot use a priori knowledge about one device to mount an attack on another. It therefore mitigates the economic motivation for attackers to reverse engineer the bitstream and IP. The approach is compatible with modern remote upgrade techniques, and requires only small modifications to existing FPGA tool flows, making it an attractive addition to the FPGA security suite. Our experimental results show that the proposed approach achieves provably high security against tampering and piracy with worst-case 14% latency overhead and 13% area overhead.

Proceedings ArticleDOI
09 Jul 2017
TL;DR: A further extended and generalised version of the FR-WinFirewall is presented to cover IPv6 traffic and for the inclusion of some extra DoS attack types related to ICMPv4, ICMPv6 and TCP.
Abstract: The majority of computer systems use security software/hardware to protect against cyber attacks. A firewall is one of the most popular security systems to protect against unauthorized access to or from its hosted network/system. The Microsoft Windows Operating System (OS) is equipped with an intrinsic firewall utility, which has been enhanced over the years to offer advanced security features including IPSec-based virtual private network functionality. This intrinsic Windows Firewall is still not capable of detecting and preventing Denial of Service (DoS) attacks. Nevertheless, as an established end user security tool which is supplied with Windows OS, Windows Firewall with some additional intelligence may be an extremely valuable security utility for millions of Windows users. An intelligent Windows fuzzy firewall named FR-WinFirewall has been developed to improve its functionalities and aid prevention of DoS attacks. This paper presents the further extended and generalised version of the FR-WinFirewall to cover IPv6 traffic and for the inclusion of some extra DoS attack types related to ICMPv4, ICMPv6 and TCP. This augmented FR-WinFirewall can monitor, alert and prevent the three types of DoS attacks, ICMP (ICMPv4 and ICMPv6) DoS, UDP DoS and TCP DoS, as these protocols cover the majority of the TCP/IP traffic within any network. In this firewall, three separate fuzzy reasoning components related to three DoS attack types are designed, implemented and tested successfully. The addition of fuzzy intelligence to an intrinsic Windows Firewall makes it comparatively better than many well known firewalls, which are not yet capable of controlling DoS attacks.

Patent
Laxminarayana Tumuluru, Todd Sabin, Weiqing Wu, Serge Maskalik, Sachin Thakkar
29 Aug 2017
TL;DR: In this article, a technique leveraging CPU flow affinity to increase throughput of a layer 2 (L2) extension network is presented, where multiple Internet Protocol Security (IPsec) tunnels are pinned to respective CPUs or cores, which each process traffic flows for one of the IPsec tunnels.
Abstract: Techniques leveraging CPU flow affinity to increase throughput of a layer 2 (L2) extension network are disclosed. In one embodiment, an L2 concentrator appliance, which bridges a local area network (LAN) and a wide area network (WAN) in a stretched network, is configured such that multiple Internet Protocol Security (IPsec) tunnels are pinned to respective CPUs or cores, which each process traffic flows for one of the IPsec tunnels. Such parallelism can increase the throughput of the stretched network. Further, an L2 concentrator appliance that receives FOU packets is configured to distribute the received FOU packets across receive queues based on a deeper inspection of inner headers of such packets.

Proceedings ArticleDOI
26 Sep 2017
TL;DR: The results show that encryption-based access control is insufficient for privacy in CCN, and more extensive counter-measures are needed to mitigate the attack.
Abstract: Content-Centric Networking (CCN) is a network architecture for transferring named content from producers to consumers upon request. The name-to-content binding is cryptographically enforced with a digital signature generated by the producer. Thus, content integrity and origin authenticity are core features of CCN. In contrast, content confidentiality and privacy are left to the applications. The typically advocated approach for protecting sensitive content is to use encryption, i.e., restrict access to those who have appropriate decryption key(s). Moreover, content is typically encrypted once for identical requests, meaning that many consumers obtain the same encrypted content. From a privacy perspective, this is a step backwards from the "secure channel" approach in today's IP-based Internet, e.g., TLS or IPSec. In this paper, we assess the privacy pitfalls of this approach, particularly, when the adversary learns some auxiliary information about popularity of certain plaintext content. Merely by observing (or learning) the frequency of requested content, the adversary can learn which encrypted content corresponds to which plaintext data. We evaluate this attack using a custom CCN simulator and show that even moderately accurate popularity information suffices for accurate mapping. We also show how the adversary can exploit caches to learn content popularity information. The adversary needs to know the content namespace in order to succeed. Our results show that encryption-based access control is insufficient for privacy in CCN. More extensive counter-measures (such as namespace restrictions and content replication) are needed to mitigate the attack.

Proceedings ArticleDOI
18 May 2017
TL;DR: A novel and lightweight authentication protocol with an attack-resilient tree algorithm, which is based on one-way hash chain, achieves a high level of security and is more efficient than other authentication protocols in terms of authentication time, response time, and service delay.
Abstract: While vehicle to everything (V2X) communication enables safety-critical automotive control systems to better support various connected services to improve safety and convenience of drivers, they also allow automotive attack surfaces to increase dynamically in modern vehicles. Many researchers as well as hackers have already demonstrated that they can take remote control of the targeted car by exploiting the vulnerabilities of in-vehicle networks such as Controller Area Networks (CANs). For assuring CAN security, we focus on how to authenticate electronic control units (ECUs) in real-time by addressing the security challenges of in-vehicle networks. In this paper, we propose a novel and lightweight authentication protocol with an attack-resilient tree algorithm, which is based on one-way hash chain. The protocol can be easily deployed in CAN by performing a firmware update of ECU. We have shown analytically that the protocol achieves a high level of security. In addition, the performance of the proposed protocol is validated on the CANoe simulator for virtual ECUs and Freescale S12XF used in real vehicles. The results show that our protocol is more efficient than other authentication protocols in terms of authentication time, response time, and service delay.

Proceedings ArticleDOI
01 Jul 2017
TL;DR: A mutual authentication protocol based on ECC is designed for RFID systems which can resist camouflage attacks, tracking attacks, denial of service attacks, system internal attacks and so on.
Abstract: In this paper, a mutual authentication protocol based on ECC is designed for RFID systems. This protocol is described in detail and the performance of this protocol is analyzed. The results show that the protocol has many advantages, such as mutual authentication, confidentiality, anonymity, availability, forward security, scalability and so on, and that it can resist camouflage attacks, tracking attacks, denial of service attacks and system internal attacks.

Journal ArticleDOI
TL;DR: The proposed protocol can guarantee end-to-end data authentication with the aid of digital signature and exhibits its effectiveness and efficiency through security analysis and performance analysis.
Abstract: Guaranteeing end-to-end data security in wireless sensor networks (WSNs) is important and has drawn much attention of researchers over past years. Because an attacker may take control of compromised sensor nodes to inject bogus reports into WSNs, enhancing data authenticity becomes a necessary issue in WSNs. Unlike PCREF (Yang et al. in IEEE Trans Comput 64(1):4–18, 2015) and LEDS (Ren et al. in IEEE Trans Mobile Comput 7(5):585–598, 2008), digital signature rather than message authentication polynomials (message authentication codes) is adopted by our protocol in en-route filtering. Keeping the advantages of clusters in PCREF and overcoming the drawbacks in LEDS, an enhanced and efficient cluster-based security protocol is proposed in this paper. The proposed protocol can guarantee end-to-end data authentication with the aid of digital signature and exhibits its effectiveness and efficiency through security analysis and performance analysis. Our analytical results show that the proposed protocol significantly outperforms the closely related protocols in the literature in terms of security strength and protocol overhead.

Proceedings ArticleDOI
01 Aug 2017
TL;DR: This paper focuses on the anonymity of the communications and proposes a solution particularly suitable for such a constrained scenario and in the proposed solution IoT nodes form an Onion Routing anonymity network completely based on a datagram transport (e.g., over UDP).
Abstract: The Internet of Things (IoT) is expected to pervasively interconnect billions of devices, denoted as "smart objects", in an Internet-like structure, which will extend the current Internet, enabling new forms of interactions between objects based on social relationships. In such a scenario, security is a difficult and challenging task, and proper mechanisms should be defined without introducing too much protocol overhead and processing load. In particular, in this paper we focus on the anonymity of the communications and we propose a solution particularly suitable for such a constrained scenario. In the proposed solution IoT nodes form an Onion Routing anonymity network completely based on a datagram transport (e.g., over UDP). Confidentiality is completely enforced by the anonymity network and no other security protocols, such as IPSec or DTLS, are required. The proposed solution has also been implemented and tested.

Proceedings ArticleDOI
22 May 2017
TL;DR: The experiments suggest that moving VPN endpoints from a specialized hardware appliance to a virtualized environment can be a viable and simple solution if traffic throughput requirements are not too demanding.
Abstract: Virtual Private Networks (VPN) are an established technology that provides users a way to achieve secure communication over an insecure communication channel, such as the public Internet. It has been widely accepted due to its flexibility and availability on many platforms. It is often used as an alternative to expensive leased lines. In traditional setups, VPN endpoints are set up in hardware appliances, such as firewalls or routers. In modern networks, which utilize Network Functions Virtualization (NFV), VPN endpoints can be virtualized on common servers. Because data encryption and decryption are CPU intensive operations, it is important to investigate limits of such setups so that feasibility of endpoint virtualization can be evaluated. In this paper, we analyze performance of two industry standard VPN implementations - IPSec and OpenVPN. We examine TCP throughput in relation to encryption algorithm used and packet size. Our experiments suggest that moving VPN endpoints from a specialized hardware appliance to a virtualized environment can be a viable and simple solution if traffic throughput requirements are not too demanding. However, it is still difficult to replace high-end appliances with large throughput capabilities.

Proceedings ArticleDOI
22 May 2017
TL;DR: The paper presents the hardware implementation of an IPsec gateway in FPGA; the efficiency of the proposed solution allows it to be used in networks with data rates of several Gbit/s.
Abstract: IPsec is a suite of protocols that adds security to communications at the IP level. However, the high computing power required by the IPsec algorithms limits network connection performance. The paper presents the hardware implementation of an IPsec gateway in FPGA. The efficiency of the proposed solution allows it to be used in networks with data rates of several Gbit/s.

Proceedings ArticleDOI
01 Sep 2017
TL;DR: This paper presents LTE-WLAN Aggregation (LWA) as specified in 3GPP and compares it to the LTE-WLAN Radio Level Integration with IPsec tunnel (LWIP) and provides simulation results comparing the schemes in an example scenario.
Abstract: Integrating different radio access technologies (RATs) is one effective method to meet the demand to provide ever increasing data rates to the users. For integrating LTE and WLAN in particular, the purpose is to enhance the operator's control of when the UE uses WLAN. Another aim, in addition to better network control on which RAT is used, is the possible data aggregation which enables simultaneous utilization of both resources. In this paper, we present LTE-WLAN Aggregation (LWA) as specified in 3GPP and compare it to the LTE-WLAN Radio Level Integration with IPsec tunnel (LWIP), also specified in 3GPP. In addition, we provide simulation results comparing the schemes in an example scenario.

Proceedings ArticleDOI
01 Feb 2017
TL;DR: A hash based mutual authentication protocol that can dynamically update secret key value between tag and the reader is proposed that is secure and immune to different kinds of attacks.
Abstract: Radio Frequency Identification (RFID) Technology is growing in popularity in wireless communications. It can be used easily for security purposes using an authentication protocol. In the literature, researchers have proposed different types of RFID based authentication protocols to ensure security and privacy. RFID technology is used in IoT (Internet of Things) for real time authentication like access control in offices, homeland security, and transportation, and also in defense and sensitive medical organizations. In this paper we propose a hash based mutual authentication protocol that can dynamically update the secret key value between the tag and the reader. This protocol is secure and immune to different kinds of attacks.

Journal ArticleDOI
TL;DR: Site-to-site IPsec-VPN that connects the company intranets is dealt with, with security protocols for key management and exchange, authentication and integrity implemented using the GNS3 network simulator.
Abstract: Virtual private networks (VPN) are used by remote clients to securely connect to company networks. This paper deals with site-to-site IPsec-VPN that connects the company intranets. The IPsec-VPN network is implemented with security protocols for key management and exchange, authentication and integrity, which are implemented using the GNS3 network simulator. The testing, verification and analysis of data packets of the network is done using both the PING tool and Wireshark.

Proceedings ArticleDOI
01 Mar 2017
TL;DR: An experimental lab setup in which the IEC6180 standard is applied for substation communication is presented, and designing the substation LAN with the Parallel Redundancy Protocol and programming a proxy server supporting Transport Layer Security are proposed for reliability and security of the substation data network, respectively.
Abstract: Substation automation systems provide a high level of automation for both the substation and the distribution network. Communication in modern substation automation systems is based on Ethernet, TCP/IP and interoperable protocols within a standard network infrastructure. Communication security and reliability have become important and must be considered to ensure correct operation of substation automation systems. This paper presents an experimental lab setup in which the IEC6180 standard is applied for substation communication. Designing the substation LAN with the Parallel Redundancy Protocol and programming a proxy server supporting Transport Layer Security are proposed for reliability and security of the substation data network, respectively. Also, substation remote communication security is evaluated by testing two communication standards (IEC60870-5-104 and OPC UA) and two types of VPN: PPTP and IPsec. Test results are compared and the most secure solution is proposed. Securing remote communication assures reliable operation of the substation in the distribution network.

Patent
06 Jul 2017
TL;DR: In this paper, the authors describe a method of managing and enforcing quality of service (QoS) in an Internet-based overlay network shared by a set of content provider customer entities.
Abstract: The techniques herein provide for enhanced overlay network-based transport of traffic, such as IPsec traffic, e.g., to and from customer branch office locations, facilitated through the use of the Internet-based overlay routing infrastructure. This disclosure in particular describes a method of managing and enforcing quality-of-service (QoS) in an Internet-based overlay network shared by a set of content provider customer entities. For each entity having a customer branch, the customer branch is coupled to the Internet-based overlay routing network. A quality-of-service (QoS) policy is configured for the customer. According to the method, utilization of the Internet-based overlay network against the configured QoS policy is then monitored. The QoS is then enforced for the customer and at least one other customer, based in part on the QoS policies.

Patent
04 May 2017
TL;DR: In this article, the authors describe an approach that specifies virtual addresses instead of actual transport layer IP addresses as the basis for a secure tunnel's security association; suitable network appliances then intercept and modify packets in order to map between the virtual addresses and the actual addresses.
Abstract: Instead of specifying actual transport layer IP addresses as a basis for a secure tunnel's security association, an approach described herein specifies virtual addresses. Then suitable network appliances intercept and modify packets in order to map between the virtual addresses and actual addresses. The virtual addresses satisfy IPsec or another authentication procedure that checks packets using the security association. The actual addresses are used by transport layer protocols. This overlay approach permits a session to failover from one network connection to another without requiring restoration of the session in a newly created secure tunnel after one of the network interfaces becomes unavailable, thereby obsoleting the security association based in part on the IP address of the now unavailable interface. This innovative approach also allows the use of parallel paths and the use of one-to-many or many-to-one path topologies, which would otherwise not be permitted.

Book ChapterDOI
21 Aug 2017
TL;DR: This paper proposes a design which utilizes IPsec in SDN fashion by separating IKE and packet encryption, and experimental results show that high-availability and scalability goals are reached and per-client throughput is increased.
Abstract: Currently, IPsec performance in high-speed networks is problematic. Traditionally, the connections are established between multifunction network devices which are typically already inefficient at 10 Gbps packet delivery and have neither high-availability nor scalability features. In Software-Defined Networking, packets only travel through the desired dedicated networking devices. However, few high-speed stand-alone IPsec solutions exist that can be hooked up with the SDN. In this paper we propose a design which utilizes IPsec in SDN fashion by separating IKE and packet encryption. Experimental results show that high-availability and scalability goals are reached and per-client throughput is increased. The IPsec protocol suite can thus meet the ongoing need for a faster packet processing rate.