10/08/2002 ECE697J Fall '02, Active Network 1
Strong Security for Active Networks
S. Murphy, E. Lewis, R. Puga, R. Watson and R. Yee
Presenter: Jianhong Xia
10/08/2002

How Strong Security Is
- End-End authentication and integrity protection
- Authorization information carried by active packet itself.
  - Enforcement of each node’s authorization policy
  - End user controls over access of its own state
  - Node policy takes precedence over active code policy

Outline
- Background
- Security Requirements
- Trust Model/Challenges
- SANTS
  - Components
  - Authentication
  - Authorization
- Security Architecture
- Conclusion

Active Networks Security
[Figure labels: Active Packet, Active Network Node, New Active Packet]
--- from S. Murphy’s slides

Background
- Features of Active Network
  - Rapid deployment of new network services
  - Complex computations to be performed on packets
- But, Security Concerns
  - Network operators
  - End users

Active Networks Node Architecture
[Figure labels: In-channels, Out-channels, Persistent store, NodeOS, Execution Environments (EE1, EE2), Active Applications]
--- from S. Murphy’s slides

Security Requirements
- Need to protect
  - End users, Active Node, EE, Active Code/Domain
- End User’s security concerns
  - authenticity, integrity and confidentiality
- Active Node/EE’s security concerns
  - authorization of use of its services and resources
  - integrity and confidentiality of its own state
- Active Code’s security concerns
  - access to its services and sharable persistent states

Trust Model --- End User Viewpoint
- Would rather not trust active nodes, EEs and other active codes
- So, End-End Cryptographic protections
  - Protect its own data from active node and EE
  - But limit the network services in active node
- Expected Features
  - Enable end users to choose trusted nodes/EEs
  - Avoid transmitting the packet to untrusted nodes/EEs

Trust Model --- Node Viewpoint
- Would rather not trust EEs, active codes, arriving packets
- Control over the allocation of resources and privileges to an EE’s domain
- Balance the trust it holds in an EE
- Control the threat from active code
- Countering clogging attacks from arriving packets is another research area.

Trust Model --- EE Viewpoint
- Would rather not trust active codes and arriving packets
- Control the threat from active codes
- Rely on the node to enforce the EE’s policy governing acceptance of arriving packets

Trust Model --- Active Code Viewpoint
- Would rather not trust Active node, EEs and other active codes
- Active code must trust the nodes and EEs on/in which it executes
- Avoid those it does not trust
- Enforce its policy to avoid potential attacks from other active codes

Protection Techniques
- Two Approaches
  - Language based
    - Limit the possible actions of programs
    - Low cost technique with a large payoff
  - Authorization based
    - Associate a principal with each request for an action
    - Enforce a policy that states which principals are permitted to perform which actions

Authentication Challenges
- Identification of the principal itself in active networks
  - Multiple and varying principal identities or attributes
- Choice of an authentication mechanism
  - Hop-Hop protections
  - Symmetric/Asymmetric techniques

SANTS
- Security ANTS
- Prototype a secure active network
  - Authorization enforcement
    - nodes, EEs and active code
  - Integrity protection
    - packets
  - Distributed authentication mechanism
    - Retrieval of identities and attributes
    - Dynamic assignment of attributes

Components
- Authentication
  - X.509v3 certificates
  - DNSSEC
  - Java Crypto API
  - KeyNote policy system
- Authorization
  - Java 2 security features, class loader
  - A separation between EE and Node Classes
  - A shared data capability, Bulletin Board

Authentication
- Hop-Hop
  - HMAC-SHA1 integrity protection
- End-End
  - Digital signature for authentication and integrity protection

Authentication Issues
[Figure: packet layouts]
- General Crypto Protected Packet: header, payload, identity protection
- SANTS Protected Packet: header, static (code & data), variable data, credential(s), digital signature, hop-hop integrity

SANTS Authentication
- Strong End-End Authentication
  - Digital Signatures
  - Protection applies to static areas only
- Hop-Hop Integrity
  - HMAC-SHA1
  - Protection Applies to entire packet
- Distributed Security Infrastructure
  - X.509 Certificates stored in DNS CERT records
  - Access uses DNSSEC
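
An added example (not code from the slides or from SANTS) of the two protection scopes listed above, written in Java because SANTS builds on the Java Crypto API. The SHA256withRSA signature, the per-link keys, the length-prefixed field encoding and all field contents are assumptions made for illustration; the credential(s) field is left out.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SantsPacketDemo {
    static byte[] b(String s) { return s.getBytes(StandardCharsets.UTF_8); }
    // Hop-hop tag: HMAC-SHA1 over the entire packet, keyed with a per-link secret.
    static byte[] hopTag(byte[] linkKey, byte[]... fields) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(linkKey, "HmacSHA1"));
        for (byte[] f : fields) {
            mac.update(new byte[] {(byte) (f.length >>> 8), (byte) f.length}); // length prefix
            mac.update(f);
        }
        return mac.doFinal();
    }
    // End-end check: the sender's signature covers the static area only.
    static boolean endToEndOk(PublicKey pub, byte[] staticArea, byte[] sig) throws GeneralSecurityException {
        Signature v = Signature.getInstance("SHA256withRSA"); // algorithm is an assumption
        v.initVerify(pub);
        v.update(staticArea);
        return v.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair sender = kpg.generateKeyPair();
        byte[] linkA = b("constructed key: sender-node1"), linkB = b("constructed key: node1-node2");
        // Sender: sign the static area, then tag the whole packet for the first hop.
        byte[] staticArea = b("code+data (constructed)"), variable = b("hops=0");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(sender.getPrivate());
        s.update(staticArea);
        byte[] sig = s.sign();
        byte[] tagA = hopTag(linkA, staticArea, variable, sig);
        // Node 1: verify the hop tag, rewrite variable data, re-tag for the next hop.
        boolean hop1 = MessageDigest.isEqual(tagA, hopTag(linkA, staticArea, variable, sig));
        variable = b("hops=1");
        byte[] tagB = hopTag(linkB, staticArea, variable, sig);
        // Node 2: both checks pass although variable data changed in transit.
        boolean hop2 = MessageDigest.isEqual(tagB, hopTag(linkB, staticArea, variable, sig));
        boolean e2e = endToEndOk(sender.getPublic(), staticArea, sig);
        // An altered static area fails the end-end check even if a node re-tags the hop.
        boolean altered = endToEndOk(sender.getPublic(), b("code+data (altered)"), sig);
        System.out.println("hop1=" + hop1 + " hop2=" + hop2 + " end-end=" + e2e + " altered=" + altered);
    }
}
```

Variable data is covered only by the hop-hop tag, so any node holding a link key can change it without the change being detectable end to end.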

SANTS Authorization
- Authorization Control at the NodeOS Level
  - Policy Manager in the NodeOS
  - Policy manager exposed
    - To EE
    - To Active Packet
- Authorization Based on Security Attributes
  - Carried in X.509 Certificates

Bulletin Board
- Active packets travel through the network, encountering different administrations with their own policies.
- EE provides a Bulletin Board shared data service to incoming active code.

Security Architecture
- Includes:
  - Naming
  - Packet Format
  - Policy Language
  - Security Support System
  - Enforcement Architecture

Security Architecture
- Components should be placed in NodeOS
- Domain creation NodeOS call must include an authentication policy and an access control policy.

Security Processing in NodeOS
- Receive packet
- Verify hop-hop integrity
- Assign packet to existing domain
- Extract credential list
- Check credentials authenticity according to authentication policy for the domain
- Check credentials against access control policy for domain
- Deliver entire packet to the domain, including the credentials, authentication protection fields, etc

Security processing in the EE
- Receive a packet including credentials
- Create a sub-domain, providing
  - security context parameters
  - access control and authentication policies
- Modify
  - access control policy, authentication policy
  - security context
- Add or remove cryptographic protections to user data

Conclusion
- SANTS does provide strong security
  - Fine Grained Authorization
  - Strong End-End Authentication
  - Dynamic Policies
- Too complicated; is it worth applying?