Research Interests

• network security
• security protocol engineering
• security of mobility protocols
• privacy of network users
• denial-of-service resistance

Short bio

I received a Master’s degree with major in theoretical computer science from Helsinki University of Technology (TKK), Finland,in 1995 and a doctoral degree in 2000. My thesis was on authorization and availability in distributed systems. Since then, I’ve been working as a researcher in the security group at Microsoft Research in Cambridge, UK. My research interests are around network security, mobility, privacy, and denial-of-service. I enjoy teaching and give courses on security at TKK, where I was appointed a professor in 2008, and at University College London (UCL).

Selected projects

Infrastructureless security for Internet mobility and IPv6

Like all new technologies, mobility creates new security issues. If location updates are not authenticated, attackers could spoof them in order to cause denial of service or to hijack data and connections. The challenge in Internet protocols, such as Mobile IPv6, is that there is no global security infrastructure (e.g., PKI or AuC) for the authentication. We developed routing-based infrastructureless authentication solutions that prevent spoofing of location information. We also discovered the so-called bombing attack, a packet-flooding attack in which the attacker redirects data streams to the target by telling the sender that it has moved to the target address.Similar problems appear in almost any mobility and multihoming solution for the Internet. Our return-routability protocol is now part of the Mobile IPv6 standard and has become the baseline security solution for new mobility protocols.

Mobile nodes often roam on insecure local links where some nodes may be malicious. The secure neighbor discovery (SEND) for IPv6 prevents some common on-link attacks (e.g., ND spoofing, the IPv6 equivalent of ARP spoofing). The protocol uses cryptographically generated addresses (CGA), which include a hash of the computer's public key in the interface-identifier part of the IPv6 address. (See also the RFC.) Since the interface identifier only has about 62 bits available for the hash, the mechanism could be vulnerable to brute-force attacks. For this reason, I developed the idea of hash extension, which almost magically stuffs >64 hash bits into <64 bits.

Privacy implications of mobility and other new services

New communications technology always has implications for the privacy users. One such question is whether mobile computer users can move around anonymously. We looked at the issue of location privacy from the point of view of casual observers at the access link. Network chatter, in particular failed attempts to connect to services that are not available on the current link, reveals a lot of information about the user identity and affiliations. The chatter originates from all layers of the protocol stack and from so many different applications that there is no simple way to prevent it. We suggest the following policy: computers should discover or connect to services automatically only when they can identify the network and knows that the service is available on that network. This requires a secure mechanism for recognizing networks, such as our secure network location awareness protocol, which is based on public-key authentication of DHCP servers. The algorithms that we used to detect and analyze network chatter were also useful for detecting PII leaks in digital documents.

IPsec and distributed security policies

The IPsec security architecture has been designed mainly for VPN tunnels, yet it is often assumed that it can be used for all authentication and confidentiality requirements that ever arise in the Internet. When transport-mode IPsec was deployed at Microsoft, we found that it is not easy to configure IPsec for host-to-host protection. Initially, we wanted to find easier, compositional ways of specifying security policies. It turns out, however, that there are fundamental problems with the IPsec architecture. Indeed, my current understanding is that security should not and cannot be implemented as a transparent layer deep in the protocol stack because each protocol layer and application has different security requirements, inluding different identifiers and roots of trust for authentication.

Teaching network security

I teach network security at Department of Computer Science and Engineering, Helsinki University of Technology (TKK) and at University College London (UCL). The slides below are from my lectures at TKK and UCL. Note that slide sets 1-10 are in logical order, the later ones pretty much independent. Feel free to use these as the basis for your own lectures. Email me for the PowerPoint files. (Slides last updated in December 2008.)

Publications

Most of my publications are available online (with abstracts).