Wireless Internet Security: Architecture and Protocols


In describing tools for internet security, this title focuses on understanding the system architecture of existing security and on developing architectural changes for new security services. Topics include security threats in wireless networks, security services for countering those threats, and the process of defining functional architecture for network systems. Kempf also discusses examples of wireless Internet security systems such as wireless network access control, local IP subnet configuration and address resolution, and location privacy. Each chapter describes the basic network architecture and protocols for the system under consideration, security threats, functional architecture, and the important internet protocols that implement the architecture. This is an ideal resource for graduate students of electrical engineering and computer science, as well as for engineers and system architects in the wireless network industry.

Author(s): James Kempf
Edition: 1
Publisher: Cambridge University Press
Year: 2008

Language: English
Pages: 224
Tags: Library; Computer literature; Computer networks;

Cover......Page 1
Half-title......Page 3
Title......Page 5
Copyright......Page 6
Contents......Page 7
Preface......Page 9
Acknowledgements......Page 12
1 Security basics......Page 13
1.1.1 How to conduct a threat analysis......Page 14
1.2.1 Replay threat......Page 17
1.2.4 Denial-of-service threat......Page 18
Address spoofing......Page 19
1.3.1 Data origin authentication......Page 20
1.3.2 Confidentiality protection......Page 21
1.4.1 Key management......Page 22
Key management for shared keys......Page 23
Key management for public keys......Page 24
Principles of secure key management protocols......Page 25
Public key certificates......Page 27
Authentication, authorization, and accounting......Page 28
1.5 Summary......Page 31
2.1 The role of architecture in system standardization......Page 33
2.2 The functional architecture approach......Page 35
2.3.2 Required system functions......Page 38
2.3.4 Selection of interface types......Page 39
2.4 Functional architecture for network security systems......Page 40
2.5.1 Identify the threats......Page 42
2.5.2 Select security services to mitigate the threats......Page 43
2.5.4 Develop functions around services and supporting systems......Page 44
2.5.5 Define network entities and interfaces......Page 45
2.6 Summary......Page 46
3 Cryptographic algorithms and security primitives......Page 47
3.1 Replay protection algorithms......Page 48
3.2.1 Important properties of cryptographic hash functions......Page 49
3.2.2 Attack example......Page 51
3.2.3 Example cryptographic hash function: SHA-1......Page 52
3.2.4 Example keyed cryptographic hash function: HMAC......Page 53
3.3 Shared key encryption......Page 54
3.3.2 Block ciphers......Page 55
3.3.3 Attack characterization......Page 56
3.3.4 Example shared key block cipher: Advanced Encryption Standard (AES)......Page 57
3.3.5 AES algorithm outline......Page 58
3.4 Public key algorithms......Page 60
3.4.1 Data origin authentication......Page 61
3.4.3 Example public key algorithm: RSA......Page 62
3.5 Key provisioning......Page 63
3.5.1 Public key infrastructure (PKI)......Page 64
3.5.2 Diffie–Hellman key exchange......Page 66
3.6 Summary......Page 67
4 Wireless IP network access control......Page 69
4.1 Wireless network access usage models......Page 70
4.2 Threats to wireless network access......Page 71
4.3.1 Functional architecture and interfaces......Page 72
Authenticator Communication and Security function......Page 74
Key Provisioning and/or Exchange function......Page 76
Account Authority Routing and Communication function......Page 77
Supplicant Communication and Security function......Page 79
4.3.5 Additional design requirements......Page 81
The cryptoboundary concept......Page 82
4.3.6 Taxonomy of deployed systems......Page 83
4.4 Subscription-based design......Page 84
4.4.1 802.1x/EAPoL......Page 88
4.4.2 EAP......Page 90
4.4.3 Radius......Page 96
4.5 Hotspot design......Page 97
4.5.1 The TLS protocol......Page 100
ServerHello......Page 101
ServerCertificate......Page 102
4.6 Summary......Page 103
5.1 Impact of the IP routing and addressing architecture on mobility......Page 105
5.2.1 Address Resolution Protocol......Page 108
5.2.2 Dynamic Host Configuration Protocol......Page 109
Router discovery......Page 111
Address autoconfiguration and duplicate address detection......Page 112
5.2.5 Network interfaces in local IP subnet configuration and address resolution......Page 114
5.3 Threats to local IP subnet configuration and address resolution......Page 115
5.3.1 Threats against address resolution and autoconfiguration......Page 116
5.3.3 Replay and remote attacks......Page 117
5.4 Functional architecture for local IP subnet configuration and address resolution security......Page 118
5.4.1 Functional architecture and interfaces......Page 119
Local Subnet Configuration Server Message Authentication function......Page 120
Address Information and Operation Verification function......Page 122
5.4.4 Local Subnet Configuration Server functions......Page 123
Basic IP Node Credential Exchange Reply function......Page 124
5.5.1 Security for address resolution and router discovery in IPv4......Page 125
Cryptographically Generated Addresses......Page 127
SEND protocol......Page 133
5.6 Security protocols for Local Subnet Configuration Server access......Page 137
5.6.1 DHCP Authentication option......Page 138
5.7 Summary......Page 140
6 Security for global IP mobility......Page 142
6.1.1 Mobile IP architectural overview......Page 143
6.1.2 Mobile IP interfaces and protocols......Page 145
6.2.1 Threats to the binding management and remote home subnet configuration interfaces......Page 147
6.2.2 Threats to the route optimization interface......Page 149
6.3 Functional architecture for Mobile IP security......Page 150
6.3.1 Functional architecture and interfaces......Page 151
Home Agent Security Association Establishment function......Page 152
Mobile Node Security Association Establishment function......Page 154
Mobile Node Signaling Security function......Page 155
6.3.4 Correspondent Node functions......Page 156
6.3.5 Taxonomy of deployed systems......Page 157
6.4 The IP Security (IPsec) protocol......Page 159
6.4.1 The IPsec architecture......Page 160
Security Association Database......Page 162
6.4.2 IKE......Page 163
IKEv2 Protocol......Page 164
EAP for IKE_AUTH......Page 167
6.4.3 IPsec Encapsulating Security Payload......Page 168
6.4.4 How Mobile IPv6 uses IKE and IPsec......Page 170
6.5 Return routability......Page 174
6.6 The limits of security architectures: the example of Mobile IP......Page 178
6.7 Summary......Page 179
7 Location privacy......Page 181
7.1 Threats against privacy and location privacy......Page 182
7.2.1 Changing the IP Address......Page 184
7.2.2 Privacy addresses......Page 185
7.2.4 Onion routing......Page 186
7.3.1 Location privacy and Mobile IP......Page 188
7.3.2 Problems with home agent tunneling for location privacy in Mobile IP......Page 189
7.3.3 Location privacy and access network link layer identifiers......Page 190
7.3.4 Protocol solutions to location privacy in Mobile IPv6......Page 192
7.4 An architectural approach to location privacy......Page 193
7.4.1 The Cryptographically Protected Prefix (CPP) algorithm......Page 194
7.4.2 Key and address provisioning for CPP......Page 199
7.4.3 Residual vulnerabilities in CPP......Page 200
7.4.4 Functional architecture for CPP......Page 201
7.4.5 CPP Key Distribution and Masked Address Prefix Server functions......Page 202
Level Key and Masked Address Block Distribution Message Formulation function......Page 203
Level Key and Masked Address Block Distribution Processing function......Page 204
Confidentiality and Authenticity for Masked Address Configuration function......Page 206
7.4.8 CPP Access Router functions......Page 207
7.4.9 Next steps in system design......Page 208
7.5 Summary......Page 209
References......Page 211
Index......Page 214