Security in Networks - PowerPoint PPT Presentation

Slides: 21
Provided by: afi55

Transcript and Presenter's Notes


1
Security in Networks
  • Hossam Afifi, Mobility and Security Group

2
Brief reminder: security in data networks
  • Applications: S-MIME, S-HTTP, PGP, SET, IPSEC (ISAKMP) (E2E)
  • TCP/UDP (Transport): SSL, SOCKS V5 (E2E)
  • IP (Network): IPSEC (AH, ESP) (G2G)
  • L2TP/PPP, PPTP/PPP (Data link): CHAP, MS-CHAP, PAP, MPPE (P2P)
3
The ESTER project
  • ANR project started in 2007
  • Objective: personalize routing by means of smart cards
  • Part of the security is performed in the smart card

4
Architecture
5
Two contributions
  • A solution for intra-domain routing (OSPF)
  • The card signs in place of the router
  • The card establishes a tunnel to carry the
    authentication
  • All passwords/certificates remain in
    the card
  • A solution for inter-domain routing (BGP)
  • The card handles authentication
  • We propose solutions based on Identity-Based
    Encryption

6
1-1. Introduction
  • Physical layer security can be classified in
    three categories:
  • Power approach (power allocation,
    beamforming)
  • Channel approach (information theory)
  • Code approach (scrambling, etc.)

Where can physical layer security be applied?
7
1-2. Introduction
  • Our approach triggers the physical layer
    encryption
  • Key stream encryption.
  • A block cipher is the keystream generator
  • Why physical layer encryption?
  • To prevent as many attacks as possible or make
    them more difficult
  • It is much more difficult to build a lower-layer
    analyser.
  • Implementing security at the hardware level gives
    manufacturers much efficiency and flexibility in
    terms of implementation design and technologies.

8
2. Literature survey
  • Security in CDMA systems
  • The user's signal is spread using a channelization
    code and then it is scrambled.
  • Scrambling code and channelization code:
    the built-in security.
  • The built-in security relies on the use of an LFSR
    (42 bits) and a long code mask (42 bits).
  • This security solution is not
    sufficient.
  • [1] enhances the built-in security by using AES in
    the scrambling process
  • Good approach, but the size of the frames to be
    encrypted is not defined.
  • [2] enhances the built-in security by using AES in
    the interleaving process
  • The computational complexity becomes a
    significant problem for the receivers
  • [3] uses a self-synchronisation architecture
    using a special sync pattern
  • One lost bit in the sync pattern →
    synchronisation is lost

9
3-1. Our approach
  • We apply the encryption just after the encoding
    process
  • OFB (Output Feedback Mode) is used as the
    encryption mode.
  • AES takes the role of the encryption cipher
  • Advantages of using this architecture
  • OFB does not propagate errors: 1 error
    occurring in the propagation channel produces
    only 1 error after the decryption process
    (this is not the case with CFB and CBC modes).
  • OFB does not affect the functionality of the
    Encoder/Decoder block.
  • AES is robust and well known enough and can be
    implemented in hardware.
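
The error-propagation claim above, as an added example that is not part of the presentation: OFB and CFB are run over a constructed 4-block frame with one ciphertext bit flipped in transit. A truncated SHA-256 stands in for AES as the block function (an assumption, so the example needs only the standard library); the key, IV and frame are constructed values.

```python
import hashlib

BLOCK = 16  # bytes; same block size as AES

def block_fn(key: bytes, block: bytes) -> bytes:
    # Stand-in for AES block encryption (assumption): truncated SHA-256 as a
    # keyed function. OFB and CFB only ever use the forward direction.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ofb(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Keystream depends only on key and IV, so encrypt and decrypt are identical.
    out, state = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        state = block_fn(key, state)
        out += xor(data[i:i + BLOCK], state)
    return bytes(out)

def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool = False) -> bytes:
    # Feedback is the previous ciphertext block, so a damaged block is fed back.
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = xor(data[i:i + BLOCK], block_fn(key, prev))
        prev = data[i:i + BLOCK] if decrypt else chunk
        out += chunk
    return bytes(out)

def flip_bit(data: bytes, bit: int) -> bytes:
    buf = bytearray(data)
    buf[bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)

def bit_errors(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def channel_error_demo(bit: int = 5):
    key, iv = b"constructed-key!", bytes(range(BLOCK))  # constructed values
    frame = bytes(range(64))                            # constructed 4-block frame
    ofb_rx = ofb(key, iv, flip_bit(ofb(key, iv, frame), bit))
    cfb_rx = cfb(key, iv, flip_bit(cfb(key, iv, frame), bit), decrypt=True)
    tail_ok = cfb_rx[2 * BLOCK:] == frame[2 * BLOCK:]   # CFB recovers after one block
    return bit_errors(frame, ofb_rx), bit_errors(frame, cfb_rx), tail_ok

if __name__ == "__main__":
    print(channel_error_demo())
```

The same property makes OFB ciphertext malleable bit for bit, so it provides no integrity on its own, and the keystream repeats if an IV is reused under the same key.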

10
3-2. Our approach
Application field
  • Our architecture can be applied to High Data
    Rate (HDR) and Low Data Rate (LDR) devices in
    wireless and wired communication systems.
  • Implementing this solution in LDR devices is
    valuable because
  • 1) Legacy protocols are very heavy to
    implement in these devices.
  • 2) Some kinds of LDR devices don't have
    upper layers.
  • 3) LDR devices require a minimal security
    implementation at a low cost.

11
Example of application
  • This example targets the MAGNET LDR
    architecture.
  • - The MAGNET LDR architecture relies on
    the use of the 802.15.4 MAC layer.
  • - We modify the MAGNET physical layer
    architecture in order to insert the
    encryption process.
  • - CSMA-CA is the mechanism used to
    access the medium.
  • - The key and the IV are registered in
    the software/hardware interface.
  • - The framing block is responsible for
    constructing the final frame.
  • We apply this example to a sensor network in a star
    topology.

12
MAGNET architecture for LDR devices
Dotted lines represent our proposal
13
  • To avoid excessive power consumption, an
    identification mechanism is defined.
  • Each node has a Physical Layer Security
    Association Identifier (PHSAid)
  • This mechanism gives the receiver the
    possibility to identify the sender.

14
Information theoretic security
  • Based on your precise location
  • You obtain a unique code
  • The code is first used as a challenge
  • It is a proof of non-presence of a MiM
  • The system is applicable to wireless protocols
    such as Wi-Fi hotspots

15
Federation concept
  • A federation is a group of users that share the
    same access control profile
  • The federation is based on a manager that
    allocates rights and permissions to its resources
    and manages rights to others' resources
  • A federation is not a group communication

16
A simple example
Three distinct domains with their own
credentials; the federation aims at
sharing these resources
17
The architecture
18
Two novel approaches
  • Self-signed certificates
  • Linked by a pairing protocol
  • A novel group key hierarchy to allocate keys
  • Keys are updated on every change in the federation

19
Key hierarchy
20
Projects
  • MAGNET Beyond
  • ESTER (Alcatel, Trusted Logic)
  • IEEE 802.15 BAN