protocol security
Recently Published Documents


Total documents: 121 (five years: 25)

H-index: 10 (five years: 1)

2021 ◽  
Vol 1 (13) ◽  
pp. 3-11
Author(s):  
Phan Văn Kỷ ◽  
La Hữu Phúc

Abstract—IPSec (Internet Protocol Security) is a suite of security protocols that aims to protect data traffic over the Internet. Each secure connection in the IPSec deployment model has its own set of algorithms and security parameters. To ensure that secure connections operate stably in high-bandwidth environments, managing multiple secure connections simultaneously on an IPSec device plays a very important role. Due to the complexity of the management process, this is commonly done by software on the operating system. This solution is limited by the data exchange between the Field Programmable Gate Array (FPGA) and the microprocessor. In this article, the authors propose a solution for organizing and managing secure connections after the Internet Key Exchange (IKE) protocol has been used to exchange keys for IPSec, implemented on FPGA using a hardware description language, to meet high-speed requirements with many connections.


2021 ◽  
Vol 2021 ◽  
pp. 1-15
Author(s):  
Fuyuan Luo ◽  
Tao Feng ◽  
Lu Zheng

With the rapid development of wireless communication technology in the field of industrial control systems, Wireless HART is an international wireless standard, because of its low cost and strong scalability, as well as its wide range of applications in the industrial control field. However, its communication is more open, which increases the possibility of external attacks. At present, there are many types of research on wireless protocol security at home and abroad, but they all focus on the realization of the security function of the protocol itself, which has certain limitations for the formal modeling of the protocol security assessment. Taking into account the aforementioned research status, this paper takes the Wireless HART protocol as the research object and adopts the model detection method combining eCK model theory and colored Petri net theory to evaluate and improve the security of the protocol. First, the colored Petri net theory and the CPN Tools modeling tool were introduced to verify the consistency of the original model of the protocol, and the eCK model was used to evaluate the security of the original protocol model. It was found that the protocol has two types of man-in-the-middle attack vulnerabilities: tampering and deception. Aiming at the attack loopholes of the protocol, an improvement plan was proposed. After improving the original protocol, the CPN Tools modeling tool was used for security verification. It was found that the new scheme improvement can effectively prevent the existing attacks and reasonably improve the security of the protocol.


Entropy ◽  
2021 ◽  
Vol 23 (10) ◽  
pp. 1294
Author(s):  
Kejia Zhang ◽  
Xu Zhao ◽  
Long Zhang ◽  
Guojing Tian ◽  
Tingting Song

Quantum dual-signature means that two signed quantum messages are combined and expected to be sent to two different recipients. A quantum signature requires the cooperation of two verifiers to complete the whole verification process. As an important quantum signature aspect, the trusted third party is introduced to the current protocols, which affects the practicability of the quantum signature protocols. In this paper, we propose a quantum dual-signature protocol without arbitrator and entanglement for the first time. In the proposed protocol, two independent verifiers are introduced, who may be dishonest but do not collaborate. Furthermore, strongly nonlocal orthogonal product states are used to preserve the protocol security, i.e., no one can deny or forge a valid signature, even if some of them conspire. Compared with existing quantum signature protocols, this protocol does not require a trusted third party and entanglement resources.


2021 ◽  
Vol 1 (2) ◽  
pp. 239-251
Author(s):  
Ky Tran ◽  
Sid Keene ◽  
Erik Fretheim ◽  
Michail Tsikerdekis

Marine network protocols are domain-specific network protocols that aim to incorporate particular features within the specialized marine context that devices are implemented in. Devices implemented in such vessels involve critical equipment; however, limited research exists for marine network protocol security. In this paper, we provide an analysis of several marine network protocols used in today’s vessels and provide a classification of attack risks. Several protocols involve known security limitations, such as Automated Identification System (AIS) and National Marine Electronic Association (NMEA) 0183, while newer protocols, such as OneNet, provide more security hardiness. We further identify several challenges and opportunities for future implementations of such protocols.


TEM Journal ◽  
2021 ◽  
pp. 38-44
Author(s):  
Robbi Rahim ◽  
Nik Adilah Hanin Zahri ◽  
Mohd Nazri Bin Mohd Warip

The password-based approach is widely used as an exchange model in many areas such as smartphones, computers and other devices in which the keys are directly distributed to the recipients. Therefore, the implementation of cryptographic protocols without key exchange remains an undesirable area. The three-pass protocol is an instrument that enables sender and receiver to send encrypted data without any of the keys being transmitted to recipients. Furthermore, this process eliminates key exchange between senders and recipients when there is three-way direct communication using their own keys.


2021 ◽  
pp. 1-42
Author(s):  
Abraão Aires Urquiza ◽  
Musab A. Alturki ◽  
Tajana Ban Kirigin ◽  
Max Kanovich ◽  
Vivek Nigam ◽  
...  

Protocol security verification is one of the best success stories of formal methods. However, some aspects important to protocol security, such as time and resources, are not covered by many formal models. While timing issues involve, e.g., network delays and timeouts, resources such as memory, processing power, or network bandwidth are at the root of Denial of Service (DoS) attacks, which have been a serious security concern. It is useful in practice and more challenging for formal protocol verification to determine whether a service is vulnerable not only to powerful intruders, but also to resource-bounded intruders that cannot generate or intercept arbitrarily large volumes of traffic. A refined Dolev–Yao intruder model is proposed that can only consume at most some specified amount of resources in any given time window. Timed protocol theories that specify service resource usage during protocol execution are also proposed. It is shown that the proposed DoS problem is undecidable in general and is PSPACE-complete for the class of resource-bounded, balanced systems. Additionally, we describe a decidable fragment in the verification of the leakage problem for resource-sensitive timed protocol theories.


Author(s):  
S. Phani Praveen ◽  
T. Bala Murali Krishna ◽  
Sunil K. Chawla ◽  
CH Anuradha

Background: Every organization generally uses a VPN service individually to leather the actual communication. Such communication is actually not allowed by organization monitoring network. But these institutes are not in a position to spend huge amount of funds on secure sockets layer to monitor traffic over their computer networks. Objective: Our work suggests a simple technique to block or detect annoying VPN clients inside the network activities. This method does not require the network to decrypt or even decode any network communication. Method: The proposed solution selects two machine learning techniques, Feature Tree and K-means, as classification techniques which work on time-related features. First, the DNS mapping with the ordinary characteristic of the transmission control protocol / internet protocol computer network stack is identified, and it is not to be considered as a normal traffic flow if the domain name information is not available. The process also examines non-standard utilization of hyper text transfer protocol security and also conceal such communication from hyper text transfer protocol security dependent filters in firewall to detect as anomaly in largely. Results: We define the traffic flow as normal traffic flow and VPN traffic flow. These two flows are characterized by taking two machine learning techniques, Feature Tree and K-means. We have executed each experiment 4 times. As a result, eight types of regular traffic and eight types of VPN traffic were represented. Conclusion: Once traffic flow is identified, it is classified and studied by machine learning techniques. Using time-related features, the traffic flow is defined as normal flow or VPN traffic flow.

