Closed
This project has closed down, and all project members have left the
University.
Recent Accomplishments in Software for Network Security
The research described here is performed at the Department of
Computer Science, University of Arizona, Tucson, Arizona.
- Our x-kernel Linux IPSEC release.
- Our 1996 summary report for DARPA/ITO.
- Our participation in the Crystal City DARPA OS-Security PI meeting in
May 1996.
- Our participation in the San Antonio ARPA OS PI meeting in February
1996.
Modular Software for Secure Protocol Suites
Attacks against Internet hosts arise at all levels of the
software, from exploiting bugs in application services to corruption
of routing tables and misrepresentation of packet sources. Our
graphic illustrates how host machines (symbolized by saguaros, a
cactus native to the region where this research is done) communicate
at these different service levels. Our software enhances the services
with protections appropriate to each service, and these enhancements
are illustrated by colored software modules on the host machines. The
enhancements build on one another hierarchically and protect against
network attacks (lightning bolts).
We are developing a broad spectrum approach to securing the
Internet, an approach that allows the introduction of carefully
tailored security software to enhance the protocols that underlie the
Internet infrastructure. Our software is modular, reusable, highly
configurable, and is being demonstrated in four key areas of immediate
interest to Internet users:
- Data Authentication, Privacy, and Integrity
- We have a prototype of the Internet Protocol (IP) that uses our
cryptographic protocol library to ensure host-to-host integrity and
authentication, and optionally privacy. This low-level service is
used as the basis for authentication and access control decisions by
higher layers, and is easily configurable.
The cryptographic library is indicated by the red modules in the
illustration. The packet protection service is the green ribbon, and
the software module implementing it is shown by the green boxes.
[Orm95] Hilarie Orman. Evolving an Implementation of a Network Level
Security Protocol.
- Application Security: remote login
- The privacy of passwords on the Internet has been called into
question in recent months, and several protection methods are
available. Our contribution is a version of the login protocol that
allows mutually trusting hosts to establish their identities securely
via the protocol described above and negotiate "password free" logins
for trusted users. The trust configuration can be set by site
administrators.
This level of service is indicated by the fuchsia ribbon in the
illustration.
- Routing Table Integrity and Access Control: membership lists.
- The integrity of routing tables is essential to the security of
networks, and a virtual subnetwork of mutually trusting packet routers
must be established in order to guarantee packet delivery. By building
on the host authentication services provided in the first item, we have
been able to create a simple protocol for securely maintaining and sharing
membership lists. This is being incorporated into a guard protocol that
adds security features to an existing routing protocol without changing
its implementation. This guard technique will be developed into a generic
method for adding security layers to protocols that assume peer authentication.
The membership management is illustrated by the blue ribbon linking the
central "hosts" in the illustration.
- Scalable Key Management.
- Cryptographic keys underlie almost all security features in
large-scale networks, and we are following several active proposals
for large-scale key management schemes by prototyping the methods with
working code. These are being used in conjunction with the packet
protection scheme, and our timing results are being shared and
compared with other researchers on an almost daily basis.
[OrmOak96] Hilarie Orman. The Oakley Key Exchange Protocol (an IETF
draft).
[Schr95] R. Schroeppel, H. Orman, S. O'Malley, and O. Spatscheck. Fast
Key Exchange with Elliptic Curve Systems. In Advances in Cryptology --
Crypto '95, Santa Barbara, California, Aug. 1995.
[Nahum95isoc] E. Nahum, D. Yates, R. Schroeppel, H. Orman, and
S. O'Malley. Towards High Performance Cryptographic Software. To appear
in Proceedings of the ISOC Symposium on Network and Distributed System
Security, San Diego, California, Feb. 1996.
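As an added example (illustration code, not the project's x-kernel or IPSEC implementation), the following Python sketch shows the first two areas above working together: a host-to-host packet protection service that always authenticates and optionally encrypts, and a login service that makes its password-free decision from the host identity that service has authenticated rather than from the unverified IP source address. The host names, the per-host-pair key table, the packet layout, the sequence-number replay rule and the HMAC-derived keystream are assumptions made for this illustration, not the project's design.

```python
"""Added example, not the Arizona project's code: packet protection with
mandatory integrity/authentication and optional privacy, plus a higher
layer that trusts only the authenticated source it is handed."""
import hashlib
import hmac
import struct

# Assumed packet layout: src host (16), dst host (16), flags (1), seq (8),
# body, then a 32-byte integrity tag over header and body.
HDR = struct.Struct("!16s16sBQ")
FLAG_PRIVACY = 0x01
TAG_LEN = 32

# Assumed per-host-pair key table; in the real system a key management
# protocol would fill this. Separate keys for authentication and privacy.
KEYS = {
    ("saguaro-a", "saguaro-b"): {"auth": b"\x11" * 32, "priv": b"\x22" * 32},
}


def _name(host: str) -> bytes:
    return host.encode().ljust(16, b"\0")


def _keystream(key: bytes, seq: int, length: int) -> bytes:
    """Illustrative counter-mode keystream from HMAC-SHA256; a real system
    would use a standard cipher. (key, seq) is never reused by the sender."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack("!QI", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(src: str, dst: str, seq: int, payload: bytes, privacy: bool = False) -> bytes:
    """Sender side: optional privacy first, then the integrity tag (encrypt-then-MAC)."""
    k = KEYS[(src, dst)]
    flags = FLAG_PRIVACY if privacy else 0
    body = _xor(payload, _keystream(k["priv"], seq, len(payload))) if privacy else payload
    hdr = HDR.pack(_name(src), _name(dst), flags, seq)
    tag = hmac.new(k["auth"], hdr + body, hashlib.sha256).digest()
    return hdr + body + tag


class Receiver:
    """Receiver side: verifies every packet and rejects replays by remembering
    the highest sequence number seen from each source (assumed rule)."""

    def __init__(self, me: str):
        self.me = me
        self.last_seq = {}

    def unprotect(self, packet: bytes):
        if len(packet) < HDR.size + TAG_LEN:
            raise ValueError("truncated packet")
        hdr, body, tag = packet[:HDR.size], packet[HDR.size:-TAG_LEN], packet[-TAG_LEN:]
        src_b, dst_b, flags, seq = HDR.unpack(hdr)
        src, dst = src_b.rstrip(b"\0").decode(), dst_b.rstrip(b"\0").decode()
        if dst != self.me:
            raise ValueError("not addressed to this host")
        k = KEYS.get((src, dst))
        if k is None:
            raise ValueError("no security association with claimed source")
        expect = hmac.new(k["auth"], hdr + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("integrity check failed")
        if seq <= self.last_seq.get(src, -1):
            raise ValueError("replayed packet")
        self.last_seq[src] = seq
        if flags & FLAG_PRIVACY:
            body = _xor(body, _keystream(k["priv"], seq, len(body)))
        return src, body  # src is now an authenticated host identity


# Higher layer: the trust configuration is set by the site administrator and
# is consulted with the authenticated source, never the raw IP header.
TRUSTED = {"alice": {"saguaro-a"}}  # local user -> hosts allowed password-free login


def login_decision(authenticated_src: str, user: str) -> str:
    if authenticated_src in TRUSTED.get(user, set()):
        return "password-free"
    return "password-required"


def demo() -> str:
    """Constructed exchange: saguaro-a asks saguaro-b to log alice in."""
    pkt = protect("saguaro-a", "saguaro-b", 1, b"login alice", privacy=True)
    src, payload = Receiver("saguaro-b").unprotect(pkt)
    return login_decision(src, payload.split()[1].decode())
```

The point of the split is that the login service never looks at the network address: the only identity it sees is the one the packet layer verified with a key that the claimed host must possess, so forging a source address buys an attacker nothing, and a bad tag or a replayed sequence number is dropped before any higher layer runs.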
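As an added example of the guard technique from the routing item above (again illustration code, not the project's guard protocol), a guard sits between the network and an unmodified routing protocol, passes it only messages from authenticated hosts on the current membership list, and accepts membership updates only from a designated manager host with a strictly increasing version number. The authenticated source identity is assumed to come from the lower-layer packet protection service; the manager host, the message shapes and the version rule are assumptions for the illustration.

```python
"""Added example, not the Arizona project's code: a guard that adds peer
authentication and membership checks to a routing protocol without
changing the routing protocol's implementation."""
from dataclasses import dataclass, field


@dataclass
class LegacyRouter:
    """Stand-in for an existing routing protocol that is left unmodified:
    it installs whatever route it is handed."""
    routes: dict = field(default_factory=dict)  # prefix -> (next_hop, advertised_by)

    def receive(self, src: str, msg: tuple) -> None:
        kind, prefix, next_hop = msg
        if kind == "route":
            self.routes[prefix] = (next_hop, src)


@dataclass
class Guard:
    """Wraps LegacyRouter; every message reaches it only through deliver()."""
    inner: LegacyRouter
    manager: str  # assumed: the one host allowed to publish membership lists
    members: set = field(default_factory=set)
    version: int = 0  # version of the membership list currently in force
    log: list = field(default_factory=list)

    def deliver(self, authenticated_src: str, msg: tuple) -> bool:
        """authenticated_src is supplied by the packet protection layer, so a
        forged IP source cannot impersonate a member. Returns True if accepted."""
        if msg[0] == "members":
            return self._update_members(authenticated_src, msg)
        if authenticated_src not in self.members:
            self.log.append(("drop", authenticated_src, "not a member"))
            return False
        self.inner.receive(authenticated_src, msg)
        return True

    def _update_members(self, src: str, msg: tuple) -> bool:
        _, version, members = msg
        if src != self.manager:
            self.log.append(("drop", src, "not the membership manager"))
            return False
        if version <= self.version:  # stale or replayed list (assumed rule)
            self.log.append(("drop", src, "stale membership version %d" % version))
            return False
        self.members, self.version = set(members), version
        return True


def demo() -> dict:
    """Constructed message sequence; returns the routes the legacy router installed."""
    g = Guard(LegacyRouter(), manager="saguaro-m")
    g.deliver("saguaro-a", ("route", "10.1.0.0/16", "saguaro-a"))       # dropped: no list yet
    g.deliver("saguaro-m", ("members", 1, ["saguaro-a", "saguaro-b"]))  # accepted
    g.deliver("saguaro-a", ("route", "10.1.0.0/16", "saguaro-a"))       # accepted
    g.deliver("saguaro-x", ("route", "10.2.0.0/16", "saguaro-x"))       # dropped: not a member
    g.deliver("saguaro-x", ("members", 2, ["saguaro-x"]))               # dropped: not the manager
    g.deliver("saguaro-m", ("members", 1, ["saguaro-a", "saguaro-b"]))  # dropped: replayed version
    g.deliver("saguaro-m", ("members", 2, ["saguaro-b"]))               # accepted: saguaro-a removed
    g.deliver("saguaro-a", ("route", "10.3.0.0/16", "saguaro-a"))       # dropped: no longer a member
    return g.inner.routes
```

The routing code is untouched; all of the new policy lives in the guard, which is why the same wrapper can be reused for any protocol that assumes its peers are who they claim to be. Replaying an old membership list is the attack the version check exists for: without it a removed router could be reinstated by anyone who captured an earlier, genuinely authenticated update.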
An overview of this project is available, and current highlights of this project are also maintained.
Publications:
- [Orma94] H. Orman, S. O'Malley, R. Schroeppel, and D. Schwartz. Paving
the road to network security, or the value of small cobblestones. In
Proceedings of the 1994 Internet Society Symposium on Network and
Distributed System Security, Feb. 1994.
- [Kim95] G. Kim, H. Orman, and S. O'Malley. Implementing a Secure rlogin
Environment: A Case Study of Using a Secure Network Layer Protocol. In
Proceedings of the 5th USENIX Unix Security Symposium, June 1995.
- [Sch95] R. Schroeppel, H. Orman, S. O'Malley, and O. Spatscheck. Fast
Key Exchange with Elliptic Curve Systems. In Proceedings of Crypto '95,
August 1995.
- [Nah95] Erich Nahum, Sean O'Malley, Hilarie Orman, and Richard
Schroeppel. Towards High Performance Cryptographic Software. In Third
IEEE Workshop on the Architecture and Implementation of High Performance
Communication Subsystems (HPCS'95), August 1995.
- [isoc96] Erich Nahum, David Yates, Sean O'Malley, Richard Schroeppel,
and Hilarie Orman. Parallelized Network Security Protocols. In 1996 ISOC
Symposium on Network and Distributed System Security.
Please contact Larry Peterson (llp@cs.arizona.edu) regarding
further information about this research or the WWW page itself.
Last modified: Sun May 9 12:16:23 MST 1999