secure services

Upload: emadeldinezzat

Post on 02-Jun-2018


  • 8/10/2019 Secure Services

    1/22

    T-110.7190 Research Seminar on telecom software/29.11.2005/LB

    HIP Secure Service Discovery

    Leo Bhebhe

    Helsinki University of Technology, Department of Computer Science

    [email protected]@[email protected]@nokia.com


    CONTENTS

    Introduction

    Services

    Service Discovery System

    Service Discovery Protocols

    Service Discovery mechanism

    Security Concerns

    Host Identity Protocol

    Name Resolution

    Secure-i3

    HI3

    Shortcoming of HIP

    Conclusion


    Introduction

    What is a service?

    A service is a component or application that performs work on behalf of a requesting application or client


    Services

    Offered by networks in distributed systems, e.g. those offered by printers, copiers, scanners, fax machines

    Internet service providers, e.g. conversational (e.g. voice over IP), streaming (video + music), interactive (e.g. gaming), background (e.g. e-mail delivery)

    Information services: nearest Pizza Hut, weather forecast, today's flight schedule

    Transport services in case of emergency (e.g. car breakdown, lost in the wild, coast guard help, taxi)

    Payment services

    Etc.


    Service Discovery System

    Allow users and their devices to discover services over any specific underlying networking technology (e.g., cellular systems, wireless local area networks, DSL)

    Independent of the underlying networking technologies so that it can support heterogeneous and changing network technologies.

    Not be limited to only the traditional client-server based systems.

    May be realized using peer-to-peer technologies or a combination of client-server and peer-to-peer technologies


    SDPs & Security Features Solutions

    Protocols compared: SLPv2, Jini, UPnP, Salutation, Bluetooth

    Message Encryption: Symmetric (SSL/TLS); Symmetric

    Key Exchange: Asymmetric (SSL/TLS); Plain text

    Authorization: Digital signatures; X.509; Password

    e.g. UPnP, SLP are built on top of the TCP/IP protocol stack


    UPnP

    Adding a waist to the protocol may give it some basic security

    [Figure: two protocol stacks. First stack: Physical, Link (Ethernet, PPP), Network (IP), Transport (TCP, UDP), Application (HTTP, SMTP), with UPnP shown as HTTP (extension), UPnP API, Application. Second stack: UPnP over the same Physical, Link, Network, Transport and Application layers, with a Host Identity layer added.]

    e.g. UPnP, SLP are built on top of the TCP/IP protocol stack


    Service Discovery Mechanism

    Knowledge of services

    Search for services involves two steps

    DNS name resolution of end host

    Contacting the host directly for data/service

    Concern

    DNS resolution time (typical resolution time O(log n))

    Security: data integrity, i.e. no one else can change the resolution of an entity's name; DoS

    Retrieval of data and service [Registration & authentication]

    Secure data transmission or service provision


    Security

    The discovery function is a source of security concern

    Security is an integral part of service discovery

    Denial of service attacks (DOS) or distributed Denial of service attacks (DDOS)

    Confidentiality and integrity in service discovery are primary for communication security

    Security needs will vary from application to application


    Host Identity Protocol

    New cryptographic identifiers

    Host Identities (public key of an asymmetric key pair)

    Host Identity Tags (128 bits) - A hash of the HI

    IP addresses as locators

    An authentication and key exchange protocol

    IPsec ESP transport mode for data traffic security.


    Bindings in the current and new architecture

    Naming endpoints with HIs provides natural solutions for mobility and multipoint

    If an endpoint identified by HI[i] changes its IP address, the host identity layer on the peer of the endpoint will re-resolve HI[i] to find a new IP address.


    HIP Base Exchange

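    Initiator -> Responder  I1: trigger exchange [HIT_I, HIT_R]

    Responder -> Initiator  R1: HIT_R, HIT_I, puzzle, DH_R, PK_R, Sig

    Initiator -> Responder  I2: HIT_I, HIT_R, SPI_I, solution, DH_I, {PK_I}, Sig

    Responder -> Initiator  R2: HIT_R, HIT_I, SPI_R, Sig

    Initiator <-> Responder  ESP protected message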
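
    Added example, not from the original slides: the puzzle carried in R1 and its solution in I2 are what keep the responder cheap when it is flooded with I1 messages. The sketch assumes SHA-256, a HIT simplified to a truncated hash of the HI, and a puzzle modelled on HIP's (the K low-order bits of a hash over I, both HITs and J must be zero); all function names and key bytes are constructed for illustration.

```python
import hashlib

def hit_from_hi(host_identity: bytes) -> bytes:
    """128-bit tag as a truncated SHA-256 of the HI (public key bytes).
    Simplification: deployed HIP wraps the hash in a fixed-prefix format."""
    return hashlib.sha256(host_identity).digest()[:16]

def puzzle_ok(i: bytes, k: int, hit_i: bytes, hit_r: bytes, j: int) -> bool:
    """Responder side: a single hash checks that the K low-order bits are zero."""
    digest = hashlib.sha256(i + hit_i + hit_r + j.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1) == 0

def solve_puzzle(i: bytes, k: int, hit_i: bytes, hit_r: bytes) -> tuple:
    """Initiator side: brute-force J; expected cost is about 2**k hashes."""
    j = 0
    while not puzzle_ok(i, k, hit_i, hit_r, j):
        j += 1
    return j, j + 1  # (solution, hashes spent)

def responder_handle_i2(i: bytes, k: int, hit_i: bytes, hit_r: bytes, j: int) -> str:
    """Responder spends DH and signature work only after the puzzle passes."""
    if not puzzle_ok(i, k, hit_i, hit_r, j):
        return "drop"
    return "verify-signature-and-send-R2"

# Constructed sample values (not real keys).
HI_INITIATOR = b"constructed-initiator-public-key"
HI_RESPONDER = b"constructed-responder-public-key"
PUZZLE_I = bytes(8)  # random per R1 in practice; fixed here for repeatability
PUZZLE_K = 12        # difficulty: the responder can raise K under load

def run_exchange():
    """Derive both HITs, then solve the R1 puzzle as the initiator would."""
    hit_i, hit_r = hit_from_hi(HI_INITIATOR), hit_from_hi(HI_RESPONDER)
    j, cost = solve_puzzle(PUZZLE_I, PUZZLE_K, hit_i, hit_r)
    return hit_i, hit_r, j, cost

if __name__ == "__main__":
    hit_i, hit_r, j, cost = run_exchange()
    print("HIT_I", hit_i.hex(), "HIT_R", hit_r.hex())
    print("solution J =", j, "after", cost, "hashes; responder verifies with 1")
    print("I2 ->", responder_handle_i2(PUZZLE_I, PUZZLE_K, hit_i, hit_r, j))
```

    Each extra bit of K doubles the initiator's expected work while the responder's check stays at one hash.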


    Name Resolution

    [Figure: name resolution path through Application, Resolver, DNS, Socket layer, Transport, HIP, IPSec and Network, with steps 1 to 6 and the label "ED [HI, Address]".]

    HIs in the DNS

    DNS query asks for addresses and HITs

    Requires one to have a DNS name

    HITs not resolvable due to name space being flat

    DNS resolution time

    Possible DoS attacks (knowledge of DNS IP address)


    HIP With Rendezvous Server

    Mappings are registered at the DNS

    Update of IP(R) at RVS, if IP(R) changes

    [Figure: Initiator, Receiver, RVS and DNS. Mappings shown: FQDN(R) -> HI(R); FQDN(R) -> IP(RVS); HI(R) -> IP(R).]

    1. Query FQDN(R)

    2. HI(R), IP(RVS)

    3. I1 to IP(RVS)

    4. I1 to IP(R)

    5. R1

    6. I2 to IP(R)

    7. R2


    Secure Internet Indirection Infrastructure (i3)

    Add an efficient indirection layer on top of IP

    Use an overlay network to implement it

    Incrementally deployable; no need to change IP

    When the initiator acquires an ID from DNS, it sends the packets with the ID to the closest i3 node.

    The i3 node searches for the particular trigger (id, addr) and sends the packets to the receiver

    [Figure: initiator, receiver, IP routers and i3 nodes. Data packet: (ID, DATA). Trigger: (ID, ADDR), where ADDR = IP or [email protected].]


    DOS Prevention Mechanism (Secure-i3)

    1. Send (pubid, data) to i3 server storing public key

    2. i3 server storing public key sends (privid, data) to i3 server storing the private id

    3. i3 server storing the private id sends (R, data) to the receiver R

    4. Receiver sends back to i3 server storing the private id (S, data) + privid

    5. i3 server storing the private id sends to sender (S, data) + privid

    6. The initiator then sends (privid, data) to i3 server storing the private id

    7. i3 server storing the private id then forwards (R, data) to receiver

    [Figure: IP routers and i3 nodes. The i3 server storing the public id holds the trigger (pubid, privid); the i3 server storing the private id holds the trigger (privid, R).]


    Host Internet Indirection Infrastructure (HI3)

    [Figure: HI3 message flow between Initiator, Receiver, DNS, the i3 server storing public triggers and the i3 server storing private triggers. Mappings shown: FQDN(R) -> HI(R); FQDN(R) -> IP(RVS). Steps: 1. Query FQDN(R); 2. HIT, Address; 3. I1; 4. R1 [private trigger]; 5. I2; 6. R2; followed by IPsec data traffic.]

    In HI3, the HIT can act as a trigger.


    Problems with NATs

    IPv6 and IPv4 using IP payload do not work with current (multiplexing) NATs

    NATs do create state for TCP/UDP ports and ICMP codes

    They need to be extended to do the same for HITs

    Would work well with non-multiplexing (IPv6) NATs

    IPv4 over UDP works, but not if source port is fixed (to 272)

    Firewalls and NATs block applications that choose port numbers dynamically

    Solution

    UDP encapsulation (some Firewalls block UDP)

    Intercept the flow id during Initial stages


    HI3 aware NAT/FWs

    HI3 aware NAT/FWs are needed to support simultaneous mobility

    Secure Trigger Insertion mechanism

    Intercept the flow identifier during base exchange

    Authenticate requesting HI3 nodes before creating a NAT binding or FW pinhole

    Authorize the requesting HI3 nodes

    DoS attack resistance


    QoS

    Service ability aims at explaining how well to serve a customer

    Service discovery mechanisms lack the ability to discover and negotiate the QoS services supported by devices or required by users

    QoS service verification

    Users' experience

    Your friends' knowledge

    Resolution service providers

    Form a competitive economic model, a cooperating market much like ISPs

    Incentives would come from how well they processed their customers


    Conclusion

    The Host Identity Protocol (HIP) uses cryptographic host identities to provide secure and efficient end-to-end communication without requiring a distributed key authority. However, HIP can be vulnerable to attacks and requires some infrastructures like secure-i3 and HI3 aware NAT/FWs to support a secure service discovery.

    For HIP to be used for dynamic service discovery in a heterogeneous network, a lot of protocols need to be changed to support HIP, and terminals, just like the heterogeneous networks, need to be HIP aware.

    It's possible to implement, but requires joint forces from all governments to make this happen and, as usual, a good business case should substantiate the need.

    Currently HIP is undergoing tests and specification and it's too early to think about its deployment.

    However, the HI3 infrastructure looks promising as compared to the current Internet. However, functionalities like multicast, anycast and service composition are still an issue and need further work.