Hop Integrity in the Internet (eBook)
XI, 112 pages
Springer US (publisher)
978-0-387-29444-5 (ISBN)
Denial-of-service attacks are one of the most severe challenges confronting the online world. This ground-breaking volume discusses a new method of countering denial-of-service attacks called hop integrity. It details a suite of protocols for providing hop integrity. In particular, each protocol in this suite is specified and verified using an abstract and formal notation, called the Secure Protocol Notation. In addition, the book presents an alternative way to achieve strong hop integrity with hard sequence numbers.
Hop Integrity in the Internet introduces a new security defense, hop integrity, that can be used against denial-of-service attacks in the Internet. If a message that is part of a denial-of-service attack is originated by an adversarial host in the Internet and if the message header includes a wrong address for the originating host (in order to hide the true source of the attack), then the message will be classified as modified or replayed and will be discarded by the first router that receives the message in the Internet.

A suite of protocols for providing hop integrity in the Internet is discussed in great detail. In particular, each protocol in the suite is specified and verified using an abstract and formal notation called the Secure Protocol Notation. The protocols include:
- Secure address resolution
- Weak hop integrity
- Strong hop integrity using soft sequence numbers
- Strong hop integrity using hard sequence numbers

Other benefits of hop integrity extend to secure routing, mobile IP, and IP multicast.
Contents
Preface
Chapter 1 INTRODUCTION
Chapter 2 ABSTRACT PROTOCOL NOTATION
  1. PROCESSES AND CHANNELS
  2. CONSTANTS, VARIABLES, AND ACTIONS
  3. STATE TRANSITION DIAGRAM
  4. PROCESS ARRAYS, PARAMETERS, AND PARAMETERIZED ACTIONS
Chapter 3 ABSTRACT SECURE PROTOCOLS
  1. ASSUMPTIONS ABOUT THE ADVERSARY
  2. SECURITY KEYS
  3. MESSAGE DIGESTS
  4. NONCES
  5. TIMEOUT ACTIONS
  6. AN EXAMPLE PROTOCOL WITH SECURITY FEATURES
Chapter 4 DENIAL-OF-SERVICE ATTACKS
  1. COMMUNICATION-STOPPING ATTACKS
  2. RESOURCE-EXHAUSTING ATTACKS
Chapter 5 SECURE ADDRESS RESOLUTION PROTOCOL
  1. ARCHITECTURE OF SECURE ADDRESS RESOLUTION
  2. THE INVITE-ACCEPT PROTOCOL
  3. THE REQUEST-REPLY PROTOCOL
  4. EXTENSIONS
    4.1 Insecure Address Resolution
    4.2 A Backup Server
    4.3 System Diagnosis
    4.4 Serving Multiple Ethernets
Chapter 6 WEAK HOP INTEGRITY PROTOCOL
  1. SECRET EXCHANGE PROTOCOL
  2. WEAK INTEGRITY CHECK PROTOCOL
Chapter 7 STRONG HOP INTEGRITY USING SOFT SEQUENCE NUMBERS
  1. SOFT SEQUENCE NUMBER PROTOCOL
  2. STRONG INTEGRITY CHECK PROTOCOL
Chapter 8 STRONG HOP INTEGRITY USING HARD SEQUENCE NUMBERS
  1. HARD SEQUENCE NUMBER PROTOCOL
  2. A PROTOCOL WITH SAVE AND FETCH OPERATIONS
  3. CONVERGENCE OF NEW HARD SEQUENCE NUMBER PROTOCOL
  4. APPLICATION OF SAVE AND FETCH IN STRONG HOP INTEGRITY PROTOCOL
  5. TRADEOFFS BETWEEN SOFT SEQUENCE NUMBERS AND HARD SEQUENCE NUMBERS
Chapter 9 IMPLEMENTATION CONSIDERATIONS
  1. KEYS AND SECRETS
  2. TIMEOUTS
  3. SEQUENCE NUMBERS
  4. MESSAGE OVERHEAD
Chapter 10 OTHER USES OF HOP INTEGRITY
  1. MOBILE IP
  2. SECURE MULTICAST
  3. SECURITY OF ROUTING PROTOCOLS
    3.1 Security of RIP
    3.2 Security of OSPF
    3.3 Security of RSVP
  4. SECURITY IN AD HOC NETWORKS AND SENSOR NETWORKS
References
Index
Chapter 6 WEAK HOP INTEGRITY PROTOCOL (p. 55-56)
In this and the next two chapters, we present the hop integrity protocols. The hop integrity protocols belong to two thin layers, namely the secret exchange layer and the integrity check layer, that need to be added to the network layer of the protocol stack of each router in a network. The function of the secret exchange layer is to allow adjacent routers to periodically generate and exchange (and so share) new secrets. The exchanged secrets are made available to the integrity check layer, which uses them to compute and verify the integrity check for every data message transmitted between the adjacent routers.
Figure 6.1 shows the protocol stacks in two adjacent routers p and q. The secret exchange layer has one protocol: the secret exchange protocol. This protocol consists of the two processes pe and qe in routers p and q, respectively. The integrity check layer has two protocols: the weak integrity check protocol and the strong integrity check protocol. The weak version consists of the two processes pw and qw in routers p and q, respectively. This version can detect message modification, but not message replay. The strong version of the integrity check layer consists of the two processes ps and qs in routers p and q, respectively. This version can detect both message modification and message replay.
In this chapter, we present the weak hop integrity protocol, which is the combination of the secret exchange protocol and the weak integrity check protocol. In the next chapter, we present the strong hop integrity protocol, which is the combination of the secret exchange protocol and the strong integrity check protocol.
This chapter is organized as follows. First, we present the secret exchange protocol, and verify its correctness. Then, we present the weak integrity check protocol, and verify its correctness.
1. SECRET EXCHANGE PROTOCOL
In the secret exchange protocol, the two processes pe and qe maintain two shared secrets sp and sq. Secret sp is used by router p to compute the integrity check for each data message sent by p to router q, and it is also used by router q to verify the integrity check for each data message received by q from router p. Similarly, secret sq is used by q to compute the integrity checks for data messages sent to p, and it is used by p to verify the integrity checks for data messages received from q.
As part of maintaining the two secrets sp and sq, processes pe and qe need to change these secrets periodically, say every te hours, for some chosen value te. Process pe initiates the change of secret sq, and process qe initiates the change of secret sp. Processes pe and qe each have a public key and a private key, which they use to encrypt and decrypt the messages.
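The following Python model is an added example and is not code from the book. It illustrates the two-layer structure described above (the secret exchange layer maintaining the directional secrets sp and sq, and the weak versus strong integrity check layer) on one hop between routers p and q. Everything below the layer structure is an assumption for the sake of a runnable demonstration: HMAC-SHA256 stands in for the book's message digest, the public-key encryption that protects a new secret in transit is collapsed into a direct assignment, and the strong version is modelled with a plain monotonically increasing counter rather than the book's soft or hard sequence number protocols.

```python
"""Toy model of the two hop-integrity layers between adjacent routers p and q.

Assumptions (not from the book): HMAC-SHA256 stands in for the message digest,
delivery of a new secret under the peer's public key is abstracted to an
assignment, and strong hop integrity uses a simple increasing counter.
"""
import hashlib
import hmac
import os


def integrity_check(secret: bytes, payload: bytes) -> bytes:
    """Keyed digest over the payload; only holders of `secret` can produce it."""
    return hmac.new(secret, payload, hashlib.sha256).digest()


class Router:
    def __init__(self, name: str) -> None:
        self.name = name
        self.send_secret = b""   # secret for checks on messages this router sends
        self.recv_secret = b""   # secret for verifying messages this router receives
        self.send_seq = 0        # strong version: next sequence number to send
        self.recv_seq = -1       # strong version: highest sequence number accepted


def exchange_secrets(p: Router, q: Router) -> None:
    """Secret exchange layer: pe initiates the change of sq, qe the change of sp."""
    sq = os.urandom(32)          # chosen by pe; q uses it to send, p to verify
    q.send_secret, p.recv_secret = sq, sq
    sp = os.urandom(32)          # chosen by qe; p uses it to send, q to verify
    p.send_secret, q.recv_secret = sp, sp


# Weak integrity check: data plus digest, no sequence number.
def weak_send(r: Router, data: bytes) -> tuple:
    return data, integrity_check(r.send_secret, data)


def weak_receive(r: Router, msg: tuple) -> bool:
    data, tag = msg
    return hmac.compare_digest(tag, integrity_check(r.recv_secret, data))


# Strong integrity check: the sequence number is covered by the digest and
# must be fresh, so a replayed copy of a genuine message is rejected.
def strong_send(r: Router, data: bytes) -> tuple:
    seq, r.send_seq = r.send_seq, r.send_seq + 1
    tag = integrity_check(r.send_secret, seq.to_bytes(8, "big") + data)
    return seq, data, tag


def strong_receive(r: Router, msg: tuple) -> bool:
    seq, data, tag = msg
    expected = integrity_check(r.recv_secret, seq.to_bytes(8, "big") + data)
    if not hmac.compare_digest(tag, expected):
        return False             # modified, forged, or sent under a stale secret
    if seq <= r.recv_seq:
        return False             # replay (or reordering, which the toy counter
    r.recv_seq = seq             # cannot tell apart from replay)
    return True


def demo() -> dict:
    """Drive both versions across one hop and report what each one catches."""
    p, q = Router("p"), Router("q")
    exchange_secrets(p, q)
    out = {}

    data, tag = weak_send(p, b"constructed data message")   # constructed input
    out["weak_accepts_genuine"] = weak_receive(q, (data, tag))
    out["weak_rejects_modified"] = not weak_receive(q, (b"X" + data[1:], tag))
    out["weak_rejects_replay"] = not weak_receive(q, (data, tag))   # stays False

    # An adversary without sp cannot forge a check for a message that claims
    # to come from p, which is what defeats a spoofed-source DoS packet.
    forged = (data, integrity_check(os.urandom(32), data))
    out["weak_rejects_forged"] = not weak_receive(q, forged)

    msg = strong_send(p, b"constructed data message")
    out["strong_accepts_genuine"] = strong_receive(q, msg)
    out["strong_rejects_replay"] = not strong_receive(q, msg)
    out["strong_accepts_next"] = strong_receive(q, strong_send(p, b"next"))

    # Rotating the secrets invalidates checks computed under the old ones.
    old = strong_send(p, b"in flight during rotation")
    exchange_secrets(p, q)
    out["old_secret_rejected_after_rotation"] = not strong_receive(q, old)
    return out
```

Running `demo()` shows the point of the chapter split: the weak check rejects the modified and the forged message but accepts the replayed one, while the strong check rejects all three. The last case is the practitioner's caveat: a genuine message that was sent just before the secrets were rotated fails verification afterwards, which is why a real deployment has to keep the previous secret valid for some window around each change (the book treats this under its timeout and key-handling considerations).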
| Field | Value |
|---|---|
| Publication date (per publisher) | 24.5.2006 |
| Series | Advances in Information Security |
| Additional information | XI, 112 p. 17 illus. |
| Place of publication | New York |
| Language | English |
| Subject areas | Computer Science ► Networks ► Security / Firewall; Computer Science ► Theory / Study ► Algorithms; Computer Science ► Theory / Study ► Cryptology; Computer Science ► Other Topics ► Hardware; Natural Sciences; Engineering ► Telecommunications |
| Keywords | HOP • Host • Internet • Online • Router • Routing • security |
| ISBN-10 | 0-387-29444-9 / 0387294449 |
| ISBN-13 | 978-0-387-29444-5 / 9780387294445 |
Size: 5.2 MB
DRM: digital watermark
This eBook contains a digital watermark and is therefore personalised to you. If the eBook is improperly passed on to third parties, it can be traced back to its source.
File format: PDF (Portable Document Format)