Closed

This project has closed down, and all project members have left the University.

Recent Accomplishments in Software for Network Security

The research described here is performed at the Department of Computer Science University of Arizona, Tucson Arizona.


Our x-kernel Linux IPSEC release.

Our 1996 summary report for DARPA/ITO.

Our participation in the Crystal City DARPA OS-Security PI meeting in May, 1996.

Our participation in the San Antonio ARPA OS PI meeting in February, 1996.


Modular Software for Secure Protocol Suites

[]

Attacks against Internet hosts arise at all levels of the software, from exploiting bugs in application services to corruption of routing tables and misrepresentation of packet sources. Our graphic illustrates how host machines (symbolized by saguaros, a vegetation unique to the climate zone of our research location) communicate at these different service levels. Our software enhances the services with protections appropriate to the service, and these enhancements are illustrated by colored software modules on the host machines. The enhancements are hierarchically dependent and are protective against network attacks (lightening bolts).

We are developing a broad spectrum approach to securing the Internet, an approach that allows the introduction of carefully tailored security software to enhance the protocols that underly the Internet infrastructure. Our software is modular, reusable, highly configurable, and is being demonstrated in four key areas of immediate interest to Internet users:

Data Authentication, Privacy, and Integrity
We have a prototype of the Internet Packet protocol that uses our cryptographic protocol library to ensure host-to-host integrity and authentication, and optionally privacy. This low-level service is used as the basis for authentication and access control decisions by higher layers, and is easily configurable.

The cryptographic library is indicated by the red modules in the illustration. The packet protection service is the green ribbon and the software module implementing it shown by the green boxes.

[Orm95] Hilarie Orman, Evolving an Implementation of a Network Level Security Protocol.

Application Security: remote login
The privacy of passwords on the Internet has been called into question in recent months, and several protection methods are available. Our contribution is a version of the login protocol that allows mutually trusting hosts to establish their identities securely via the protocol described above and negotiate "password free" logins for trusted users. The trust configuration can be set by site administrators.

This level of service is indicated by the fuschia ribbon in the illustration.

Routing Table Interity and Access Control: membership lists.
The integrity of routing tables is essential to the security of networks, and a virtual subnetwork of mutually trusting packet routers must be established in order to guarantee packet delivery. By building on the host authentication services provided in the first item, we have been able to create a simple protocol for securely maintaining and sharing membership lists. This is being incorporated into a guard protocol that adds security features to an existing routing protocol without changing its implementation. This guard technique will be developed into a generic method for adding security layers to protocols that assume peer authentcation.

The membership management is illustrated by the blue ribbon linking the central "hosts" in the illustration.

Scalable Key Management.
Cryptographic keys underly almost all security features in large-scale networks, and we are following several active proposals for large-scale key management schemes by prototyping the methods with working code. These are being used in conjunction with the packet protection scheme, and our timing results are being shared and compared with other researchers on an almost daily basis.

[OrmOak96] Hilarie Orman, The Oakley Key Exchange Protocol (an IETF draft).

[Schr95] R. Schroeppel, H. Orman, S. O'Malley, and O. Spatscheck. Fast Key Exchange with Elliptic Curve Systems. In Advances in Cryptology -- Crypto '95, Santa Barbara, California, Aug. 1995.

[Nahum95isoc] E. Nahum, D. Yates, R. Schroeppel, H. Orman, and S. O'Malley. Towards High Performance Cryptographic Software. To appear in Proceedings of the ISOC Secure Networks and Distributed Systems Symposium, San Diego, California, Feb. 1996.

An overview of this project is available. Current highlights of this project also maintained.

Publications:

[Orma94]
H. Orman, S. O'Malley, R. Schroeppel, and D. Schwartz. Paving the road to network security, or the value of small cobblestones. In Proceedings of the 1994 Internet Society Symposium on Network and Distributed System Security, Feb. 1994.
[Kim95]
G. Kim, H. Orman, S. O'Malley. Implementing a Secure rlogin Environment: A Case Study of Using a Secure Network Layer Protocol. In Proceedings of the 5th USENIX Unix Security Symposium, June 1995.
[Sch95]
R. Schroeppel, H. Orman, S. O'Malley, O. Spatscheck. Fast Key Exchange with Elliptic Curve Systems. In Proceeding of Crypto 95, August 1995.
[Nah95]
Erich Nahum, Sean O'Malley, Hilarie Orman, Richard Schroeppel. Towards High Performance Cryptographic Software. In Third IEEE Workshop on the Architecture and Implementation of High Performance Communication Subsystems (HPCS'95). August 1995.
[isoc96]
Erich Nahum, David Yates, Sean O'Malley, Richard Schroeppel, Hilarie Orman. Parallelized Network Security Protocols. 1996 ISOC Symposium on Network and Distributed System Security.

Please contact Larry Peterson (llp@cs.arizona.edu) regarding further information about this research or the WWW page itself.


Last modified: Sun May 9 12:16:23 MST 1999