Initial connection setup. Adding subflow setup. Three-way handshake with MP_CAPABLE Exchange 64 bit key(key-a, Key-B)

Similar documents
Internet Engineering Task Force Internet-Draft Obsoletes: 6824 (if approved)

Securing MultiPath TCP: Design & Implementation

MPTCP: Design and Deployment. Day 11

Transport Level Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Making Multipath TCP friendlier to Load Balancers and Anycast

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Internet Engineering Task Force (IETF) Request for Comments: 7430 Category: Informational. F. Gont SI6 Networks / UTN-FRH O. Bonaventure.

(2½ hours) Total Marks: 75

The case for ubiquitous transport-level encryption

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

CSCE 715: Network Systems Security

Securing IoT applications with Mbed TLS Hannes Tschofenig Arm Limited

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Network Security. Thierry Sans

Real-time protocol. Chapter 16: Real-Time Communication Security

PROTECTING CONVERSATIONS

0-RTT TCP Convert Protocol

MultiPath TCP : Linux Kernel implementation

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Chapter 4: Securing TCP connections

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

Improving Multipath TCP. PhD Thesis - Christoph Paasch

Securing Internet Communication: TLS

Chapter 8 Web Security

WAP Security. Helsinki University of Technology S Security of Communication Protocols

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Concrete cryptographic security in F*

Multipath Transport for Virtual Private Networks

Overview. SSL Cryptography Overview CHAPTER 1

OpenSSH. 24th February ASBL CSRRT-LU (Computer Security Research and Response Team Luxembourg) 1 / 12

Multipath TCP Congestion Control

Displaying SSL Configuration Information and Statistics

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

CS November 2018

IPSec. Slides by Vitaly Shmatikov UT Austin. slide 1

Cryptography and secure channel. May 17, Networks and Security. Thibault Debatty. Outline. Cryptography. Public-key encryption

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ

Data Security and Privacy. Topic 14: Authentication and Key Establishment

CMSC 414 S09 Exam 2 Page 1 of 6 Name:

Firewalls, Tunnels, and Network Intrusion Detection

CS 494/594 Computer and Network Security

Digital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)

A proposal for MPTCP Robust session Establishment (MPTCP RobE) enable full multipath capability for MPTCP Markus Amend, Eckard Bogenfeld, Andreas

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

Security Handshake Pitfalls

David Wetherall, with some slides from Radia Perlman s security lectures.

Computer Security. 12. Firewalls & VPNs. Paul Krzyzanowski. Rutgers University. Spring 2018

CSCE 813 Internet Security Final Exam Preview

ARP, IP, TCP, UDP. CS 166: Introduction to Computer Systems Security 4/7/18 ARP, IP, TCP, UDP 1

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Prof. Shervin Shirmohammadi SITE, University of Ottawa. Security Architecture. Lecture 13: Prof. Shervin Shirmohammadi CEG

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

CSE/EE 461 Lecture 13 Connections and Fragmentation. TCP Connection Management

Technological foundation

CS 393 Network Security. Nasir Memon Polytechnic University Module 12 SSL

CSC 6575: Internet Security Fall 2017

Exploring Alternative Routes Using Multipath TCP

Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.

interface Question 1. a) Applications nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer

Security Handshake Pitfalls

Network Security Chapter 8

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

HOST Authentication Overview ECE 525

IPSec Transform Set Configuration Mode Commands

Communications Software. CSE 123b. CSE 123b. Spring Lecture 10: Mobile Networking. Stefan Savage

Quick announcement. CSE 123b Communications Software. Last class. Today s issues. The Mobility Problem. Problems. Spring 2003

Summary on Crypto Primitives and Protocols

14. Internet Security (J. Kurose)

Transport Layer Security

A SIMPLE INTRODUCTION TO TOR

Protocol Comparisons: OpenSSH, SSL/TLS (AT-TLS), IPSec

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Transport Layer Review

Implementing Cryptography: Good Theory vs. Bad Practice

CONTENTS. vii. Chapter 1 TCP/IP Overview 1. Chapter 2 Symmetric-Key Cryptography 33. Acknowledgements

CSC/ECE 774 Advanced Network Security

8. Network Layer Contents

Internet Protocol and Transmission Control Protocol

Introduction and Overview. Why CSCI 454/554?

CSE 123A Computer Netwrking

Outline. What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack

Washington State University CptS 455 Sample Final Exam (corrected 12/11/2011 to say open notes) A B C

Lecture 1 Applied Cryptography (Part 1)

Key Management and Distribution

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

The Secure Shell (SSH) Protocol

Multipath TCP. Decoupled from IP, TCP is at last able to support multihomed hosts

Securing Internet Communication

Internet security and privacy

Authenticated Encryption in TLS

CSE 127: Computer Security Cryptography. Kirill Levchenko

Cryptography and Network Security

Proving who you are. Passwords and TLS

IPSec Transform Set Configuration Mode Commands

Transcription:

- 2 - Despite the short history, Multipath TCP(MPTCP) prevails drastically As MPTCP was deployed, security concerns increase There have been multiple attempts at verifications to security of MPTCP Initial eavesdropper breaches the primary security goal of MPTCP We need new solution for initial eavesdropper! LTE-A 300 Mbps GIGA LTE GIGA WIFI 867 Mbps GIGA LTE 1.17 Gbps

- 3 - Address A1 Host A Address A2 Host B Address B1 Initial connection setup Three-way handshake with MP_CAPABLE Exchange 64 bit key(key-a, Key-B) SYN + MP_CAPABLE(Key-A) SYN/ACK + MP_CAPABLE(Key-B) ACK + MP_CAPABLE(Key-A, Key-B) Adding subflow setup Three-way handshake with MP_JOIN Authentication through Token and HMAC Token : most significant 32 bits of SHA1 output with Key-B as a message of hash SYN + MP_JOIN(Token-B, R-A) SYN/ACK + MP_JOIN(Auth-B, R-B) ACK + MP_JOIN(Auth-A)

- 4 - Initial connected host should be a intended host If other host? TCP Session hijacking, not MPTCP problem This assumption is good for using weak authentication Weak authentication verify that corresponding host is the one who was in initial handshake Weak authentication cannot guarantee corresponding host s identity There are no CAs or trusted third parties

- 5 - Eavesdropper in the Initial Handshake(EitIH) Has ability to eavesdrop shared keys in initial connection setup Shared keys transmit in plaintext Related Solutions Hash Chains MPTCP-SSL(MPTLS) TLS over the TCP Tcpcrypt(SMPTCP) RSA Diffie-Hellman Exchange through four additional packets after initial handshake Encrypt IP datagram

- 6 - MPTLS makes shared key using TLS MPTLS needs TLS handshake Inherit the overhead of TLS Additional one-way message delay At least, four one-way delay for TLS Host A Address A1 Address A2 SYN + MP_CAPABLE SYN/ACK + MP_CAPABLE ACK + MP_CAPABLE Host B Address B1 Make TLS session to make shared key SYN + MP_JOIN(Token-B, R-A) SYN/ACK + MP_JOIN(Auth-B, R-B) ACK + MP_JOIN(Auth-A)

- 7 - SMPTCP uses Tcpcrypt Tcpcrypt is low-overhead asymmetric key exchange protocol using TCP option To reduce the overhead for TLS handshake SMPTCP still has overhead Combine two protocol, double option header One additional one-way delay Host A Host B Address A1 Address A2 Address B1 SYN + MP_CAPABLE + Crypt/Hello SYN/ACK + MP_CAPABLE + Crypt/PKconf ACK + Crypt/INIT + Crypto parameters in payload Crypt/INIT + Crypto parameters SYN + MP_JOIN(Token-B, R-A) SYN/ACK + MP_JOIN(Auth-B, R-B) ACK + MP_JOIN(Auth-A)

- 8 - Each host makes hash-chain H-0(A), H-1(A),, H-n(A) H-0(B), H-1(B),, H-n(B) H-n-1 = Hash (H-n) Reveal in reverse order Based on one-way property of hash Weak authentication Host A Address A1 Address A2 SYN + MP_CAPABLE(H-0(A)) SYN/ACK + MP_CAPABLE(H-0(B)) ACK + MP_CAPABLE SYN + MP_JOIN(H-1(A)) SYN/ACK + MP_JOIN(H-1(B)) ACK Host B Address B1

- 9 - In asymmetric manners, overhead is too big Large space for TLS handshake or tcpcrypt Additional one-way message delays In other methods, security is not enough We need more efficient and more secure protocol!

- 10 - Only guarantee integrity of initial handshake NOT provide confidentiality Eavesdropper does not modify the connection Eavesdropper can get every information to bypass authentication Solution : Asymmetric key exchange! If we can guarantee the corresponding host

- 11 - MPTCP uses TCP option for compatibility to previous system TCP header length has maximum length of 60 bytes Except for basic header(20 byte), only for option? Maximum 40 byte Except for option header(8 byte), only 32 bytes are available Solution : Parameter Minimizing(optimizing)! To squeeze public parameters into a limited space

- 12 - In internet nature, there are a lot of short connection Short connection : TCP connection which has short lifetime Short connections do not need subflows Data are already sent through initial connection Establishing and terminating subflows cause the degrade of total throughput Solution : Delayed initiation In case of short connection, MPTCP does not make subflows

- 13 - Use asymmetric key exchange To block eavesdropper Minimize public parameters Limit algorithm and key size Minimize overhead for Initial handshake Can not distinguish which protocols will be used Reduce overhead for short connection Host A Host B Address A1 Address A2 Address B1 SYN + MP_CAPABLE(A s x point) ACK + MP_CAPABLE(B s x point) SYN + MP_CAPABLE(A s y point) ACK + MP_CAPABLE(B s y point) SYN + MP_JOIN(Token-B, HMAC-Token, Address ID, R-A) SYN/ACK + MP_JOIN(Auth-B, R-B) ACK + MP_JOIN(Auth-A)

- 14 - Valid token in SYN+MP_JOIN makes the host turn into a receiving state Token reuses in same MPTCP session Eavesdrop once, reuse until the end of session Or, just guessing. It is only 32-bit Limited number of half-open state Use different five tuple Host A Host B Address A1 Address A2 Address B1 SYN + MP_CAPABLE(A s x point) ACK + MP_CAPABLE(B s x point) SYN + MP_CAPABLE(A s y point) ACK + MP_CAPABLE(B s y point) SYN + MP_JOIN(Token-B, HMAC-Token, Address ID, R-A) SYN/ACK + MP_JOIN(Auth-B, R-B) ACK + MP_JOIN(Auth-A)

- 15 - Hosts may want to advertise their address When host could not initiate the connection due to the middleboxes Address advertisement Host A sends ADD_ADDR option with residue addresses(a2) Host B initiates subflow handshake to A2 Finish subflow handshake Host A Host B Address A1 Address A2 Address B1 Initial Connection Setup ADD_ADDR(Address A2, Address ID) SYN + MP_JOIN(Token-A, R-B) SYN/ACK + MP_JOIN(Auth-A, R-A) ACK + MP_JOIN(Auth-B)

- 16 - Attacker sends fake ADD_ADDR Host B sends Token-A, HMAC to Attacker DoS Attack on MP_JOIN Attacker knows the valid token Host A Darth Address A1 Address A2 Address D1 Initial Connection Setup Host B Address B1 MPTCP v1 modifies ADD_ADDR ADD_ADDR includes HMAC However, EitIH knows the key for MAC Fake ADD_ADDR(Address D1, Address ID) DoS Attack on MP_JOIN(Token-A) SYN + MP_JOIN(Token-A, R-B)

- 17 - Asymmetric key exchange makes shared key without key exposure Symmetric key exchange reveals shared key Using the shared key, data encryption is possible Two use cases of shared key Only for authentication Datagram encryption

- 18 -

- 19 - Deliverable Three design consideration Secure Design for EitIH model Discussion Scalability Issue - Limited algorithm and key size Empirical evaluation Omitted computation overhead Future Work Real kernel implementation

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback