Designing secure Internet protocols

This page summarizes research on the design of secure networking protocols in the Security Group at Microsoft Research, UK.

DoS attacks against routing in mobility protocols

(Tuomas Aura)

We discovered and implemented a denial-of-service attack against mobility protocols that use a forwarding agent, such as Mobile IP and NEMO. The attack works by connecting two or more forwarding agents into a loop. In experiments, a slow stream of data (<100 B/s) sent to one of the agents results in exhaustion of their network bandwidth when the data is amplified in the loop. In the worst case, a single packet can cause a network outage lasting minutes. Interestingly, this obviously fatal DoS attack was not even discussed during the specification of the protocols because it falls outside the threat model that was used. We also identified and are evaluating potential countermeasures. This work was done together with Shah Mahmood at UCL. The attack implementation was his Master’s thesis project.

Analysis of security protocols

(Tuomas Aura, Michael Roe)

New network and security protocols need to be analyzed for vulnerabilities, particularly if they introduce new technical ideas. The Host Identity Protocol (HIP) aims to change the Internet architecture, and it uses several relatively new features in the key exchange. We analyzed a draft of the protocol. But flaws are not only found in new protocols. Microsoft was one of the first organizations to deploy host-to-host (transport-mode) IPsec to its intranet. We report the fundamental architectural issues that were found during that process, some of which may push a wider deployment of host-to-host IPsec into the distant future.

Tuomas Aura, Aarthi Nagarajan, and Andrei Gurtov. Analysis of the HIP Base Exchange Protocol. In proceedings of 10th Australasian Conference on Information Security and Privacy (ACISP 2005), Brisbane, Australia, July 2005.

Tuomas Aura, Michael Roe and Anish Mohammed. Experiences with Host-to-Host IPsec Security Protocols, 13th International Workshop on Security Protocols, Cambridge, UK, April 2005.

Cryptographically Generated Addresses

(Tuomas Aura, Michael Roe, Greg O’Shea)

Cryptographically generated addresses (CGA) are IPv6 addresses where up to 64 address bits are generated by hashing the address owner's public key. The address owner uses the corresponding private key to assert address ownership and to sign messages sent from the address without a PKI or other security infrastructure. The CGA-based authentication can be used to protect IP-layer signaling protocols including neighbor discovery and mobility protocols. It can also be used for key exchange in opportunistic IPsec. The CGA idea originated in a paper on child-proof authentication for Mobile IPv6 (CAM). It was standardized in RFC 3972 and used for the secure neighbor discovery protocol.
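The address binding described above, worked through as an added example (not code from the original page or from RFC 3972): it follows the Hash1/Hash2 construction of RFC 3972 with SHA-1, leaves out extension fields and the signature step, and uses a constructed byte string where a DER-encoded public key would go. Function and parameter names are assumptions made for illustration.

```python
import hashlib
import ipaddress
import os

MASK = 0x1CFFFFFFFFFFFFFF  # ignores the Sec bits (0-2) and the u/g bits (6-7)

def _sha1_bits(data, nbits):
    """Leftmost nbits of SHA-1(data) as an integer."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") >> (160 - nbits)

def _hash2_ok(modifier, pubkey, sec):
    # Hash2 covers modifier | 9 zero octets | public key; its 16*Sec
    # leftmost bits must be zero (the hash extension).
    h2 = _sha1_bits(modifier + bytes(9) + pubkey, 112)
    return h2 >> (112 - 16 * sec) == 0

def cga_generate(prefix, pubkey, sec=1, modifier=None, collisions=0):
    """Return (address, modifier) for an 8-byte subnet prefix."""
    m = int.from_bytes(modifier or os.urandom(16), "big")
    # Brute-force search: costs about 2**(16*sec) hashes for the owner,
    # and the same factor is added to an attacker's work.
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % (1 << 128)
    modifier = m.to_bytes(16, "big")
    # Hash1 binds modifier, subnet prefix, collision count and key.
    h1 = _sha1_bits(modifier + prefix + bytes([collisions]) + pubkey, 64)
    iid = (h1 & MASK) | (sec << 61)  # Sec goes in the three leftmost bits
    addr = ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))
    return addr, modifier

def cga_verify(addr, modifier, prefix, collisions, pubkey):
    """Check that addr is bound to pubkey under the given CGA parameters."""
    raw = ipaddress.IPv6Address(addr).packed
    if collisions not in (0, 1, 2) or raw[:8] != prefix:
        return False
    iid = int.from_bytes(raw[8:], "big")
    h1 = _sha1_bits(modifier + prefix + bytes([collisions]) + pubkey, 64)
    if (h1 & MASK) != (iid & MASK):
        return False
    # Sec is read from the address itself, so it cannot be downgraded.
    return _hash2_ok(modifier, pubkey, iid >> 61)
```

A verifier that accepts the binding still has to check a signature made with the matching private key before treating a message as coming from the address owner.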

Tuomas Aura. Cryptographically Generated Addresses (CGA). In Proc. 6th Information Security Conference (ISC'03), volume 2851 of LNCS, pages 29-43, Bristol, UK, October 2003. Springer.

Tuomas Aura. Cryptographically Generated Addresses (CGA). RFC 3972, IETF, March 2005.

Tuomas Aura, Michael Roe. Hash extension. Unpublished manuscript 2006.

Security of Internet mobility

(Tuomas Aura, Michael Roe, Greg O’Shea)

In the Mobile IPv6 protocol, the mobile node sends binding updates to its correspondents to inform them about its current location. This location information must be authenticated but traditional authentication mechanisms, such as PKI, do not work well between arbitrary Internet nodes. We have studied "infrastructureless" protection mechanisms that do not need any new security infrastructure. We also identified previously unknown threats created by location management that go beyond unauthentic location data. In particular, the attacker can redirect data to bomb third parties and induce unnecessary authentication. Our threat analysis and assessment of the defense mechanisms formed the basis for the design of a secure location management protocol for the standard Mobile IPv6 protocol. Many of the same threats should be considered when designing any location management mechanism for open networks, including mobility or multihoming in the transport layer.

Tuomas Aura and Michael Roe. Designing the Mobile IPv6 Security Protocol. Annals of telecommunications, volume 61 number 3-4, March-April 2006. Also appeared as MSR-TP-2006-42.

Tuomas Aura, Pekka Nikander and Gonzalo Camarillo. Effects of Mobility and Multihoming on Transport-Protocol Security. In Proc. 2004 IEEE Symposium on Security and Privacy (SSP'04), Berkeley, CA USA, May 2004. IEEE Computer Society.

We also optimized the wireless LAN handover protocol:

Tuomas Aura and Michael Roe. Reducing Reauthentication Delay in Wireless Networks. In proceedings of IEEE SecureComm 2005, Athens, Greece, September 2005.