Secure Wireless Networking

Adrian Perrig,Wade Trappe,Virgil Gligor,Radha Poovendran,이희조 한국통신학회 2009 Journal of communications and networks Vol.11 No.6

Coordination of Anti-Spoofing Mechanisms in Partial Deployments

안혁,이희조,Adrian Perrig 한국통신학회 2016 Journal of communications and networks Vol.18 No.6

Internet protocol (IP) spoofing is a serious problem onthe Internet. It is an attractive technique for adversaries who wishto amplify their network attacks and retain anonymity. Many approacheshave been proposed to prevent IP spoofing attacks; however,they do not address a significant deployment issue, i.e., filteringinefficiency caused by a lack of deployment incentives foradopters. To defeat attacks effectively, one mechanism must bewidely deployed on the network; however, the majority of the antispoofingmechanisms are unsuitable to solve the deployment issueby themselves. Each mechanism can work separately; however,their defensive power is considerably weak when insuffi-ciently deployed. If we coordinate partially deployed mechanismssuch that they work together, they demonstrate considerably superiorperformance by creating a synergy effect that overcomestheir limited deployment. Therefore, we propose a universal antispoofing(UAS) mechanism that incorporates existing mechanismsto thwart IP spoofing attacks. In the proposed mechanism, intermediaterouters utilize any existing anti-spoofing mechanism thatcan ascertain if a packet is spoofed and records this decision inthe packet header. The edge routers of a victim network can estimatethe forgery of a packet based on this information sent by theupstream routers. The results of experiments conducted with realInternet topologies indicate that UAS reduces false alarms up to84.5% compared to the case where each mechanism operates individually.

Coordination of Anti-Spoofing Mechanisms in Partial Deployments

An, Hyok,Lee, Heejo,Perrig, Adrian The Korea Institute of Information and Commucation 2016 Journal of communications and networks Vol.18 No.6

Internet protocol (IP) spoofing is a serious problem on the Internet. It is an attractive technique for adversaries who wish to amplify their network attacks and retain anonymity. Many approaches have been proposed to prevent IP spoofing attacks; however, they do not address a significant deployment issue, i.e., filtering inefficiency caused by a lack of deployment incentives for adopters. To defeat attacks effectively, one mechanism must be widely deployed on the network; however, the majority of the anti-spoofing mechanisms are unsuitable to solve the deployment issue by themselves. Each mechanism can work separately; however, their defensive power is considerably weak when insufficiently deployed. If we coordinate partially deployed mechanisms such that they work together, they demonstrate considerably superior performance by creating a synergy effect that overcomes their limited deployment. Therefore, we propose a universal anti-spoofing (UAS) mechanism that incorporates existing mechanisms to thwart IP spoofing attacks. In the proposed mechanism, intermediate routers utilize any existing anti-spoofing mechanism that can ascertain if a packet is spoofed and records this decision in the packet header. The edge routers of a victim network can estimate the forgery of a packet based on this information sent by the upstream routers. The results of experiments conducted with real Internet topologies indicate that UAS reduces false alarms up to 84.5% compared to the case where each mechanism operates individually.

Flexible, Extensible, and Efficient VANET Authentication

Ahren Studer,Fan Bai,Bhargav Bellur,Adrian Perrig 한국통신학회 2009 Journal of communications and networks Vol.11 No.6

Although much research has been conducted in the area of authentication in wireless networks, vehicular ad-hoc networks (VANETs) pose unique challenges, such as real-time constraints, processing limitations, memory constraints, frequently changing senders, requirements for interoperability with existing standards, extensibility and flexibility for future requirements, etc. No currently proposed technique addresses all of the requirements for message and entity authentication in VANETs. After analyzing the requirements for viable VANET message authentication, we propose a modified version of TESLA, TESLA++, which provides the same computationally efficient broadcast authentication as TESLA with reduced memory requirements. To address the range of needs within VANETs we propose a new hybrid authentication mechanism, VANET authentication using signatures and TESLA++ (VAST), that combines the advantages of ECDSA signatures and TESLA++. Elliptic curve digital signature algorithm (ECDSA) signatures provide fast authentication and non-repudiation, but are computationally expensive. TESLA++ prevents memory and computation-based denial of service attacks. We analyze the security of our mechanism and simulate VAST in realistic highway conditions under varying network and vehicular traffic scenarios. Simulation results show that VAST outperforms either signatures or TESLA on its own. Even under heavy loads VAST is able to authenticate 100% of the received messages within 107ms. VANETs use certificates to achieve entity authentication (i.e., validate senders). To reduce certificate bandwidth usage, we use Hu et al.’s strategy of broadcasting certificates at fixed intervals, independent of the arrival of new entities. We propose a new certificate verification strategy that prevents denial of service attacks while requiring zero additional sender overhead. Our analysis shows that these solutions introduce a small delay, but still allow drivers in a worst case scenario over 3 seconds to respond to a dangerous situation.

Flexible, Extensible, and Efficient VANET Authentication

Studer, Ahren,Bai, Fan,Bellur, Bhargav,Perrig, Adrian The Korea Institute of Information and Commucation 2009 Journal of communications and networks Vol.11 No.6

Although much research has been conducted in the area of authentication in wireless networks, vehicular ad-hoc networks (VANETs) pose unique challenges, such as real-time constraints, processing limitations, memory constraints, frequently changing senders, requirements for interoperability with existing standards, extensibility and flexibility for future requirements, etc. No currently proposed technique addresses all of the requirements for message and entity authentication in VANETs. After analyzing the requirements for viable VANET message authentication, we propose a modified version of TESLA, TESLA++, which provides the same computationally efficient broadcast authentication as TESLA with reduced memory requirements. To address the range of needs within VANETs we propose a new hybrid authentication mechanism, VANET authentication using signatures and TESLA++ (VAST), that combines the advantages of ECDSA signatures and TESLA++. Elliptic curve digital signature algorithm (ECDSA) signatures provide fast authentication and non-repudiation, but are computationally expensive. TESLA++ prevents memory and computation-based denial of service attacks. We analyze the security of our mechanism and simulate VAST in realistic highway conditions under varying network and vehicular traffic scenarios. Simulation results show that VAST outperforms either signatures or TESLA on its own. Even under heavy loads VAST is able to authenticate 100% of the received messages within 107ms. VANETs use certificates to achieve entity authentication (i.e., validate senders). To reduce certificate bandwidth usage, we use Hu et al.'s strategy of broadcasting certificates at fixed intervals, independent of the arrival of new entities. We propose a new certificate verification strategy that prevents denial of service attacks while requiring zero additional sender overhead. Our analysis shows that these solutions introduce a small delay, but still allow drivers in a worst case scenario over 3 seconds to respond to a dangerous situation.

Access Right Assignment Mechanisms for Secure Home Networks

Tiffany Hyun-Jin Kim,Lujo Bauer,James Newsome,Adrian Perrig,Jesse Walker 한국통신학회 2011 Journal of communications and networks Vol.13 No.2

The proliferation of advanced technologies has been altering our lifestyle and social interactions–the next frontier is the digital home. Although the future of smart homes is promising,many technical challenges must be addressed to achieve convenience and security. In this paper, we delineate the unique combination of security challenges specifically for access control and consider the challenges of how to simply and securely assign access control policies to visitors for home devices and resources. We present a set of intuitive access control policies and suggest four access control settings based on our in-person interview results. Furthermore,we propose the automated Clairvoyant access right assignment (CARA) mechanism that utilizes home owners’ social relationship to automatically deduce to which class a visitor belongs. The combination of CARA and the suggested mapping provides a promising first step for home policy assignment such that nonexpert home owners can let visitors use their home network with confidence. We anticipate that future research can build on our proposed mechanisms to provide confidence to non-expert home owners for letting visitors use their home network.

Access Right Assignment Mechanisms for Secure Home Networks

Kim, Tiffany Hyun-Jin,Bauer, Lujo,Newsome, James,Perrig, Adrian,Walker, Jesse The Korea Institute of Information and Commucation 2011 Journal of communications and networks Vol.13 No.2

The proliferation of advanced technologies has been altering our lifestyle and social interactions-the next frontier is the digital home. Although the future of smart homes is promising, many technical challenges must be addressed to achieve convenience and security. In this paper, we delineate the unique combination of security challenges specifically for access control and consider the challenges of how to simply and securely assign access control policies to visitors for home devices and resources. We present a set of intuitive access control policies and suggest four access control settings based on our in-person interview results. Furthermore, we propose the automated Clairvoyant access right assignment (CARA) mechanism that utilizes home owners' social relationship to automatically deduce to which class a visitor belongs. The combination of CARA and the suggested mapping provides a promising first step for home policy assignment such that nonexpert home owners can let visitors use their home network with confidence. We anticipate that future research can build on our proposed mechanisms to provide confidence to non-expert home owners for letting visitors use their home network.