Post on 22-Aug-2020
10/08/2002 ECE697J Fall '02, Active Network 1
Strong Security for Active NetworksStrong Security for Active Networks
S. Murphy, E. Lewis, R. Puga, R. Watson and R. Yee
Presenter: Jianhong Xia10/08/2002
10/08/2002 ECE697J Fall '02, Active Network 2
How Strong Security IsHow Strong Security IsÜ End-End authentication and integrity
protectionÜ Authorization information carried by active
packet itself.Enforcement of each node’s authorization policy End user controls over access of its own stateNode policy takes precedence over active code policy
10/08/2002 ECE697J Fall '02, Active Network 3
OutlineOutlineÜ BackgroundÜ Security RequirementsÜ Trust Model/ChallengesÜ SANTS
ComponentsAuthenticationAuthorization
Ü Security ArchitectureÜ Conclusion
10/08/2002 ECE697J Fall '02, Active Network 4
Active Networks SecurityActive Networks Security
Active Packet New Active Packet
Active Network Node
--- from S. Murphy’s slides
10/08/2002 ECE697J Fall '02, Active Network 5
BackgroundBackgroundÜ Features of Active Network
Rapid deployment of new network servicesComplex computations to be performed on packets
Ü But, Security ConcernsNetwork operatorsEnd users
10/08/2002 ECE697J Fall '02, Active Network 6
Active Networks Node ArchitectureActive Networks Node Architecture
In-channels Out-channels Persistent store
NodeOS
EE1 EE2ExecutionEnvironments
ActiveApplications
--- from S. Murphy’s slides
10/08/2002 ECE697J Fall '02, Active Network 7
Security RequirementsSecurity RequirementsÜ Need to protect
End users, Active Node, EE, Active Code/DomainÜ End User’s security concerns
authenticity, integrity and confidentialityÜ Active Node/EE’s security concerns
authorization of use of its services and resourcesintegrity and confidentiality of its own state
Ü Active Code’s security concernsaccess to its services and sharable persistent states
10/08/2002 ECE697J Fall '02, Active Network 8
Trust Model --- End User ViewpointTrust Model --- End User Viewpoint
ÜWould rather not trust active nodes, EEsand other active codes
Ü So, End-End Cryptographic protectionsProtect its own data from active node and EEBut limit the network services in active node
Ü Expected FeaturesEnable end users to choose trusted nodes/EEsAvoid transmitting the packet to untrusted nodes/EEs
10/08/2002 ECE697J Fall '02, Active Network 9
Trust Model --- Node ViewpointTrust Model --- Node Viewpoint
ÜWould rather not trust EEs, active codes, arriving packets
Ü Control over the allocation of resources and privileges to an EE’s domain
Ü Balance the trust it holds in an EEÜ Control the threat from active code Ü countering clogging attacks from arriving
packets is another research area.
10/08/2002 ECE697J Fall '02, Active Network 10
Trust Model --- EE ViewpointTrust Model --- EE Viewpoint
ÜWould rather not trust active codes and arriving packets
ÜControl the threat from active codesÜRely on the node to enforce the EE’s
policy governing acceptance of arriving packets
10/08/2002 ECE697J Fall '02, Active Network 11
Trust Model --- Active Code ViewpointTrust Model --- Active Code Viewpoint
ÜWould rather not trust Active node,EEs and other active codes
ÜActive code must trust the nodes and EE’s on/in which it executes
ÜAvoid those it does not trustÜEnforce its policy to avoid potential
attacks from other active codes
10/08/2002 ECE697J Fall '02, Active Network 12
Protection TechniquesProtection Techniques
ÜTwo ApproachesLanguage based– Limit the possible actions of programs– Low cost technique with a large payoff
Authorization based– Associate a principal with each request for
an action – Enforce a policy that states which principals
are permitted to perform which actions
10/08/2002 ECE697J Fall '02, Active Network 13
Authentication ChallengesAuthentication Challenges
ÜIdentification of the principal itself in active networks
Multiple and varying principal identities or attributes
ÜChoice of an authentication mechanismHop-Hop protectionsSymmetric/Asymmetric techniques
10/08/2002 ECE697J Fall '02, Active Network 14
SANTSSANTS
ÜSecurity ANTSÜPrototype a secure active network
Authorization enforcement– nodes, EE’s and active code
Integrity protection– packets
Distributed authentication mechanism– Retrieval of identities and attributes– Dynamic assignment of attributes
10/08/2002 ECE697J Fall '02, Active Network 15
ComponentsComponentsÜ Authentication
X.509v3 certificatesDNSSECJava Crypto API KeyNote policy system
Ü AuthorizationJava 2 security features, class loaderA separation between EE and Node ClassesA shared data capability, Bulletin Board
10/08/2002 ECE697J Fall '02, Active Network 16
AuthenticationAuthentication
ÜHop-HopHMAC-SHA1 integrity protection
ÜEnd-EndDigital signature for authentication and integrity protection
10/08/2002 ECE697J Fall '02, Active Network 17
Authentication IssuesAuthentication IssuesGeneral Crypto Protected Packet
SANTS Protected Packet
header static (code & data) variable data credential(s) digital signature
hop-hop integrity
header payloadidentity protection
10/08/2002 ECE697J Fall '02, Active Network 18
SANTS AuthenticationSANTS AuthenticationÜ Strong End-End Authentication
Digital SignaturesProtection applies to static areas only
Ü Hop-Hop IntegrityHMAC-SHA1Protection Applies to entire packet
Ü Distributed Security InfrastructureX.509 Certificates stored in DNS CERT recordsAccess uses DNSSEC
10/08/2002 ECE697J Fall '02, Active Network 19
SANTS AuthorizationSANTS AuthorizationÜ Authorization Control at the NodeOS Level
Policy Manager in the NodeOSPolicy manager exposed
– To EE– To Active Packet
Ü Authorization Based on Security Attributes
Carried in X.509 Certificates
10/08/2002 ECE697J Fall '02, Active Network 20
Bulletin BoardBulletin Board
ÜActive packet travel through the network encountering different administration with their own policies.
ÜEE provides a Bulletin Board shared data service to incoming active code.
10/08/2002 ECE697J Fall '02, Active Network 21
Security ArchitectureSecurity Architecture
ÜIncludes:NamingPacket FormatPolicy LanguageSecurity Support SystemEnforcement Architecture
10/08/2002 ECE697J Fall '02, Active Network 22
Security ArchitectureSecurity Architecture
ÜComponents should be placed inNodeOS
ÜDomain creation NodeOS call must include an authentication policy and an access control policy.
10/08/2002 ECE697J Fall '02, Active Network 23
Security Processing in NodeOSSecurity Processing in NodeOSÜ Receive packetÜ Verify hop-hop integrityÜ Assign packet to existing domainÜ Extract credential listÜ Check credentials authenticity according to
authentication policy for the domainÜ Check credentials against access control policy for
domainÜ Deliver entire packet to the domain, including the
credentials, authentication protection fields, etc
10/08/2002 ECE697J Fall '02, Active Network 24
Security processing in the EESecurity processing in the EEÜ Receive a packet including credentialsÜ Create a sub-domain, providing
security context parameters access control and authentication policies
Ü Modifyaccess control policy, authentication policysecurity context
Ü Add or remove cryptographic protections to user data
10/08/2002 ECE697J Fall '02, Active Network 25
ConclusionConclusion
ÜSANTS does provide strong securityFine Grained AuthorizationStrong End-End AuthenticationDynamic Policies
ÜToo Complicated, is it worthy to apply?