10/08/2002 ECE697J Fall '02, Active Network 1

Strong Security for Active NetworksStrong Security for Active Networks

S. Murphy, E. Lewis, R. Puga, R. Watson and R. Yee

Presenter: Jianhong Xia10/08/2002

10/08/2002 ECE697J Fall '02, Active Network 2

How Strong Security IsHow Strong Security IsÜ End-End authentication and integrity

protectionÜ Authorization information carried by active

packet itself.Enforcement of each node’s authorization policy End user controls over access of its own stateNode policy takes precedence over active code policy

10/08/2002 ECE697J Fall '02, Active Network 3

OutlineOutlineÜ BackgroundÜ Security RequirementsÜ Trust Model/ChallengesÜ SANTS

ComponentsAuthenticationAuthorization

Ü Security ArchitectureÜ Conclusion

10/08/2002 ECE697J Fall '02, Active Network 4

Active Networks SecurityActive Networks Security

Active Packet New Active Packet

Active Network Node

--- from S. Murphy’s slides

10/08/2002 ECE697J Fall '02, Active Network 5

BackgroundBackgroundÜ Features of Active Network

Rapid deployment of new network servicesComplex computations to be performed on packets

Ü But, Security ConcernsNetwork operatorsEnd users

10/08/2002 ECE697J Fall '02, Active Network 6

Active Networks Node ArchitectureActive Networks Node Architecture

In-channels Out-channels Persistent store

NodeOS

EE1 EE2ExecutionEnvironments

ActiveApplications

--- from S. Murphy’s slides

10/08/2002 ECE697J Fall '02, Active Network 7

Security RequirementsSecurity RequirementsÜ Need to protect

End users, Active Node, EE, Active Code/DomainÜ End User’s security concerns

authenticity, integrity and confidentialityÜ Active Node/EE’s security concerns

authorization of use of its services and resourcesintegrity and confidentiality of its own state

Ü Active Code’s security concernsaccess to its services and sharable persistent states

10/08/2002 ECE697J Fall '02, Active Network 8

Trust Model --- End User ViewpointTrust Model --- End User Viewpoint

ÜWould rather not trust active nodes, EEsand other active codes

Ü So, End-End Cryptographic protectionsProtect its own data from active node and EEBut limit the network services in active node

Ü Expected FeaturesEnable end users to choose trusted nodes/EEsAvoid transmitting the packet to untrusted nodes/EEs

10/08/2002 ECE697J Fall '02, Active Network 9

Trust Model --- Node ViewpointTrust Model --- Node Viewpoint

ÜWould rather not trust EEs, active codes, arriving packets

Ü Control over the allocation of resources and privileges to an EE’s domain

Ü Balance the trust it holds in an EEÜ Control the threat from active code Ü countering clogging attacks from arriving

packets is another research area.

10/08/2002 ECE697J Fall '02, Active Network 10

Trust Model --- EE ViewpointTrust Model --- EE Viewpoint

ÜWould rather not trust active codes and arriving packets

ÜControl the threat from active codesÜRely on the node to enforce the EE’s

policy governing acceptance of arriving packets

10/08/2002 ECE697J Fall '02, Active Network 11

Trust Model --- Active Code ViewpointTrust Model --- Active Code Viewpoint

ÜWould rather not trust Active node,EEs and other active codes

ÜActive code must trust the nodes and EE’s on/in which it executes

ÜAvoid those it does not trustÜEnforce its policy to avoid potential

attacks from other active codes

10/08/2002 ECE697J Fall '02, Active Network 12

Protection TechniquesProtection Techniques

ÜTwo ApproachesLanguage based– Limit the possible actions of programs– Low cost technique with a large payoff

Authorization based– Associate a principal with each request for

an action – Enforce a policy that states which principals

are permitted to perform which actions

10/08/2002 ECE697J Fall '02, Active Network 13

Authentication ChallengesAuthentication Challenges

ÜIdentification of the principal itself in active networks

Multiple and varying principal identities or attributes

ÜChoice of an authentication mechanismHop-Hop protectionsSymmetric/Asymmetric techniques

10/08/2002 ECE697J Fall '02, Active Network 14

SANTSSANTS

ÜSecurity ANTSÜPrototype a secure active network

Authorization enforcement– nodes, EE’s and active code

Integrity protection– packets

Distributed authentication mechanism– Retrieval of identities and attributes– Dynamic assignment of attributes

10/08/2002 ECE697J Fall '02, Active Network 15

ComponentsComponentsÜ Authentication

X.509v3 certificatesDNSSECJava Crypto API KeyNote policy system

Ü AuthorizationJava 2 security features, class loaderA separation between EE and Node ClassesA shared data capability, Bulletin Board

10/08/2002 ECE697J Fall '02, Active Network 16

AuthenticationAuthentication

ÜHop-HopHMAC-SHA1 integrity protection

ÜEnd-EndDigital signature for authentication and integrity protection

10/08/2002 ECE697J Fall '02, Active Network 17

Authentication IssuesAuthentication IssuesGeneral Crypto Protected Packet

SANTS Protected Packet

header static (code & data) variable data credential(s) digital signature

hop-hop integrity

header payloadidentity protection

10/08/2002 ECE697J Fall '02, Active Network 18

SANTS AuthenticationSANTS AuthenticationÜ Strong End-End Authentication

Digital SignaturesProtection applies to static areas only

Ü Hop-Hop IntegrityHMAC-SHA1Protection Applies to entire packet

Ü Distributed Security InfrastructureX.509 Certificates stored in DNS CERT recordsAccess uses DNSSEC

10/08/2002 ECE697J Fall '02, Active Network 19

SANTS AuthorizationSANTS AuthorizationÜ Authorization Control at the NodeOS Level

Policy Manager in the NodeOSPolicy manager exposed

– To EE– To Active Packet

Ü Authorization Based on Security Attributes

Carried in X.509 Certificates

10/08/2002 ECE697J Fall '02, Active Network 20

Bulletin BoardBulletin Board

ÜActive packet travel through the network encountering different administration with their own policies.

ÜEE provides a Bulletin Board shared data service to incoming active code.

10/08/2002 ECE697J Fall '02, Active Network 21

Security ArchitectureSecurity Architecture

ÜIncludes:NamingPacket FormatPolicy LanguageSecurity Support SystemEnforcement Architecture

10/08/2002 ECE697J Fall '02, Active Network 22

Security ArchitectureSecurity Architecture

ÜComponents should be placed inNodeOS

ÜDomain creation NodeOS call must include an authentication policy and an access control policy.

10/08/2002 ECE697J Fall '02, Active Network 23

Security Processing in NodeOSSecurity Processing in NodeOSÜ Receive packetÜ Verify hop-hop integrityÜ Assign packet to existing domainÜ Extract credential listÜ Check credentials authenticity according to

authentication policy for the domainÜ Check credentials against access control policy for

domainÜ Deliver entire packet to the domain, including the

credentials, authentication protection fields, etc

10/08/2002 ECE697J Fall '02, Active Network 24

Security processing in the EESecurity processing in the EEÜ Receive a packet including credentialsÜ Create a sub-domain, providing

security context parameters access control and authentication policies

Ü Modifyaccess control policy, authentication policysecurity context

Ü Add or remove cryptographic protections to user data

10/08/2002 ECE697J Fall '02, Active Network 25

ConclusionConclusion

ÜSANTS does provide strong securityFine Grained AuthorizationStrong End-End AuthenticationDynamic Policies

ÜToo Complicated, is it worthy to apply?