47 results on '"Gurtov, A."'
Search Results
2. Indirection Infrastructures
- Author
- Korzun, Dmitry and Gurtov, Andrei
- Published
- 2013
- Full Text
- View/download PDF
3. CHIP: Collaborative Host Identity Protocol with Efficient Key Establishment for Constrained Devices in Internet of Things
- Author
- Porambage, Pawani, Braeken, An, Kumar, Pardeep, Gurtov, Andrei, and Ylianttila, Mika
- Published
- 2017
- Full Text
- View/download PDF
4. Traversing Middleboxes with the Host Identity Protocol
- Author
- Tschofenig, Hannes, Gurtov, Andrei, Ylitalo, Jukka, Nagarajan, Aarthi, Shanmugam, Murugaraj, Hutchison, David, editor, Kanade, Takeo, editor, Kittler, Josef, editor, Kleinberg, Jon M., editor, Mattern, Friedemann, editor, Mitchell, John C., editor, Naor, Moni, editor, Nierstrasz, Oscar, editor, Pandu Rangan, C., editor, Steffen, Bernhard, editor, Sudan, Madhu, editor, Terzopoulos, Demetri, editor, Tygar, Doug, editor, Vardi, Moshe Y., editor, Weikum, Gerhard, editor, Boyd, Colin, editor, and González Nieto, Juan Manuel, editor
- Published
- 2005
- Full Text
- View/download PDF
5. IoT and HIP's Opportunistic Mode
- Author
- Ariel Stulman, Andrei Gurtov, and Adel Fuchs
- Subjects
- Authentication, Computer Networks and Communications, Computer science, Trusted third party, Man-in-the-middle attack, Computer security, Mode (computer interface), Multihoming, Key (cryptography), Confidentiality, Host Identity Protocol, Electrical and Electronic Engineering, Software
- Abstract
Key sharing has always been a complex issue. It became even more challenging for the Internet of Things (IoT), where a trusted third party for global management rarely exists. With authentication and confidentiality lacking, things resort to a leap of faith (LoF) paradigm where it is assumed that no attacker is present during the initial configuration. In this paper we focus on the Host Identity Protocol (HIP), specifically designed to provide mobility and multihoming capabilities. Although HIP is normally based on many strict security mechanisms (e.g., DNSSEC), it also provides a better than nothing opportunistic mode, based on the LoF paradigm, which is to be used when other more trusted mechanisms are not available. In this paper, we analyze different MiTM attacks which might occur under this opportunistic mode. Taking advantage of HIP's multihoming capabilities, we propose two key spraying techniques which strengthen the opportunistic mode's security. The first technique spreads the four key-exchange messages among different networks, while the second spreads fractions of one of those messages. Evaluation of these techniques is provided, demonstrating the major benefit of our proposal.
- Published
- 2021
- Full Text
- View/download PDF
6. Secure communication channel architecture for Software Defined Mobile Networks
- Author
- Andrei Gurtov, Anca Delia Jurcut, Mika Ylianttila, Madhusanka Liyanage, An Braeken, Industrial Sciences and Technology, Digital Mathematics, and Engineering Technology
- Subjects
- OpenFlow, Computer Networks and Communications, Computer science, Communications system, SDN, Mobile networks, NFV, Host Identity Protocol, HIP, Testbed, Virtualization, Security service, IPsec, Scalability, Security, Telecommunication, Cellular network, 5G, Computer network
- Abstract
A Software-Defined Mobile Network (SDMN) architecture is proposed to enhance the performance, flexibility, and scalability of today’s telecommunication networks. However, SDMN features such as centralized controlling, network programmability, and virtualization introduce new security challenges to telecommunication networks. In this article, we present security challenges related to SDMN communication channels (i.e., control and data channel) and propose a novel secure communication channel architecture based on Host Identity Protocol (HIP). IPsec tunneling and security gateways are widely utilized in present-day mobile networks to secure backhaul communication channels. However, the utilization of legacy IPsec mechanisms in SDMNs is challenging due to limitations such as distributed control, lack of visibility, and limited scalability. The proposed architecture also utilizes IPsec tunnels to secure the SDMN communication channels by eliminating these limitations. The proposed architecture is implemented in a testbed and we analyzed its security features. The performance penalty of security due to the proposed security mechanisms is measured on both control and data channels.
- Published
- 2017
- Full Text
- View/download PDF
7. Novel secure VPN architectures for LTE backhaul networks
- Author
- Andrei Gurtov, Madhusanka Liyanage, Mika Ylianttila, and Pardeep Kumar
- Subjects
- Internet Key Exchange, Computer Networks and Communications, Computer science, Backhaul (telecommunications), IP tunnel, Multihoming, IPsec, Internet Protocol, Host Identity Protocol, Information Systems, Private network, Computer network
- Abstract
In this paper, we propose two secure virtual private network architectures for the long-term evolution backhaul network. They are layer 3 Internet protocol (IP) security virtual private network architectures based on Internet key exchange version 2 mobility and multihoming protocol and host identity protocol. Both architectures satisfy a complete set of 3GPP backhaul security requirements such as authentication, authorization, payload encryption, privacy protection, and IP-based attack prevention. The security analysis and simulation results verify that the proposed architectures are capable enough to protect long-term evolution backhaul traffic against various IP-based attacks. Copyright © 2016 John Wiley & Sons, Ltd.
- Published
- 2016
- Full Text
- View/download PDF
8. Secure Hierarchical VPLS Architecture for Provider Provisioned Networks
- Author
- Andrei Gurtov, Madhusanka Liyanage, and Mika Ylianttila
- Subjects
- General Computer Science, Computer science, Distributed computing, Data security, Hierarchical, VPN, Forwarding plane, General Materials Science, Host Identity Protocol, Authentication, HIP, Testbed, General Engineering, Local area network, Scalability, Provisioning, VPLS, Software deployment, Security, lcsh:Electrical engineering. Electronics. Nuclear engineering, lcsh:TK1-9971, Computer network, Private network
- Abstract
Virtual private LAN service (VPLS) is a Layer 2 virtual private network technique that has gained enormous popularity in industrial networks. However, the deployment of legacy VPLS architectures in large-scale networks is challenging due to unresolved security and scalability issues. In this paper, we propose a novel hierarchical VPLS architecture based on host identity protocol. The proposed architecture tackles both security and scalability issues in legacy VPLS architectures. It secures the VPLS network by delivering vital security features such as authentication, confidentiality, integrity, availability, and secured control protocol. The security analysis and simulation results confirm that the proposed architecture is protected from various IP-based attacks as well. Theoretical analysis and simulation results have also verified that the proposed architecture provides scalability in control, forwarding, and security planes. Finally, the data plane performance of the proposed architecture is measured in a real-world testbed implementation.
- Published
- 2015
9. Hardening Opportunistic HIP
- Author
- Adel Fuchs, Andrei Gurtov, and Ariel Stulman
- Subjects
- Computer science, Man-in-the-middle attack, Communications system, Computer security, Secure communication, Multihoming, Host Identity Protocol
- Abstract
As mobile and multi-homed devices are becoming ubiquitous, the need for a dynamic, yet secure communication protocol is unavoidable. The Host Identity Protocol (HIP) was constructed to meet this requirement; to provide significantly more secure mobility and multi-homing capabilities. HIP opportunistic mode, which is to be used when other, more trusted mechanisms are lacking, is based on a leap of faith (LoF) paradigm. In this paper, we analyze different man-in-the-middle (MiTM) attacks which might occur under this LoF, and propose a set of tweaks for hardening opportunistic HIP (HOH) that strengthen opportunistic mode's security.
- Published
- 2017
- Full Text
- View/download PDF
10. CHIP: collaborative host identity protocol with efficient key establishment for constrained devices in Internet of Things
- Author
- Mika Ylianttila, Andrei Gurtov, Pardeep Kumar, An Braeken, Pawani Porambage, Industrial Sciences and Technology, Digital Mathematics, and Engineering Technology
- Subjects
- Key establishment, Computer science, Smart objects, Interoperability, Internet of Things, Proxy, Cryptography, Resource constrained devices, Intelligent sensor, Internet Protocol, Host Identity Protocol, Electrical and Electronic Engineering, Networking hardware, Computer Science Applications, Heterogeneous network, Computer network
- Abstract
The Internet of Things (IoT) is the next evolutionary paradigm of networking technologies that interconnects almost all the smart objects and intelligent sensors related to human activities, machineries, and environment. IoT technologies and Internet Protocol connectivity enable wide ranges of network devices to communicate irrespective of their resource capabilities and local networks. In order to provide seamless connectivity and interoperability, it is notable to maintain secure end-to-end (E2E) communication links in IoT. However, device constraints and the dynamic link creations make it challenging to use pre-shared keys for every secure E2E communication scenario in IoT. Variants of Host Identity Protocol (HIP) are adopted for constructing dynamic and secure E2E connections among the heterogeneous network devices with imbalanced resource profiles and less or no previous knowledge about each other. We propose a solution called collaborative HIP (CHIP) with an efficient key establishment component for the high resource-constrained devices in IoT. CHIP delegates the expensive cryptographic operations to the resource rich devices in the local networks. Finally, by providing quantitative performance evaluation and descriptive security analysis, we demonstrate the applicability of the key establishment in CHIP for the constrained IoT devices rather than the existing HIP variants.
- Published
- 2017
11. Performance evaluation of current and emerging authentication schemes for future 3GPP network architectures
- Author
- Zoltán Faigl, Andrei Gurtov, Jani Pellikka, and László Bokor
- Subjects
- Challenge-Handshake Authentication Protocol, Network architecture, Authentication, Computer Networks and Communications, Computer science, Network packet, Distributed computing, Testbed, Authentication protocol, Default gateway, Lightweight Extensible Authentication Protocol, Scalability, Cellular network, Mobile telephony, Host Identity Protocol, AKA, Computer network
- Abstract
One of the key issues in recent mobile telecommunication is to increase the scalability of current packet data networks. A challenging topic of scalability is the efficient handling of rapidly growing Machine-type communication, which comes along with the requirement of low-cost network attachment and re-attachment procedures. In this paper we present the results of a comprehensive testbed-based performance evaluation on a set of authentication schemes over ''centralized'', ''distributed'' and ''flat'' mobile network architecture alternatives in terms of computational cost, memory utilization, authentication delay, and signalling overhead. The aim of our measurement and analysis is to facilitate decision making on authentication scheme selection in future mobile networks and in Wireless Personal Area Networks. We also show that the optimal distribution level of the network architecture is ''distributed'' with respect to the authentication delay. The studied authentication schemes seem to hinder seamless handover provision in case of frequent gateway changes, except the Host Identity Protocol-based Diet Exchange extended with 3GPP Authentication and Key Agreement authentication scheme over Wi-Fi access.
- Published
- 2014
- Full Text
- View/download PDF
12. Suitability analysis of existing and new authentication methods for future 3GPP Evolved Packet Core
- Author
- Jani Pellikka, László Bokor, Andrei Gurtov, and Zoltán Faigl
- Subjects
- Authentication, Internet Key Exchange, Access network, Computer Networks and Communications, Network packet, Computer science, Mobile broadband, Authentication protocol, Lightweight Extensible Authentication Protocol, Wireless, Host Identity Protocol, AKA, Computer network
- Abstract
The fourth generation of 3GPP networks is evolving toward the realization of true global mobile broadband services. This stimulates the appearance of new applications, such as remote sensing and controlling services running on resource-constrained wireless devices, but also comes along with new challenges regarding performance and cost of the whole system, involving the requirement for lightweight security services. This paper analyzes the suitability of a recently developed protocol, i.e., the Host Identity Protocol using Diet Exchange extended with Authentication and Key Agreement, as a new option providing lightweight unified network access service in 3GPP Evolved Packet Core and replacing Internet Key Exchange version 2 with EAP-AKA. The proposed technology is compared with five other Layer-3 authentication methods under security, performance, deployment and functionality related criteria, and trade-offs of the alternatives are analyzed. The results show that it is worth using this recent authentication method in scenarios where low performance overhead and support of extra functionalities such as multi-access capabilities are important. Consequently, the concept of a new secure data tunneling option is proposed for these scenarios for distributed Evolved Packet Core.
- Published
- 2013
- Full Text
- View/download PDF
13. Analysis of deployment challenges of Host Identity Protocol
- Author
- Ijaz Ahmad, Andrei Gurtov, Mika Ylianttila, and Madhusanka Liyanage
- Subjects
- Mobility, Network security, Computer science, Mobile computing, Computer security, SDN, Software deployment, Mobile VPN, Security, The Internet, Host Identity Protocol, Software-defined networking, Protocol (object-oriented programming), Internetworking
- Abstract
Host Identity Protocol (HIP), a novel internetworking technology, proposes separation of the identity-location roles of the Internet Protocol (IP). HIP has been successful from the technological perspectives for network security and mobility; however, it has very limited deployment. In this paper we assess HIP to find the reasons behind its limited deployment and highlight the challenges faced by HIP for its commercial use. We propose technological development and outline deployment strategies for the wide use of HIP. Furthermore, this paper investigates the use of HIP in Software Defined Networks (SDN) to evaluate its performance in new disruptive networking technologies. In a nutshell, this paper presents revealing challenges for the deployment of innovative networking protocols and a way ahead for successful and large scale deployment.
- Published
- 2017
- Full Text
- View/download PDF
14. CHIP: collaborative host identity protocol with efficient key establishment for constrained devices in internet of things
- Author
- Porambage, P. (Pawani), Braeken, A. (An), Kumar, P. (Pardeep), Gurtov, A. (Andrei), and Ylianttila, M. (Mika)
- Subjects
- Host identity protocol, Internet of Things, Key establishment, Proxy, Resource-constrained devices
- Abstract
The Internet of Things (IoT) is the next evolutionary paradigm of networking technologies that interconnects almost all the smart objects and intelligent sensors related to human activities, machineries, and environment. IoT technologies and Internet Protocol connectivity enable wide ranges of network devices to communicate irrespective of their resource capabilities and local networks. In order to provide seamless connectivity and interoperability, it is notable to maintain secure end-to-end (E2E) communication links in IoT. However, device constraints and the dynamic link creations make it challenging to use pre-shared keys for every secure E2E communication scenario in IoT. Variants of Host Identity Protocol (HIP) are adopted for constructing dynamic and secure E2E connections among the heterogeneous network devices with imbalanced resource profiles and less or no previous knowledge about each other. We propose a solution called collaborative HIP (CHIP) with an efficient key establishment component for the high resource-constrained devices in IoT. CHIP delegates the expensive cryptographic operations to the resource rich devices in the local networks. Finally, by providing quantitative performance evaluation and descriptive security analysis, we demonstrate the applicability of the key establishment in CHIP for the constrained IoT devices rather than the existing HIP variants.
- Published
- 2017
15. Secure and Efficient IPv4/IPv6 Handovers Using Host-Based Identifier-Locator Split
- Author
- Samu Varjonen, Miika Komu, and Andrei Gurtov
- Subjects
- lcsh:Computer software, Computer science, Network layer, IPv4, IPv6, Identifier, lcsh:QA76.75-76.765, Multihoming, The Internet, Host Identity Protocol, Electrical and Electronic Engineering, Host (network), Software, Computer network
- Abstract
Internet architecture is facing at least three major challenges. First, it is running out of IPv4 addresses. IPv6 offers a long-term solution to the problem by offering a vast amount of addresses but is neither supported widely by networking software nor has been deployed widely in different networks. Second, end-to-end connectivity is broken by the introduction of NATs, originally invented to circumvent the IPv4 address depletion. Third, the Internet architecture lacks a mechanism that supports end-host mobility and multihoming in a coherent way between IPv4 and IPv6 networks. We argue that an identifier-locator split can solve these three problems based on our experimentation with the Host Identity Protocol. The split separates upper layer identifiers from lower network layer identifiers, thus enabling network-location- and IP-version-independent applications. Our contribution consists of recommendations to the present HIP standards to utilize cross-family mobility more efficiently based on our implementation experiences. To the best of our knowledge we are also the first ones to show a performance evaluation of HIP-based cross-family handovers.
- Published
- 2010
16. Host Identity Protocol (HIP): Connectivity, Mobility, Multi-Homing, Security, and Privacy over IPv4 and IPv6 Networks
- Author
- Andrei Gurtov, Thomas R. Henderson, and Pekka Nikander
- Subjects
- IPv6 address, Computer science, Overlay network, Cryptographic protocol, Computer security, IPv4, IPv6, Internet protocol suite, Host Identity Protocol, Electrical and Electronic Engineering, Internetworking, Computer network
- Abstract
The Host Identity Protocol (HIP) is an inter-networking architecture and an associated set of protocols, developed at the IETF since 1999 and reaching their first stable version in 2007. HIP enhances the original Internet architecture by adding a name space used between the IP layer and the transport protocols. This new name space consists of cryptographic identifiers, thereby implementing the so-called identifier/locator split. In the new architecture, the new identifiers are used in naming application level end-points (sockets), replacing the prior identification role of IP addresses in applications, sockets, TCP connections, and UDP-based send and receive system calls. IPv4 and IPv6 addresses are still used, but only as names for topological locations in the network. HIP can be deployed such that no changes are needed in applications or routers. Almost all pre-compiled legacy applications continue to work, without modifications, for communicating with both HIP-enabled and non-HIP-enabled peer hosts. The architectural enhancement implemented by HIP has profound consequences. A number of the previously hard networking problems become suddenly much easier. Mobility, multi-homing, and baseline end-to-end security integrate neatly into the new architecture. The use of cryptographic identifiers allows enhanced accountability, thereby providing a base for easier build up of trust. With privacy enhancements, HIP allows good location anonymity, assuring strong identity only towards relevant trusted parties. Finally, the HIP protocols have been carefully designed to take middle boxes into account, providing for overlay networks and enterprise deployment concerns. This article provides an in-depth look at HIP, discussing its architecture, design, benefits, potential drawbacks, and ongoing work.
- Published
- 2010
- Full Text
- View/download PDF
17. Hi3: An efficient and secure networking architecture for mobile hosts
- Author
- Pekka Nikander, Andrey Lukyanenko, Dmitry Korzun, and Andrei Gurtov
- Subjects
- Computer Networks and Communications, Computer science, Denial-of-service attack, Computer security, Multihoming, Mobile architecture, Scalability, The Internet, Host Identity Protocol, Resilience (network), Host (network), Computer network
- Abstract
The Host Identity Indirection Infrastructure (Hi3) is a networking architecture for mobile hosts, derived from the Internet Indirection Infrastructure (i3) and the Host Identity Protocol (HIP). Hi3 has efficient support for secure mobility and multihoming, which both are crucial for future Internet applications. In this paper, we describe and analyze Hi3 in detail. Compared to existing solutions, Hi3 achieves better resilience, scalability, and security. Both our analysis and early measurements support the notion that Hi3 preserves the best of both approaches while improving performance compared to i3 and enhancing flexibility and security compared to HIP.
- Published
- 2008
- Full Text
- View/download PDF
18. Performance and security evaluation of intra-vehicular communication architecture
- Author
- Andrei Gurtov, Mika Ylianttila, Madhusanka Liyanage, Simone Soderi, and Pardeep Kumar
- Subjects
- Computer science, Communications system, Distributed System Security Architecture, Wireless, Host Identity Protocol, Authentication, Information sharing, HIP, Intra-Vehicular Communication, Wireless Transport Layer Security, Security service, Smart-spaces, Embedded system, IPsec, Security, Computer network
- Abstract
In this paper, we propose a secure intra-vehicular wireless communication architecture based on Host Identity Protocol (HIP). It ultimately improves the security of wireless intra-vehicular communication systems. The performance evaluation of the proposed architecture is performed in a ski tunnel which emulates the real underground transportation environment. Our results verify the feasibility of the proposed architecture by providing the required level of service quality. Also, it outperforms the existing secure architectures. More importantly, the proposed architecture protects the wireless intra-vehicular communication system from IP based attacks.
- Published
- 2016
19. On scalability properties of the Hi3 control plane
- Author
- Andrei Gurtov and Dmitry Korzun
- Subjects
- Network architecture, Indirection, Computer Networks and Communications, Computer science, Mobile computing, Denial-of-service attack, PlanetLab, Scalability, Forwarding plane, The Internet, Host Identity Protocol, Computer network
- Abstract
The Host Identity Indirection Infrastructure (Hi3) is a general-purpose networking architecture, derived from the Internet Indirection Infrastructure (i3) and the Host Identity Protocol (HIP). Hi3 combines efficient and secure end-to-end data plane transmission of HIP with robustness and resilience of i3. The architecture is well-suited for mobile hosts given the support for simultaneous host mobility, rendezvous and multi-homing. Although an Hi3 prototype is implemented and tested on PlanetLab, scalability properties of Hi3 for a large number of hosts are unknown. In this paper, we propose a simple model for bounds of size and latency of the Hi3 control plane for a large number of clients and in the presence of DoS attacks. The model can be used for a first approximation study of a large-scale Internet control plane before its deployment. We apply the model to quantify the performance of the Hi3 control plane. Our results show that the Hi3 control plane can support a large number of mobile hosts with acceptable latency.
- Published
- 2006
- Full Text
- View/download PDF
20. Efficient Key Establishment for Constrained IoT Devices with Collaborative HIP-based Approach
- Author
- Andrei Gurtov, An Braeken, Pawani Porambage, Mika Ylianttila, Pardeep Kumar, Industrial Sciences and Technology, and Digital Mathematics
- Subjects
- Key establishment, Computer science, Internet of Things, Cryptography, Proxy, Networking hardware, Resource constrained devices, Resource (project management), Component (UML), Host Identity Protocol, Computer network
- Abstract
The Internet of Things (IoT) technologies interconnect wide ranges of network devices irrespective of their resource capabilities and local networks. The device constraints and the dynamic link creations make it challenging to use pre-shared keys for every secure end-to-end (E2E) communication scenario in IoT. Variants of Host Identity Protocol (HIP) are adopted for constructing dynamic and secure E2E connections among the heterogeneous network devices with imbalanced resource profiles and less or no previous knowledge about each other. We propose a collaborative HIP solution with an efficient key establishment component for the high constrained devices in IoT, which delegates the expensive cryptographic operations to the resource rich devices in the local networks. Finally, we demonstrate the applicability of the key establishment in collaborative HIP solution for the constrained IoT devices rather than the existing HIP variants, by providing performance and security analysis.
- Published
- 2015
21. Securing the control channel of software-defined mobile networks
- Author
- Mika Ylianttila, Andrei Gurtov, and Madhusanka Liyanage
- Subjects
- Computer science, Mobile computing, Internet security, IP tunnel, Distributed System Security Architecture, Security service, Control channel, IPsec, Host Identity Protocol, Computer network
- Abstract
Software-Defined Mobile Networks (SDMNs) are becoming popular as the next generation of telecommunication networks due to the enhanced performance, flexibility and scalability. In this paper, we study the new security challenges of the control channel of SDMNs and propose a novel secure control channel architecture based on Host Identity Protocol (HIP). IPsec tunneling and security gateways are widely used in today's mobile networks. The proposed architecture utilizes these technologies to protect the control channel of SDMNs. We implement the proposed architecture in a testbed and analyze the security features. Moreover, we measure the performance penalty of security of the proposed architecture and analyze its ability to protect the control channel from various IP (Internet Protocol) based attacks.
- Published
- 2014
- Full Text
- View/download PDF
22. Security for medical sensor networks in mobile health systems
- Author
- Andrei Gurtov, Ilya Nikolaevskiy, and Dmitry Korzun
- Subjects
- Mobile radio, Cloud computing security, Computer science, Mobile broadband, Mobile computing, Mobile Web, Computer security, Security service, Host Identity Protocol, Mobile telephony
- Abstract
Emerging Internet of Things (IoT) technologies and mobile health scenarios provide opportunities for enhancing traditional healthcare systems. Yet current development meets the challenge of sensing patient's health data with strong security guarantees in mobile and resource-constrained settings as well as in emergency situations. This paper presents a generic IoT-aware system architecture that enables security of personal mobile data and their transfer to healthcare services. Our security solutions apply the Host Identity Protocol. We validate the efficiency using a prototype implementation.
- Published
- 2014
- Full Text
- View/download PDF
23. Secure lightweight protocols for medical device monitoring
- Author
- Pawani Porambage, Andrei Gurtov, and Ilya Nikolaevskiy
- Subjects
Provable security ,Engineering ,Authentication ,business.industry ,computer.internet_protocol ,Cryptography ,Computer security ,computer.software_genre ,lcsh:Telecommunication ,Key distribution in wireless sensor networks ,Wireless Transport Layer Security ,lcsh:TK5101-6720 ,Host Identity Protocol ,business ,computer ,Protocol (object-oriented programming) ,Efficient energy use - Abstract
Health care costs are sky-rocketing today, and most developed nations, including the EU and the US, are struggling to keep the costs under control. One of the areas concerned is the monitoring and control of medical appliances embedded in human bodies, such as insulin pumps and heart pacers. Fortunately, recent technology advances make it possible to monitor the medical appliances remotely, greatly decreasing the need for personal doctor visits. Naturally, remote wireless monitoring of such crucial appliances poses several formidable technological challenges including security of data communication, device authentication, attack resistance, and seamless connectivity. A remote monitoring protocol must be executed in a resource-constrained environment with energy efficiency. The recently proposed Diet Exchange for the Host Identity Protocol (HIP) could solve most of the security issues of remote appliance monitoring. However, it has to be developed to run in an embedded device environment; its security properties must be triple-checked against the stringent requirements; potential privacy issues must be addressed; protocol messages and cryptographic mechanisms must be adapted to wireless sensor standards. Although bearing high risks of provable security and patient faith, remote monitoring of health appliances could create breakthroughs in healthcare cost reduction and bring great benefits to individuals and society.
- Published
- 2014
24. Security of Wi-Fi on-board intra-vehicular communication: Field trials of tunnel scenario
- Author
-
Harri Viittala, Simone Soderi, Matti Hämäläinen, Jari Iinatti, Jani Saloranta, and Andrei Gurtov
- Subjects
Vehicular ad hoc network, Wi-Fi array, Computer science, Transmission security, Computer security, Wireless security, Wireless Transport Layer Security, Security service, Network Access Control, Host Identity Protocol, Computer network - Abstract
Wireless communications are increasingly often selected as a cable replacement for on-board vehicular networks. When a wireless technology implements a safety-critical application, cryptographic countermeasures are required. This paper describes the impact of security on intra-vehicular communication in a real tunnel scenario, e.g. for urban transit or mining vehicles, where the usage of security is mandatory in order to maintain system safety. The measurement campaign was carried out in a sport ski-tunnel using commercial off-the-shelf (COTS) Wi-Fi modules. The objective was to understand the overhead of security in a tunnel considering line-of-sight (LOS) and non-LOS (NLOS) scenarios. In addition, the study compared different security solutions in order to evaluate lesser-known protocols. These field trials showed that wireless security is feasible up to 300 m in NLOS without repeaters. Finally, the experiment presented confirms the effectiveness of the Host Identity Protocol when used standalone or in combination with other security solutions.
- Published
- 2013
25. Secure hierarchical Virtual Private LAN Services for provider provisioned networks
- Author
-
Madhusanka Liyanage, Andrei Gurtov, and Mika Ylianttila
- Subjects
Virtual Private LAN Service, Network security, Computer science, Distributed computing, Local area network, Provisioning, Scalability, Enterprise private network, Host Identity Protocol, Computer network, Private network - Abstract
Virtual Private LAN Service (VPLS) is a widely used Layer 2 (L2) Virtual Private Network (VPN) service. Initially, VPLS architectures were proposed as flat architectures. They were used only for small and medium scale networks due to the lack of scalability. Hierarchical VPLS architectures have been proposed to overcome these scalability issues. On the other hand, security is an indispensable factor of a VPLS since it delivers the private user frames via an untrusted public network. However, the existing hierarchical architectures are unable to provide a sufficient level of security for a VPLS network. In this paper, we propose a novel hierarchical VPLS architecture based on the Host Identity Protocol (HIP). It provides a secure VPLS network by delivering vital security features such as authentication, confidentiality, integrity, availability, a secure control protocol and robustness to the known attacks. The simulations verify that our proposal provides control, forwarding and security plane scalability by reducing the number of tunnels in the network as well as the number of keys stored at a node and in the network. Finally, the simulation results confirm that the control protocol of the proposed architecture is protected from IP based attacks.
- Published
- 2013
26. Lightweight authentication and key management on 802.11 with Elliptic Curve Cryptography
- Author
-
Konstantinos Georgantas, Suneth Namal, and Andrei Gurtov
- Subjects
Authentication, Voice over IP, Computer science, Service set, Local area network, Public-key cryptography, Authentication protocol, Lightweight Extensible Authentication Protocol, Wireless LAN, Host Identity Protocol, Elliptic curve cryptography, Key management, Internetworking, Computer network - Abstract
Wireless Local Area Networks (WLANs) have experienced significant growth during the last decade due to ever emerging and resource-demanding applications. The widely used IEEE 802.11 may unexpectedly require longer association durations than Voice over IP (VoIP), Video on Demand (VoD) and other real-time applications can tolerate. In this paper, we implement HIP-WPA, a novel approach to Fast Initial Authentication (FIA) which combines the Host Identity Protocol Diet EXchange (HIP-DEX) with some features of Wi-Fi Protected Access (WPA) technology. This approach provides the necessary IP layer security mechanisms in order to face the challenges of fast authentication in WLANs. HIP-DEX introduces a radically new way of authenticating hosts by using Elliptic Curve Cryptography (ECC) with only two message exchanges and therefore improves the authentication delay by 300% compared to WPA2. Thus, this is an effective solution to be used with any type of real-time application for intra-network (Basic Service Set (BSS) transitions) and internetwork (Extended Service Set (ESS) transitions) handovers.
- Published
- 2013
27. A scalable and secure VPLS architecture for provider provisioned networks
- Author
-
Andrei Gurtov and Madhusanka Liyanage
- Subjects
Network security, Computer science, Virtual Private LAN Service, Node (networking), Distributed computing, Local area network, Telecommunications service, Provisioning, Cryptographic protocol, Encryption, Broadcast communication network, Enterprise private network, Session key, The Internet, Host Identity Protocol, Private network, Computer network - Abstract
Virtual Private LAN Service (VPLS) is a Layer 2 Virtual Private Network (VPN) service. The Internet Engineering Task Force (IETF) has defined the essential system requirements of a VPLS network. Among them, security is a key requirement, as a VPLS delivers the customer data frames via untrusted public networks. However, the existing secure VPLS architectures suffer from scalability issues and are infeasible to implement in large scale networks. In this paper, we propose a novel VPLS architecture based on the Host Identity Protocol (HIP). It includes a new session key based security mechanism which provides scalability both in the forwarding and security planes. Initial simulations verify that the proposed architecture reduces the key storage in a VPLS node, the total key storage in the network and the number of encryptions per broadcast frame compared to other secure VPLS architectures. Additionally, our proposal provides an efficient broadcast mechanism and a comparably higher degree of security features than other existing VPLS proposals.
- Published
- 2013
28. Host identity protocol (HIP): an overview
- Author
-
Thomas R. Henderson, Andrei Gurtov, and Pekka Nikander
- Subjects
Engineering, Computer security, NAT traversal, Multihoming, Accountability, The Internet, Host Identity Protocol, Architecture, Computer network
- Published
- 2012
29. Secure and Multihomed Vehicular Femtocells
- Author
-
Jani Pellikka, Andrei Gurtov, and Suneth Namal
- Subjects
Computer science, Quality of service, IT service continuity, Computer communication networks, Context (language use), Throughput, Handover, Multihoming, Packet loss, Femtocell, Host Identity Protocol, Computer network - Abstract
Operators must ensure seamless voice and data session continuity even when subscribers are on the move. Service continuity is one of the most critical quality parameters in a cellular system. QoS during handover is always hindered by the handover latency and packet loss. Among several approaches, IP multihoming is a promising solution to increase throughput and reduce packet loss. Theoretically, it can ensure no interruption or packet loss during the handover. In this paper, we present a novel Host Identity Protocol (HIP) based secure vehicular femtocell scenario. For the evaluation, we have developed a simulation model on top of the HIPSim++ framework (a simulation framework for HIP) integrated into INET/OMNeT++. Finally, we investigate the feasibility of using HIP in a vehicular femtocell, which is new in this context, and measure the performance in terms of handover latency, packet loss and throughput to compare multihomed and singlehomed communication.
- Published
- 2012
30. Secure Resolution of End-Host Identifiers for Mobile Clients
- Author
-
Samu Varjonen, Tobias Heer, Ken Rimey, and Andrei Gurtov
- Subjects
Authentication, Relation (database), Computer science, Mobile computing, Identifier, Unique identifier, Locator/Identifier Separation Protocol, Host Identity Protocol, Host (network), Computer network - Abstract
Many efforts of the network research community focus on the introduction of a new identifier to relieve the IP address from its dual role of end-host identifier and routable locator. This identifier-locator split introduces a new identifier between human readable domain names and routable IP addresses. Mapping between identifiers and locators requires additional name mapping mechanisms because their relation is not trivial. Despite its popularity and efficiency, the DNS system is not a perfect choice for performing this mapping because identifiers are not hierarchically structured and mappings are frequently updated by users. In this paper we discuss the features needed to resolve flat identifiers to locators in a secure manner. In particular, we focus on the features and the performance that identifier-locator split protocols require from a mapping system. To this end, we consider a mapping system for an identifier-locator split based mobility solution and evaluate its performance.
- Published
- 2011
31. On application of Host Identity Protocol in wireless sensor networks
- Author
-
Andrei Gurtov, Andrey Khurri, and Dmitriy Kuptsov
- Subjects
Authentication, Computer science, Computer communication networks, Denial-of-service attack, Energy consumption, Cryptographic protocol, Computer security, Encryption, Public-key cryptography, Key distribution in wireless sensor networks, Wireless Transport Layer Security, Wireless, Special-purpose and application-based systems, Host Identity Protocol, Wireless sensor network, Countermeasure (computer), Key exchange, Computer network - Abstract
Recent advances in the development of low-cost wireless sensor platforms open up opportunities for novel wireless sensor network (WSN) applications. Likewise, the security concerns of WSNs are receiving closer attention from the research community. Well known security threats in WSNs range from Denial-of-Service (DoS), Replay and Sybil attacks to those targeted at violating data integrity and confidentiality. Public-key cryptography (PKC) as a countermeasure to potential attacks, although originally considered infeasible for resource-constrained sensor nodes, has shown its eligibility for WSNs in the past few years. However, different security and performance requirements, energy consumption issues, as well as varying hardware capabilities of sensor motes pose the challenge of finding the most efficient security protocol for a particular WSN application and scenario. In this paper, we propose to use the Host Identity Protocol (HIP) as the main component for building network-layer security in WSNs. Combining PKC signatures to authenticate wireless nodes, a Diffie-Hellman key exchange to create a pairwise secret key, a puzzle mechanism to protect against DoS attacks and the IPsec protocol for optional encryption of sensitive application data, HIP provides a standardized solution to many security problems of WSNs. We discuss how HIP can strengthen the security of WSNs, suggest possible alternatives to its heavy components in particular WSN applications and evaluate their computational and energy costs on a Linux-based Imote2 wireless sensor platform.
- Published
- 2010
32. Elliptic Curve Cryptography (ECC) for Host Identity Protocol (HIP)
- Author
-
Oleg Ponomarev, Andrei Gurtov, and Andrey Khurri
- Subjects
Computer science, Cryptographic protocol, Encryption, Public-key cryptography, Server, Session key, The Internet, Host Identity Protocol, Arithmetic and logic structures, Elliptic curve cryptography, Computer network - Abstract
We compare the computational resources required for handling the control plane of the Host Identity Protocol (HIP) using Rivest-Shamir-Adleman (RSA) versus Elliptic Curve Cryptography (ECC) encryption algorithms with keys of equivalent strength. We show that servers would establish almost three times more HIP connections per second when ECC is used for generating the session key. For devices with low computational power such as the Nokia N810 Internet Tablet, the use of ECC would notably reduce the delay to establish a HIP association. Unless compatibility with legacy RSA/DSA-only systems is needed, the Host Identity may be an ECC key as well, but such a modification would bring only 50 percent additional performance with the current default keys. However, the situation becomes different under higher security requirements, when employing ECC for the host identification boosts the performance more than four times, and we consider ECC Host Identities desirable in that case.
- Published
- 2010
33. Distributed user authentication in wireless LANs
- Author
-
Andrey Khurri, Andrei Gurtov, and Dmitriy Kuptsov
- Subjects
Password, Authentication, Access network, Computer science, Computer communication networks, Computer security, IPsec, The Internet, Host Identity Protocol, Mobile telephony, Mobile device, Computer network - Abstract
An increasing number of mobile devices, including smartphones, use WLAN for accessing the Internet. Existing WLAN authentication mechanisms are either disruptive, such as presenting a captive web page prompting for a password, or unreliable, enabling a malicious user to attack a part of the operator's infrastructure. In this paper, we present a distributed authentication architecture for WLAN users providing instant network access without manual interactions. It supports terminal mobility across WLAN access points with the Host Identity Protocol (HIP), at the same time protecting the operator's infrastructure from external attacks. User data sent over a wireless link is protected by the IPsec ESP protocol. We present our architecture design and implementation experience on two OpenWrt WLAN access points, followed by measurement results of the working prototype. The system is being deployed into pilot use in the city-wide panOULU WLAN.
- Published
- 2009
34. Performance of Host Identity Protocol on Symbian OS
- Author
-
Andrey Khurri, Andrei Gurtov, and Dmitriy Kuptsov
- Subjects
Authentication, Computer science, Porting, Public-key cryptography, Multihoming, Mobile phone, IPsec, Server, Operating system, The Internet, Host Identity Protocol, Host (network), Computer network - Abstract
The Host Identity Protocol (HIP) has been specified by the IETF as a new solution for secure host mobility and multihoming in the Internet. HIP uses self-certifying public-private key pairs in combination with IPsec to authenticate hosts and protect user data. While there are three open-source HIP implementations, little experience is available with running HIP on lightweight hardware such as a mobile phone. The limited computational power and battery lifetime of lightweight devices raise concerns whether HIP can be used there at all. This paper describes the process of porting the HIP on Linux (HIPL) and OpenHIP implementations to Symbian OS, as well as performance measurements of HIP over WLAN using Nokia E51 and N80 smartphones. We found that with 1024-bit keys, the HIP base exchange with a server varies from 1.68 to 3.31 seconds depending on whether the mobile phone is in standby or active state respectively. After analyzing HIP performance in different scenarios we make conclusions and recommendations on using IP security on lightweight hardware clients.
- Published
- 2009
35. Usable security management with host identity protocol
- Author
-
Andrei Gurtov, Kristiina Karvonen, and Miika Komu
- Subjects
Computer science, Usability, Cryptographic protocol, Computer security, Identity management, World Wide Web, IPsec, Security management, The Internet, Host Identity Protocol, Host (network) - Abstract
The Host Identity Protocol (HIP) proposes a change to the Internet architecture by introducing cryptographically secured names, called Host Identities (HIs), for hosts. Applications use HIs instead of IP addresses in transport layer connections, which allows applications to tolerate host-based mobility better. HIP provides IPsec-based, lower-layer security, but the problem is that this type of security is invisible to most applications and users. Our main contribution is the implementation and user evaluation of several security indicators which inform the user when HIP and IPsec are securing the user's connections. We experimented with application and system level security indicators at the client side, as well as with server-side indicators. In this paper, we present implementation experience on integrating the identity management Graphical User Interface (GUI) into HIP and the results of usability tests with actual users.
- Published
- 2009
36. Secure Multipath Transport For Legacy Internet Applications
- Author
-
Andrei Gurtov and Tatiana Polishchuk
- Subjects
Network packet, Computer science, Distributed computing, Computer communication networks, Multihoming, Multipath routing, Internet access, The Internet, Stream Control Transmission Protocol, Host Identity Protocol, Multipath propagation, Computer network - Abstract
Multi-interface mobile devices and multihomed residential Internet connections are becoming commonplace. However, the standard transport protocols TCP and SCTP are unable to take advantage of several available paths so that an application using a single transport connection would receive the aggregate bandwidth of all paths. Multihoming and advanced security features make the Host Identity Protocol a good candidate to provide multipath data delivery. In this paper, we design and implement a multipath scheduler that distributes the incoming traffic among multiple available paths. Using Fastest Path First scheduling, packets from a single TCP connection can be spread over multiple paths with no reordering. Our simulations confirm the effectiveness and TCP-friendliness of multipath transfer for a range of path bandwidths and in the presence of cross-traffic.
- Published
- 2009
37. Filtering SPAM in P2PSIP Communities with Web of Trust
- Author
-
Andrei Gurtov and Juho Heikkilä
- Subjects
Voice over IP, Computer science, Internet privacy, Encryption, Computer security, Web of trust, Identity (object-oriented programming), Host Identity Protocol, Computational trust - Abstract
Spam is a dominant problem in email systems today. One of the reasons is the lack of infrastructure for security and trust. As Voice over IP (VoIP) communication becomes increasingly popular, the proliferation of spam calls is only a matter of time. Since the SIP identity scheme is practically the same as that of email, the two share the same threats. We utilized the Host Identity Protocol (HIP) to provide basic security, such as end-to-end encryption. To provide call filtering, however, other tools are needed. In this paper, we suggest applying trust paths familiar from the PGP web of trust to prevent unwanted communication in P2PSIP communities.
- Published
- 2009
38. SAVAH: Source Address Validation with Host Identity Protocol
- Author
-
Andrei Gurtov and Dmitriy Kuptsov
- Subjects
Router, Authentication, Network packet, Computer science, Computer communication networks, Computer security, IPv4, IPv6, Overhead (computing), The Internet, Host Identity Protocol, Computer network - Abstract
The explosive growth of the Internet and the lack of mechanisms that validate the authenticity of a packet's source have produced serious security and accounting issues. In this paper, we propose validating source addresses in a LAN using the Host Identity Protocol (HIP) deployed in a first-hop router. Compared to alternative solutions such as CGA, our approach is suitable for both IPv4 and IPv6. We have implemented SAVAH in Wi-Fi access points and evaluated its overhead for clients and the first-hop router.
- Published
- 2009
39. Host Identity Protocol (HIP)
- Author
-
Andrei Gurtov
- Subjects
Engineering, Domain Name System, Computer communication networks, Interoperability, Computer security, IPv4, IPv6, Multihoming, IPsec, The Internet, Host Identity Protocol - Abstract
Within the set of many identifier-locator separation designs for the Internet, HIP has progressed further than anything else we have so far. It is time to see what HIP can do in larger scale in the real world. In order to make that happen, the world needs a HIP book, and now we have it. - Jari Arkko, Internet Area Director, IETF

One of the challenges facing the current Internet architecture is the incorporation of mobile and multi-homed terminals (hosts), and an overall lack of protection against Denial-of-Service attacks and identity spoofing. The Host Identity Protocol (HIP) is being developed by the Internet Engineering Task Force (IETF) as an integrated solution to these problems. The book presents a well-structured, readable and compact overview of the core protocol with relevant extensions to the Internet architecture and infrastructure. The covered topics include the Bound End-to-End Tunnel Mode for IPsec, Overlay Routable Cryptographic Hash Identifiers, extensions to the Domain Name System, IPv4 and IPv6 interoperability, integration with SIP, and support for legacy applications.

Unique features of the book:
- All-in-one source for HIP specifications
- Complete coverage of HIP architecture and protocols
- Base exchange, mobility and multihoming extensions
- Practical snapshots of protocol operation
- IP security on lightweight devices
- Traversal of middleboxes, such as NATs and firewalls
- Name resolution infrastructure
- Micromobility, multicast, privacy extensions
- Chapter on applications, including HIP pilot deployment in a Boeing factory
- HOWTO for HIP on Linux (HIPL) implementation

An important complement to the official IETF specifications, this book will be a valuable reference for practicing engineers in equipment manufacturing companies and telecom operators, as well as network managers, network engineers, network operators and telecom engineers. Advanced students and academics, IT managers, professionals and operating system specialists will also find this book of interest.
- Published
- 2008
40. Performance of host identity protocol on lightweight hardware
- Author
-
Andrey Khurri, Andrei Gurtov, and Ekaterina Vorobyeva
- Subjects
Computer science, Encryption, Mobile phone, Multihoming, IPsec, Key (cryptography), The Internet, Host Identity Protocol, Host (network), Computer hardware, Computer network - Abstract
The Host Identity Protocol (HIP) is being standardized by the IETF as a new solution for host mobility and multihoming in the Internet. HIP uses self-certifying public-private key pairs in combination with IPsec to authenticate hosts and protect user data. While there are three open-source HIP implementations, no experience is available with running HIP on lightweight hardware such as a PDA or a mobile phone. The limited computational power and battery lifetime of lightweight devices raise concerns whether HIP can be used there at all. This paper presents performance measurements of HIP over WLAN on the Nokia 770 Internet Tablet. It also provides a comprehensive analysis of the results and makes suggestions on the suitability of HIP for lightweight clients.
- Published
- 2007
41. Lightweight host and user authentication protocol for All-IP telecom networks.
- Author
-
Pellikka, Jani, Gurtov, Andrei, and Faigl, Zoltan
- Abstract
Future wireless networks are moving fast towards all-IP network architectures, and mobile operators are expanding their services outside traditional cellular networks, becoming multi-access operators. This places stringent requirements on access security, where implementing consistent security policies over disparate radio accesses becomes a challenge. In this paper, we introduce a novel host and user authentication protocol based on the lightweight Host Identity Diet Exchange Protocol that extends the existing 3GPP user authentication architecture and reuses the standard Authentication and Key Agreement scheme. Furthermore, a quantitative evaluation of an implementation and real deployment of our proposal along with an extensive analysis of security features is presented. Our measurements and analysis show that the proposal is a feasible lightweight authentication mechanism for mobile network use and that it improves the security features of the original Diet Exchange.
- Published
- 2012
42. Analysis of the HIP base exchange protocol
- Author
-
Andrei Gurtov, Aarthi Nagarajan, and Tuomas Aura
- Subjects
Authentication, Computer science, Internet layer, Internet security, Identifier, IP tunnel, Internet protocol suite, Internet Protocol, The Internet, Host Identity Protocol, Host (network), Key exchange, Computer network - Abstract
The Host Identity Protocol (HIP) is an Internet security and multi-addressing mechanism specified by the IETF. HIP introduces a new layer between the transport and network layers of the TCP/IP stack that maps host identifiers to network locations, thus separating the two conflicting roles that IP addresses have in the current Internet. This paper analyzes the security and functionality of the HIP base exchange, which is a classic key exchange protocol with some novel features for authentication and DoS protection. The base exchange is the most stable part of the HIP specification with multiple existing implementations. We point out several security issues in the current protocol and propose changes that are compatible with the goals of HIP.
43. Applying a Cryptographic Namespace to Applications
- Author
-
Andrei Gurtov, Sasu Tarkoma, Miika Komu, and Jaakko Kangasharju
- Subjects
Telnet, Dynamic network analysis, File Transfer Protocol, Computer science, Identifier, Operating system, Callback, Host Identity Protocol, Namespace, Host (network), Computer network - Abstract
The Host Identity Protocol (HIP) is a promising solution for dynamic network interconnection. HIP introduces a namespace based on cryptographically generated Host Identifiers. In this paper, two different API variants for accessing the namespace are described, namely the legacy and the native APIs. Furthermore, we present our implementation experience on applying the APIs to a number of applications, including FTP, telnet, and personal mobility. The well-known problems of callbacks and referrals, i.e., passing the IP address within application messages, are considered for FTP in the context of HIP. We show that the callback problem is solvable using the legacy API. The APIs are important for an easy transition to HIP-enabled networks. Our experimentation with well-known network applications indicates that porting applications to use the APIs is realistic.
44. Performance Analysis of HIP Diet Exchange for WSN Security Establishment
- Author
-
Andrei Gurtov, Juho Vähä-Herttua, Pin Nie, and Tuomas Aura
- Subjects
Engineering, Internet Draft, Computer communication networks, Interoperability, Cryptographic protocol, Key distribution in wireless sensor networks, Scalability, Host Identity Protocol, Communications protocol, Wireless sensor network, Computer network - Abstract
Wireless sensor nodes are powered by limited batteries and equipped with constrained processors and memory. Therefore, a security protocol must be highly efficient to fit WSNs. Meanwhile, considering the large variety of WSN applications and their wide deployment, scalability and interoperability are two important concerns when adopting standardized communication protocols. HIP DEX, an IETF Internet draft, provides a generic solution to establish secure connections in WSNs. In this paper, we investigate the security features of HIP DEX based on several practical attack models. We evaluate the performance efficiency of HIP DEX in terms of energy consumption and computing latency on an experimental prototype. Our empirical results show that HIP DEX is applicable for resource-constrained sensor nodes to establish hop-by-hop secure connections. In order to reinforce identity protection, we also propose tentative improvements to HIP DEX. Finally, we compare HIP DEX with SSL/TLS to highlight their respective advantages in different WSN architectures.
45. Lightweight authentication and key management of wireless sensor networks for Internet of things
- Author
-
Porambage, P. (Pawani), Ylianttila, M. (Mika), and Gurtov, A. (Andrei)
- Subjects
lightweight security ,authentication ,Internet of Things ,key establishment ,resource constrained devices ,implicit certificates ,group communication ,wireless sensor networks ,Host Identity Protocol - Abstract
The concept of the Internet of Things (IoT) is driven by advancements of the Internet with the interconnection of heterogeneous smart objects using different networking and communication technologies. Among the many underlying networking technologies for the IoT, Wireless Sensor Network (WSN) technology has become an integral building block. IoT-enabled sensor networks provide a wide range of application areas such as smart homes, connected healthcare, smart cities and various solutions for the manufacturing industry. The integration of WSNs into the IoT will also create new security challenges for establishing secure channels between low-power sensor nodes and Internet hosts. This will lead to many challenges in designing new key establishment and authentication protocols and in redefining the existing ones. This dissertation addresses how to integrate lightweight key management and authentication solutions into the resource-constrained sensor networks deployed in IoT domains. Firstly, this thesis elaborates how to exploit implicit certificates to initiate secure End-to-End (E2E) communication channels between the resource-constrained sensor nodes in IoT networks. Implicit certificates are used for authentication and key establishment purposes. The compliance of the security schemes is proven through performance evaluations and by discussing the security properties. Secondly, this dissertation presents the design of two lightweight group key establishment protocols for securing group communications between resource-constrained IoT devices. Finally, the thesis explores promising approaches on how to tailor the existing security protocols in accordance with IoT device and network characteristics. In particular, variants of the Host Identity Protocol (HIP) are adopted for constructing dynamic and secure E2E connections between heterogeneous network devices with imbalanced resource profiles and little or no previous knowledge of each other. A solution called Collaborative HIP (CHIP) is proposed with an efficient key establishment component for highly resource-constrained devices in the IoT. The applicability of the keying mechanism is demonstrated with the implementation and the performance measurement results.
Abstract (Finnish, translated): The Internet of Things (IoT) is a recently popularized concept for connecting smart objects to the Internet using various networking and communication technologies. Among the most essential technologies underlying the Internet of Things are wireless sensor networks (WSNs), which are basic building blocks of the IoT. Wireless sensor networks connected to the Internet of Things enable a wide range of applications, such as smart homes, remote healthcare, smart cities and smart industrial applications. Combining wireless sensor networks with the Internet of Things also brings security challenges, since sensors and actuators, which are usually computationally weak, are not capable of very demanding security operations, which include, among others, security key establishment and authentication. This dissertation aims to answer that challenge by using lightweight key establishment and authentication solutions in resource-constrained sensor networks connected to the Internet of Things. The research first focuses on the use of implicit certificates for initializing secure end-to-end communication channels between resource-constrained sensor devices and other IoT devices. Implicit certificates are used for authentication and key establishment. The suitability of the developed solutions for their purpose is shown through performance measurements and by comparing their security properties. Next, the dissertation presents two lightweight group key establishment protocols for secure group communication between resource-constrained IoT devices. Finally, the dissertation examines promising approaches for tailoring existing security protocols to the characteristics of IoT devices and networks. Particular attention is paid to the use of different versions of the Host Identity Protocol (HIP) for creating dynamic and secure end-to-end connections between previously unknown IoT devices of different types, whose hardware resource profiles may differ greatly. The key result of the dissertation is the Collaborative HIP (CHIP) protocol developed in this work, a resource-efficient key establishment technology for resource-constrained IoT devices. The suitability of the developed technology for its purpose is demonstrated through performance measurements made with a prototype implementation.
- Published
- 2018
46. Enhancing security and scalability of Virtual Private LAN Services
- Author
-
Madhusanka Liyanage, Ylianttila, M. (Mika), and Gurtov, A. (Andrei)
- Subjects
VPLS ,network security ,Virtual Private Networks ,Software-defined Networking (SDN) ,Host Identity Protocol ,Spanning Tree Protocol ,scalability ,Virtual Private LAN Services - Abstract
Ethernet-based VPLS (Virtual Private LAN Service) is a transparent, protocol-independent, multipoint L2VPN (Layer 2 Virtual Private Network) mechanism to interconnect remote customer sites over IP (Internet Protocol) or MPLS (Multiprotocol Label Switching) based provider networks. VPLS networks are now becoming attractive in many enterprise applications, such as DCI (data center interconnect), voice over IP (VoIP) and videoconferencing services, due to their simple, protocol-independent and cost-efficient operation. However, these new VPLS applications demand additional requirements, such as elevated security, enhanced scalability, optimum utilization of network resources and further reduction in operational costs. Hence, the motivation of this thesis is to develop secure and scalable VPLS architectures for future communication networks. First, a scalable secure flat-VPLS architecture is proposed based on the Host Identity Protocol (HIP). It contains a session key-based security mechanism and an efficient broadcast mechanism that increase the forwarding and security plane scalability of VPLS networks. Second, a secure hierarchical-VPLS architecture is proposed to achieve control plane scalability. A novel encrypted label-based secure frame forwarding mechanism is designed to transport L2 frames over a hierarchical VPLS network. Third, a novel Distributed Spanning Tree Protocol (DSTP) is designed to maintain a loop-free Ethernet network over a VPLS network. With DSTP it is proposed to run a modified STP (Spanning Tree Protocol) instance in each remote segment of the VPLS network. In addition, two Redundancy Identification Mechanisms (RIMs), termed Customer Associated RIMs (CARIM) and Provider Associated RIMs (PARIM), are used to mitigate the impact of invisible loops in the provider network. Lastly, a novel SDN (Software Defined Networking) based VPLS (Soft-VPLS) architecture is designed to overcome tunnel management limitations in legacy secure VPLS architectures. Moreover, three new mechanisms are proposed to improve the performance of legacy tunnel management functions: 1) a dynamic tunnel establishment mechanism, 2) a tunnel resumption mechanism and 3) a fast transmission mechanism. The proposed architecture utilizes a centralized controller to command VPLS tunnel establishment based on real-time network behavior. Hence, the results of the thesis will help in the design and development of more secure, scalable and efficient VPLS networks. They will also help to optimize the utilization of network resources and further reduce the operational costs of future VPLS networks.
Abstract (Finnish, translated): Ethernet-based VPLS (Virtual Private LAN Service) is a transparent, protocol-independent multipoint network mechanism (Layer 2 Virtual Private Network, L2VPN) that connects a customer's remote sites over provider networks based on IP (Internet Protocol) or MPLS (Multiprotocol Label Switching). Thanks to their simple, protocol-independent and cost-efficient operation, VPLS networks have become attractive for many enterprise applications. Such applications include DCI (Data Center Interconnect), VoIP (Voice over IP) and videoconferencing services. New VPLS applications, however, place new demands, such as better security and scalability, optimal utilization of network resources and further reduction of operating costs. The purpose of this dissertation is therefore to develop secure and scalable VPLS architectures for future communication networks. First, the dissertation presents a scalable and secure flat-VPLS architecture based on the Host Identity Protocol (HIP). Next, a session-key-based security mechanism and an efficient transmission mechanism are discussed, which improve the forwarding and security-level scalability of VPLS networks. After this, a secure hierarchical VPLS architecture is presented that achieves control plane scalability. The dissertation also describes a new encrypted label-based data frame forwarding mechanism with which L2 frames are transported in a hierarchical VPLS network. In addition, the dissertation proposes the use of a new Distributed Spanning Tree Protocol (DSTP) to maintain a loop-free Ethernet network over a VPLS network. DSTP makes it possible to run a modified STP (Spanning Tree Protocol) instance in each remote segment of the VPLS network. The dissertation also presents two Redundancy Identification Mechanisms (RIMs), Customer Associated RIM (CARIM) and Provider Associated RIM (PARIM), which reduce the impact of invisible loops in the provider network. Finally, a new SDN (Software Defined Networking) based VPLS architecture (Soft-VPLS) is proposed to remove the tunnel management problems of legacy secure VPLS architectures. In addition, the dissertation proposes three new mechanisms for improving the tunnel management functions of legacy architectures: 1) a dynamic tunnel establishment mechanism, 2) a tunnel resumption mechanism and 3) a fast transmission mechanism. In the proposed architecture, a centralized controller based on real-time network behavior is used to manage the establishment of VPLS tunnels. The results of the research help in designing and developing more secure, scalable and efficient VPLS systems, and they also help to utilize network resources more efficiently and lower the operational costs of the network.
- Published
- 2016
47. Enhanced communication security and mobility management in small-cell networks
- Author
-
Namal, S. (Suneth), Ylianttila, M. (Mika), and Gurtov, A. (Andrei)
- Subjects
OpenFlow ,mobile femtocells ,fast initial authentication ,software defined networking ,authentication ,OMNet++ ,Host Identity Protocol - Abstract
Software-Defined Networks (SDN) focus on addressing the challenges of increased complexity and unified communication, for which conventional networks are not optimally suited due to their static architecture. This dissertation discusses methods for enhancing communication security and mobility management in small-cell networks with IEEE 802.11 backhaul. Although 802.11 has become a mission-critical component of enterprise networks, in many cases it is not managed with the same rigor as wired networks. 802.11 networks thus need the same unified management as wired networks. This dissertation also addresses several new issues from the perspective of mobility management in 802.11 backhaul. Due to the lack of built-in quality of service support, IEEE 802.11 faces serious challenges in meeting the demands of modern services and applications. 802.11 networks require a significantly longer association time than real-time applications can tolerate. To optimise host mobility in IEEE 802.11, an extension to the initial authentication is provided by utilising Host Identity Protocol (HIP) based identity attributes and Elliptic Curve Cryptography (ECC) based session key generation. Finally, this dissertation puts forward the concept of SDN-based cell mobility and its counterpart, network function virtualization. This is validated by introducing a unified SDN and cognitive radio architecture for harmonized end-to-end resource allocation and management, presented at the end.
Abstract (Finnish, translated): Software-defined networks (SDN) focus on solving challenges related to the increased complexity of networks and unified communication, for which conventional networks are not suited because of their static structure. The dissertation discusses methods by which communication security and mobility management can be improved in IEEE 802.11 wireless small-cell networks. Although 802.11 has become a key component of enterprise networks, in many cases it is not managed as rigorously as the wired network. 802.11 networks thus need the same kind of unified management that wired networks have. The dissertation also focuses on many new problems related to mobility management in 802.11 networks. Due to the lack of built-in quality of service (QoS) definitions, it is challenging for IEEE 802.11 networks to meet the demands of modern services and applications. 802.11 networks require considerably more time to join the network than real-time applications can tolerate. The work presents an extension to the initial authentication of the IEEE 802.11 standard for optimizing host mobility, which utilizes Host Identity Protocol (HIP) based identity attributes and elliptic curve cryptography (ECC) based session key generation. Finally, the work presents the concept of cell mobility based on software-defined networks, together with its essential counterpart, network virtualization. This is validated by presenting a unified architecture based on SDN and cognitive radio for harmonized end-to-end resource allocation and management, which is presented at the end.
- Published
- 2014