Presentation is loading. Please wait.

Presentation is loading. Please wait.

Customized Network Security Protocols Cristina Nita-Rotaru and Jeffrey Seibert SPONSORED BY DOUBLE-TAKE SOFTWARE (Jan. 2009 - July 2009) Department of.

Similar presentations


Presentation on theme: "Customized Network Security Protocols Cristina Nita-Rotaru and Jeffrey Seibert SPONSORED BY DOUBLE-TAKE SOFTWARE (Jan. 2009 - July 2009) Department of."— Presentation transcript:

1 Customized Network Security Protocols Cristina Nita-Rotaru and Jeffrey Seibert SPONSORED BY DOUBLE-TAKE SOFTWARE (Jan July 2009) Department of Computer Science and CERIAS Purdue University

2 Jeffrey SeibertSERC Fall 2009 Showcase3 Security Goals for Network Protocols  Confidentiality  Authentication  Integrity  Non-repudiation  Access control  Availability  Replay protection A network protocol defines rules: - Syntax (how) - Semantics (what) - Synchronization (when)

3 Jeffrey SeibertSERC Fall 2009 Showcase4 Communication Patterns  Point-to-point  One-to-many  Many-to-one  Many-to-many  Reliable communication  Unreliable communication

4 Jeffrey SeibertSERC Fall 2009 Showcase5 Menu of Secure Protocols  Authentication+integrity+ confidentiality IPSEC: IP routing layer SSL/TLS: transport for reliable communication DTLS: transport for unreliable communication  Kerberos: access control for network services

5 Jeffrey SeibertSERC Fall 2009 Showcase6 The Problem  The available set of secure protocols and the services they provide do not match the security and performance requirements of various applications ``One solution fits all’’ is not good enough

6 Jeffrey SeibertSERC Fall 2009 Showcase7 The Goals of This Project  Identify specific security goals for Double -Take Software protocols  Customize to meet performance and management requirements  Integrate the protocol with their product

7 Jeffrey SeibertSERC Fall 2009 Showcase8 Customizable Features  Key management  Authentication + integrity  Authentication + integrity + confidentiality

8 Jeffrey SeibertSERC Fall 2009 Showcase9  End-to-end secure channel, providing: confidentiality, integrity, authentication, replay protection  Defines how the characteristics of the channel are negotiated: key establishment, encryption cipher, authentication mechanism  Requires reliable end-to-end protocol, so it runs on top of TCP  Several popular open source implementations (www.openssl.org) Overview of TLS

9 Jeffrey SeibertSERC Fall 2009 Showcase10 TLS: Protocol Architecture Authentication, Confidentiality Integrity come as a package

10 Jeffrey SeibertSERC Fall 2009 Showcase11 Our Approach  Leverage TLS to provide a wider menu choice of services and cryptographic algorithms: Integrity only Integrity + authentication Integrity + authentication + confidentiality  Evaluation of cost of each service for all protocol choices

11 Jeffrey SeibertSERC Fall 2009 Showcase12 Why OpenSSL  Long development history  Good performance  Allows immediate support of all cryptographic protocols supported by OpenSSL  For example: Hash: MD5, SHA1, SHA256 Digital signatures: RSA, DSA, ECC Symmetric encryption: 3DES, Blowfish, RC4, AES

12 Jeffrey SeibertSERC Fall 2009 Showcase13  We implemented a new interface based on OpenSSL  Platform: Intel(R) Pentium(R) 4 CPU 3.4 GHz GenuineIntel GNU/Linux  Two computers in a 1Gbps LAN  Evaluate: Throughput Handshake latency Experimental Evaluation Platform

13 Jeffrey SeibertSERC Fall 2009 Showcase14 Integrity-Only

14 Jeffrey SeibertSERC Fall 2009 Showcase15 Confidentiality and Data Integrity:RC4

15 Jeffrey SeibertSERC Fall 2009 Showcase16 Confidentiality and Data Integrity: AES128

16 Jeffrey SeibertSERC Fall 2009 Showcase17 Confidentiality and Data Integrity:AES256

17 Jeffrey SeibertSERC Fall 2009 Showcase18 Confidentiality and Data Integrity: Blowfish

18 Wide Area Network Experiments  Transfer data between hosts at Purdue University and Washington University Purdue University: Intel(R) Pentium(R) 4 CPU 3.4 GHz GenuineIntel GNU/Linux Washington University: Intel(R) Pentium(R) 4 CPU 3.2 GHz GenuineIntel GNU/Linux  Attempt to push as much data as possible over Internet  Evaluate: Throughput Handshake latency Jeffrey SeibertSERC Fall 2009 Showcase19

19 Jeffrey SeibertSERC Fall 2009 Showcase20 Integrity-Only (WAN)

20 Jeffrey SeibertSERC Fall 2009 Showcase21 Confidentiality and Data Integrity:RC4 (WAN)

21 Jeffrey SeibertSERC Fall 2009 Showcase22 Confidentiality and Data Integrity: AES128 (WAN)

22 Jeffrey SeibertSERC Fall 2009 Showcase23 Confidentiality and Data Integrity:AES256 (WAN)

23 Jeffrey SeibertSERC Fall 2009 Showcase24 Confidentiality and Data Integrity: Blowfish (WAN)

24 Jeffrey SeibertSERC Fall 2009 Showcase25 Handshake Protocol

25 Jeffrey SeibertSERC Fall 2009 Showcase26 Handshake Configurations  RSA (1024) Key exchange and message signing are done with RSA  ECDH-ECDSA (161) Key exchange is done with ECDH Message signing is done with ECDSA  ADH (1024) Key exchange is done with DH No message signing is done  DH-DSA (1024) Key exchange is done with DH Message signing is done with DSA

26 Jeffrey SeibertSERC Fall 2009 Showcase27 TLS Handshake

27 Jeffrey SeibertSERC Fall 2009 Showcase28 TLS Handshake (WAN)

28 Jeffrey SeibertSERC Fall 2009 Showcase29 Summary  Security comes at a cost: Complexity Communication cost Computation cost  Trade-offs between performance, security goals, and manageability  Customized secure protocols Leveraging existing protocols Meet performance and management requirements

29 Jeffrey SeibertSERC Fall 2009 Showcase30  We are looking forward to other practical projects where we can contribute our expertise in secure messaging systems (resilient to outsiders and insiders) Replication systems Unicast and multicast routing in wireless networks Group communication systems P2P streaming and multicast overlays


Download ppt "Customized Network Security Protocols Cristina Nita-Rotaru and Jeffrey Seibert SPONSORED BY DOUBLE-TAKE SOFTWARE (Jan. 2009 - July 2009) Department of."

Similar presentations


Ads by Google