Professional Documents
Culture Documents
CSC461 CN Lecture 15 Feb. 13 2013
CSC461 CN Lecture 15 Feb. 13 2013
E-mail: rahul@pilani.bits-pilani.ac.in
Interaction Points
Significance of the Application-Driven Approach to Design Computer Networks Need for Specialized Protocols for Applications / Classes of Applications / Services Select Application-Layer Services & Protocols
Summary
First, a quick recap of Protocols and Protocol Graphs and a little additional information!
Starters, before we begin the main course!
TCP
UDP
IP
TCP
UDP
IP
Protocol
Representa@on
There exist numerous schemes of representation of a given Protocol. One common way to specify a Protocol is to represent it as a State Transition Diagram.
Protocol
Valida@on
A Protocol needs to be proven correct before it is implemented. There exist quite a few ways of formal and semi-formal verification of Protocols. One common technique is to first represent a protocol a State Transition Diagram and then examine it for its:
completeness, Reachability, points of weakness etc.
System
Model
An
abstract
computer
model:
state
machine.
A
network
or
a
distributed
system
model
comprises
of
a
set
of
n
state
machines
called
processors
that
communicate
with
each
other,
which
can
be
represented
as
a
graph.
Message
passing
communica@on
model:
queue(s)
Qij,
for
messages
from
Pi
to
Pj
System
congura@on
is
set
of
states,
and
message
queues.
In
any
case
it
is
assumed
that
the
topology
remains
connected,
i.e.,
there
exists
a
path
between
any
two
nodes.
Deni@on
States
sa@sfying
P
are
called
legi@mate
states
and
those
not
sa@sfying
P
are
called
illegi@mate
states.
A
system
S
is
self-stabilizing
with
respect
to
predicate
P
if
it
sa@ses
the
proper@es
of
closure
and
convergence
There must be at least one privilege in the system (liveness or no deadlock). Every move from a legal state must again put the system into a legal state (closure). During an innite execu@on, each machine should enjoy a privilege an innite number of @mes (no starva@on). Given any two legal states, there is a series of moves that change one legal state to the other (reachability).
Dijkstra considered a legi1mate (or legal) state as one in which exactly one machine enjoys the privilege.
s1
1
d
a c b
s2
1
d/s1
a/s2 c/s3
2
b/s2
3
s3
Example
of
FSM
Model
for
Protocol
Verica@on
(Stop
and
Wait
Protocol)
The
transmiYer
sends
a
frame
and
stops
wai@ng
for
an
acknowledgement
from
the
receiver
(ACK)
Once
the
receiver
correctly
receives
the
expected
packet,
it
sends
an
acknowledgement
to
let
the
transmiYer
send
the
next
frame.
When
the
transmiYer
does
not
receive
an
ACK
within
a
specied
period
of
@me
(@mer)
then
it
retransmits
the
packet.
TransmiYer
Frame
0
Receiver
Timer
ACK
0
Frame
1
Timer
ACK
1
Frame
0
ACK 0
Wait
Ack
1
Timeout
or
Ack
0
Received
Pkt
1
transmiYed
Wait Ack 0
Ack 0 Received
Send Pkt 1
Wait
Pkt
0
Pkt
1
Received
Send
Ack
1
Pkt
1
received
Send
Ack
1
Wait Pkt 1
Communica@on
protocols
Communica@on
protocol
might
be
aected
due
to:
Ini@aliza@on
to
an
illegal
state.
A
change
in
the
mode
of
opera@on.
Not
all
processes
get
the
request
for
the
change
at
the
same
@me,
so
an
illegal
global
state
may
occur.
Transmission
errors
because
of
message
loss
or
corrup@on.
Process
failure
and
recovery.
A
local
memory
crash
which
changes
the
local
state
of
a
process.
Exercise
Write
a
simula@on
program
that
imitates
the
behavior
of
the
network
shown
below.
The
inputs
to
your
program
are
the
capaci@es
of
each
buer
as
well
as
the
clock
structure
(three
vectors
with
the
life@mes
of
each
event)
The
output
from
your
program
is
the
sample
path
of
the
network
i.e.,
the
state
trajectory
and/or
a
trace
consis@ng
of
a
sequence
of
events
and
its
corresponding
@me.
B1
a d1
B2
d2
Bandwidth:
Width of the usable / allotted Frequency band Rate of data transfer in bits per second
Throughput: Actual measured rate of achievable data transfer in bits per second Bandwidth has often a value greater than that of the Throughput
Round-Trip Time (RTT) Latency: Delays of various kinds Delay x Bandwidth metric Quality of Service
17
Performance
Ma-ers
With
signicant
input
from
:
Professor
Bob
Kinicki,
Computer
Science
Department,
WPI,
USA
15/02/13 Dr. Rahul Banerjee, Department of Computer Science, BITS-Pilani, INDIA 18
Interac@on
Points
Computer
Network
Performance
Metrics
Performance
Evalua@on
Techniques
Workload
Characteriza@on
Simula@on
Models
Analy@c
Models
15/02/13
Performance
Evalua@on
Performance evaluation is the application of the scientific method to the study of computer systems. Viewed as distinct from computer system design, the goal of performance evaluation is to determine the effectiveness and fairness of a computer system that is assumed to work correctly. Performance evaluation techniques have been developed to accurately measure the effectiveness with which computer system resources are managed while striving to provide service that is fair to all customer classes.
Performance Evaluation of Computer Networks 20
2
Host B Host C
3 16 17 15
1 routers 11 12 10 9 13 7 8 14
4 5
Host J
Host D
Host E
Host G
Host H
Host F
22
Clients
AP
23
responsiveness delay round trip time queue size utilization losses channel utilization packet loss rate frame retries
buffer problems AP queue overflow packet drops playout buffer underflow rebuffer events
Performance Evaluation of Computer Networks
24
2
Host B Host C
3 16 17 15
1 nodes 11 12 10 9 13 7 8 14
4 5
Host J
Host D
Host E
Host G
Host H
Host F
25
26
Client
AP
27
Outline
Performance Evaluation Computer Network Performance Metrics Performance Evaluation Techniques
Workload Characterization Simulation Models Analytic Models
29
Multimedia Streaming
Video clip downloads (UDP and/or TCP) Audio VOIP (Voice Over IP)
Peer-to-Peer Exchanges
Concurrent downloads and uploads
Client
AP
31
" The primary focus of this presentation is on the design and techniques used in experiments to measure real computer networks.
32
Conceptual
Models
Researchers utilize knowledge about the interactions of network components to understand and explain the workings of a computer network via a conceptual model. Models are partitioned into simulation models or analytic models. Both model types rely on simplifying assumptions that that enable the model to capture important characteristics of networks (usually in terms of networks of queues).
Performance Evaluation of Computer Networks 33
Arrivals
Queue
Server
34
35
Simula@on
Models
Simulation attempts to reproduce the behavior of the network in the time domain. Event-driven simulation defines a network in terms of states and transitions where events trigger transitions. Simulation is essentially a numeric solution that utilizes systems of equations and data structures to capture the behavior of the simulated network in terms of logical conditions.
36
Simula@on
Models
The three types of simulators are:
Trace-driven Program-driven Distribution-driven
The choice of the duration of a simulation run is subject to the same issues of estimating variance and variance reduction as found in the design of empirical measurements.
Performance Evaluation of Computer Networks 37
Analy@c
Models
Similar to simulation models, analytic models involve systems of equations. Analytic models of computer networks usually start with a network of queues model and develop a system of equations that may or may yield a closed form solution. Analytic models of computer networks tend to be stochastic models built on the theory of stochastic processes associated with independent random variables.
Performance Evaluation of Computer Networks 38
Outline
Performance Evaluation Computer Network Performance Metrics Performance Evaluation Techniques
Workload Characterization Simulation Models Analytic Models
"
Network measurements can be either active or passive. Active measurement involves purposely adding traffic to the network workload specifically to facilitate the measurement (e.g., sending packet pair probes into the network to estimate the available bandwidth along a flow path). An example of a passive measurement tool is a network sniffer running in promiscuous mode to collect information about all packets traversing a network channel.
40
What
to
Measure?
The overall objective of the computer network measurement study guides the choice of performance indices to be measured. Metrics are either direct or indirect indices. Indirect indices require some type of data reduction process to determine metric values. Due to the large data volume associated with network traffic, measurement of computer networks often involves filtering of data or events (e.g., It is common for network measurement tools to only retain packet headers for off-line
Performance Evaluation of Computer Networks 41
43
Clients
AP
44
45
46
47
Throughput (Mbps)
Time (sec)
48
RSSI (dB)
Time (sec)
49
How to control, minimize and/or understand physical phenomenon or other interference sources that can produce discrepancies and variability in the measurement results?
Performance Evaluation of Computer Networks 50
Throughput (Mbps)
Time (sec)
51
RSSI (dB)
Time (sec)
52
53
Time (sec)
54
55
Coming
AYrac@ons
Professor Claypool will discuss: The Scientific Method applied to Computer Science Statistical Techniques used in Experimental Measurement Design
56
15/02/13
57
Repeaters / Repeater Hubs / Shared Hubs: where usually Physical layer / level exist with L1-protocol data unit (raw bits) regeneration and onward transmission Managed Hubs / Layer-2 Switching Hubs: where Physical and Data Link layers / levels exist with ability to handle and deliver Layer-2protocol data unit (frame) Bridges: where Physical and Data Link layers / levels exist with L2-protocol data unit (frame) processing and forwarding Switches: where Physical and Data Link and / or Network (sometimes even higher) layers / levels exist with Layer-2 and / or Layer-3(c) Dr. Rahul Banerjee, BITS, Pilani, India 58
or visit:
Home: http://www.bits-pilani.ac.in/~rahul/
References
Larry L. Peterson & Bruce S. Davie: Computer Networks: A Systems Approach, Fourth Edition, Morgan Kaufmann / Elsevier, New Delhi, 2007. <System design approach> IEEE 802 standards issued so far PLUS amendments like:
802.3ap-2007: IEEE Standard for LAN/MAN Specific Requirements Part 3: CSMA/CD Access Method and Physical Layer Specifications Amendment 4: Ethernet Operation over Electrical Backplanes 802.11-2007 IEEE Standard for LAN/MAN Specific Requirements Part 11: Wireless LAN Medium Access Control (MAC)and Physical Layer (PHY) Specifications 802.15.4a-2007 IEEE Standard for Telecommunications and Information Exchange Between Systems; PART 15.4: Wireless MAC and PHY Specifications for Low-Rate Wireless PANs (LR-WPANs) Amendment 1: Add Alternate PHY 802.1ag-2007 IEEE Standard for LAN/MAN Virtual Bridged LANs Amendment 5: Connectivity Fault Management
References
A. S. Tanenbaum: Computer Networks, Fourth Edition, Pearson Education, New Delhi, 2003. <Conceptual Approach> Mohammed G. Gouda: Elements of Network Protocol Design, Wiley Student Edition, John Wiley & Sons (Pte.) Ltd., Singapore, 2004. Thomas G. Robertazzi: Computer Networks and Systems: Queuing Theory and Performance Evaluation, Third Edition, Springer-Verlag, New York, 2000. <Analytical approach> S. Keshav: Computer Networking: An Engineering Approach, Pearson Education, New Delhi, 1997. A. Leon Garcia and I. Widjaja: Communication Networks: Fundamental Concepts and Key Architectures, Second Edition, Tata McGraw-Hill, New Delhi, 2004. Baldwin, D.: Discovery Learning in Computer Science. In Proceedings of the Twenty-seventh SIGCSE Technical Symposium on Computer Science Education, ACM, pp. 222-226,February 1996.
61
NOTE:
Some of the duly marked slides have been prepared with respective input from BITS, UIUC, ETH-Zurich, MSR, UoW, CMU, IETF, ITU, Sun, W3C, KU, CU, LU, IEEE PC as duly permitted for academic and research use.
Use of copyrighted material from these and other sources in the following slides is meant for pure academic reference herein is thankfully acknowledged. <Not meant for re-distribution!>
Note: Put applica@on in a package. Create a jar le from the package and put the package in <tomcat_home>/lib, so that it will be in Tomcat's classpath
Deployment
Descriptor
<isd:service xmlns:isd="http://xml.apache.org/xml-soap/deployment" id="urn:helloApp"> <isd:provider type="java" scope="application" methods="sayHelloTo"> <isd:java class="hello.HelloServer"/> </isd:provider> The
scope
of
the
Object
used
to
fulll
<isd:faultListener> the
SOAP
Request.
org.apache.soap.server.DOMFaultListener Applica1on
means
that
all
SOAP
</isd:faultListener> requests
will
be
sent
</isd:service> to
the
same
object.
Deployment
Descriptor
<isd:service xmlns:isd="http://xml.apache.org/xml-soap/deployment" id="urn:helloApp"> <isd:provider type="java" scope="application" methods="sayHelloTo"> <isd:java class="hello.HelloServer"/> </isd:provider> <isd:faultListener> org.apache.soap.server.DOMFaultListener </isd:faultListener> </isd:service>
application: The same service instance is used to serve all invocations Which of these scope values require us to think about synchronizing access to data members and methods?
You can get a list of all deployed web services using the command
java org.apache.soap.server.ServiceManagerClient http:// <host>:<port>/soap/servlet/rpcrouter list
Undeploying
a
Service
You can undeploy a web service, so that it is no longer recognized by the SOAP Processor using the command
java org.apache.soap.server.ServiceManagerClient http:// <host>:<port>/soap/servlet/rpcrouter undeploy urn:helloApp
Note that the last argument is the URI of the web service to be removed
Note
on
Parameters
It must be possible to "serialize" the parameters that the method invoked receives and returns. The following have default serialization/ deserialization:
primitive types: int, long, double, etc. primitive Objects: Integer, Long, Double, String, etc. complex Objects: Vector, Enumeration, Hashtable, arrays easy to use JavaBeans
UPnP
Services
Description is stored as XML file Control via SOAP messages: SOAP developed for web service Most every language/platform has SOAP/XML libraries Event notification with XML in General Event Notification Architecture Presentation URL can be supplied by device
The
OSGi
OSGi is open, standards-based, languageneutral and OS-neutral Consists of framework in which bundles of services that register with a registry can run Runs atop the Java 2 Runtime Environment (J2RE)
Basic Authentication: It may be provided as an extension to the HTTP 1.1 (HHTP: RFC 2616, Extn.: RFC 2617) Moderate Authentication: Digest Access Authentication using Challenge-Response technique Advanced Authentication: There are two choices, depending upon the requirements: Kerberos-based Authentication (K-5: RFC 1510) Public-Key Cryptography-based Authentication (SSL: RFC 2246, TLS: RFC 2818)
BASIC AUTHENTICATION
Client may use it to authenticate itself to either the Origin Server or an intermediate Proxy Server. In this basic scheme, if an unauthorized access attempt is made by a client, server / proxy sends it back an Error Code: 401 / 407: Unauthorized Access Error However, server / proxy may ask / challenge the requesting client to supply / respond to one or more pieces of information and if the client sends the correct piece (s) in its
BASIC AUTHENTICATION
In this scheme, users ID and his/her password are transmitted using base64-ended plaintext. This clearly is as insecure as the default Telnet authentication scheme. Moderate and Advanced schemes of authorization attempt to tackle this issue by offering cryptographic measures.
Client-side Issues,
Middleware-specific Issues
Server-side Issues
Interac@on
Points
Brief introduction to Network and internetwork Security Principles Various forms and mechanisms of security Influence of Network Security on Pervasive Computing Systems Discussion
Internetwork Security
A network of two or more networks is called an Internetwork Participating networks in an Internetwork may be interconnected for restricted or unrestricted resource sharing
Security is often viewed as the need to protect one or more aspects of networks operation and permitted use (access, behaviour, performance, privacy and confidentiality included), Security requirements may be Local or Global in their scope, (c) Rahul Banerjee, BITS, depending upon the network s or internetworks purpose of 99 Pilani (India) design and deployment.
Passive attacks involve simply getting access to link or device and consequently data. (c)
Rahul
Banerjee,
BITS,
Pilani
(India)
103
Devices involved:
Links
involved:
(c)
Rahul
Banerjee,
BITS,
Pilani
(India)
Non-monitoring approaches
Cryptography can exist with or without networks but Internetwork / Network Cryptography specifically addresses the Internetwork / Network needs / requirements and is thus a subset of general cryptography.
(c)
Rahul
Banerjee,
BITS,
Pilani
(India)
107
Symmetric-Key
Cryptography
Symmetric-Key cryptography is called so since in this class of cryptographic algorithms, encryption as well as decryption processes are performed using the same (i.e. symmetric) key. The algorithms / schemes / programs that use this paradigm are often termed as Symmetric-Key Ciphers / Private-Key Ciphers / Secret-Key Ciphers / Conventional Ciphers etc. Rahul
B anerjee,
BITS,
(c)
In such cases, Plaintext, EncryptionPilani
(India)
108
Kerckhoffs Principle: Security of conventional encryption depends only upon the Secrecy of the Key, and not on the Secrecy of the Algorithm. Strength of the algorithm and the size of (c)
Rahul
Banerjee,
BITS,
key remain two important factors in Pilani
(India)
110
Kerckhoffs Principle remains a guiding line for the research on conventional cryptography and its real-life use in internetworks.
(c)
Rahul
Banerjee,
BITS,
Pilani
(India)
111
Uncondi@onally
Secure
Versus
Computa@onally
Secure
Encryp@on
Schemes
Unconditionally Secure Encryption schemes:
Here, the generated Ciphertext simply does not have adequate information to allow discovery of the unique plaintext irrespective of the amount of Ciphertext available (as well as irrespective of the computational resource available) to the attacker.
Digital
Signatures
A Digitally-signed Communication is a message that has been processed by a computer in such a manner that ties the message to the individual that signed the message. Criteria for Digital Signatures Technology:
An acceptable technology must be capable of creating signatures that conform to requirements: It is unique to the person using it; It is capable of verification; It is under the sole control of the person (c)
Rahul
Banerjee,
BITS,
113 Pilani
(India)
using it;
Signature
Dynamics
The
Signature
Dynamics
Technology:
It
is
an
acceptable
technology
for
use
by
public
en@@es
that
uses
as
the
means
the
metrics
of
the
shapes,
speeds
and/or
other
dis1nguishing
features
of
a
signature
as
the
person
writes
it
by
hand.
It
involves
binding
the
measurements
to
a
message
through
the
use
of
cryptographic
techniques.
Signature
Digest
is
the
resul@ng
bit-string
produced
when
a
signature
is
@ed
to
a
document
using
Signature
Dynamics.
(c)
Rahul
Banerjee,
BITS,
Pilani
(India)
114
Digital
Cer@cates
Digital Certificate: It refers to a computer-based record which: identifies the certification authority issuing it; names or identifies its subscriber; contains the subscriber's public key; and is digitally signed by the certification authority issuing or amending it & conforms to widely-used standards.
(c)
Rahul
Banerjee,
BITS,
Pilani
(India)
115
Related
terms:
Certification Authority: This refers to an entity that issues a certificate, or in the case of certain certification processes, certifies amendments to an existing certificate. Key Pair: This refers to a private key and its corresponding public key in an asymmetric cryptosystem. The keys have the property that the public key can verify a digital signature that the private key creates.
116
Cer@cate Categories:
PGCA
Payment Gateway
119
CCA
Cardholder Certificates
Steps
involved
1. A pair of Private and Public keys is created by the Requester. 2. Requester generates and encrypts a Certificate Request using its private key and sends the certificate request to your chosen CA . 3. CA initiates and completes a process to verify the correctness of the information supplied by the Requester. 4. The certificate for the Requester (who hereafter becomes a Subscriber) is signed by a device that holds the private key of the CA. 5. The certificate is sent to the Subscriber. 6. A copy of the issued Certificate is kept in certificate repository / directory (so that using (c)
Rahul
Banerjee,
BITS,
Certificates could be retrieved). LDAP etc. 121 Pilani
(India)
Cer@cate
revoca@on
Certificate revocation: Canceling a certificate before than its originally scheduled validity period. Certificate Revocation Lists (CRL) A CRL is a time-stamped list of revoked certificates Online Certificate Status Protocol is used for online verification.
122
DMZ is outside the Firewall Screened subnet is an isolated subnetwork connected to a dedicated firewall (c)
Rahul
B anerjee,
BITS,
interface 124
Pilani
(India)
Types of IDS:
Network-based IDS (NIDS) : Subnetresident Host-based IDS (HIDS) : Host resident
Sensor reporting may involve (c) Rahul Banerjee, BITS, forms like logs, database several 125 Pilani (India)
Internetwork
Firewall
Firewall is an internetwork security device that
serves on the only access route that connects the internal network / internetwork (i.e. the segment to be protected) to the external network (s) / internetwork (s); and, decides about physically allowing / denying entry / exit to / from the protected segment using a set of policies (often manifested in terms of rules) is called a Firewall.
A Firewall may be implemented in hardware / software / firmware or a (c) Rahul Banerjee, BITS, combination of these. 126 Pilani (India)
A common assumption (though debatable) made is that the Firewall itself is incorruptible / impenetrable A firewall works under the assumption that it is solely responsible for blockade / allowance of any traffic between two or more than two networks / internetworks separated by it.
(c)
Rahul
Banerjee,
BITS,
Pilani
(India)
127
Virus / Worm / Trojan Horse / Logic bomb detection Virus / Worm / Trojan Horse / Logic bomb removal Semantic analysis of the applicationto-application messages with certain exceptions Protecting a network / internetwork from a trusted entity (client / server / user) or an internal authorized user with adequate privileges Protecting from power, link or protocol (c) Rahul Banerjee, BITS, 129 failure Pilani (India)
Types of Firewalls:
Application-level Gateways and Proxies Transport-level / Circuit-level Gateways and Proxies Network-level Gateways / Routers Packet filters (also known as Static Packet Filtering Firewalls) Bastion Host Screened Host
Stateless Firewalls Stateful Inspection-based Firewalls Perimeter Firewalls Screened Host Firewalls Intranet Firewalls Internet Firewalls (c) R ahul Banerjee, BITS, 130 Pilani ( India) Extranet Firewalls
Advantages
of
VPNs
Capability to access remote network as if there exists a private channel to that network Several security options available to provide a range of security Adequacy of lower-strength encryption schemes on certain occasions Cost-effective if well-designed, well-implemented and wellconfigured (c)
Rahul
Banerjee,
BITS,
133 Pilani
(India)
Can be quickly implemented
Disadvantages
of
VPNs
Requirement of encryption, decryption, encapsulation and decapsulation induce a sizeable processing overhead, packet overhead and storage overheads and may introduce latency as well as increase cost of service In some cases, if designed ad-hoc, certain network installations may pose additional challenges in adding the VPN functionality due to the added overhead in packet processing. Intricate design issues, unless handled carefully, may actually serve to lower the network performance without really bring corresponding increase in the security level of the network. Implementation issues include VPN pass through issues, NAT-specific issues and MTU-size related (c)
Rahul
B anerjee,
BITS,
issues 134
Pilani
(India)
135
BTS
A-bis
MSC
BSC
OMC
Mobility mgt
VLR HLR AUC EIR
Voice Traffic
(c) http://www.cs.hut.fi/Opinnot/Tik-86.174/Bluetooth_Security.pdf
Mobile IP
Foreign Agent (FA)
charliep@nokia.com
Binding update issue: If I change FA how do I tell home agent and previous FA such that no-one else can spoof that message? And in a performant, scalable manner? MobileIPv6 has this problem (no FA though, just care-of address)
J2ME
J2ME includes some security primitives for code signing and to support (some) application security
Data origin authentication/integrity for some data and some origins Bad use of cryptography Various types of fraud
Cloning of hosts Re-direction to premium rate
GSM Security
Mobile Station SIM Ki A3 Signed response (SRES) A8 Authentication: are SRES values equal? mi Fn A5 Kc Encrypted Data Kc A5 Fn mi Radio Link Challenge RAND A3 Ki SRES GSM Operator
SRES A8
Wardriving / boating
Picking up IEEE 802.11 access points as you cycle/ drive/fly/sail past Many of these give (sometimes intentionally) open access to the Internet
http://www.catalina42.org/war-sail/
WEP is broken and IPsec should be used instead as much as possible (probably in tunnel mode)
TLS should then be used wherever sensible above IPsec (e.g. IMAP over SSL)
WEP Encapsulation
802.11 Hdr Data
Encapsulate
802.11 Hdr IV
Decapsulate
Data ICV
= RC4
allows IV to be reused with any frame integrity provided by CRC-32 of the plaintext data (the ICV) and ICV are encrypted under the per-packet encryption key
Encryption Key K
24 luxurious bits
By
the Birthday Paradox, probability Pn two packets will share same IV after n packets is P2 = 1/224 after two frames and Pn = Pn1 + (n1)(1Pn1)/ 224 for n > 2.
50%
chance of a collision exists already after only 4823 packets!!! recognition can disentangle the XOR-ed recovered plaintext. ICV can tell you when youve disentangled plaintext correctly.
Pattern
Recovered After
only a few hours of observation, you can recover all 224 key streams.
Fixing WEP
Protect against ALL known threats:
IV Collisions Weak Keys Message Forgery Replay Two alternatives: Short-term and long-term
Short-term:
Temporal Key Integrity Protocol (TKIP) Does not require new hardware (but firmware/ software) Some performance penalty
Longer term
Move to AES based primitives with proper key management
http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf
WLAN topologies
Sensible network topologies
Corporate (small WLAN) Corporate (widespread WLAN) Service provider Volunteerism
Conclusions (1)
There are a range of different types of mobile network
GSM and 802.11 are the interesting ones
Conclusions (2)
Users are generally less in control of mobile networks
Bandwidth is allocated Manufacturer/Operator/Subscriber model differs from wired Internet
e.g. Closed operating systems
So, try to gain control of your applications and try to secure the applications themselves
Better if wireless technology changes anyway Can create a porting headache though
Acknowledgements
Some of these slides have been inspired by / borrowed from some well-received presentations made in different parts of the world. All inspired / reused slides either carry their respective copyright information on them or have been acknowledged about their sources in a group just after / before their respective usage herein. These slides are being used here purely for instructional purposes during a live (c)
Rahul
Banerjee,
BITS,
session Pilani
(India)
for the registered students of
165
Any ques@ons?
Thank you!
(c)
Rahul
Banerjee,
BITS,
Pilani
(India)
166
BITS-Connect 2.0 built atop the MPLS Cloud, not cloud computing!
References
Larry L. Peterson & Bruce S. Davie: Computer Networks: A Systems Approach, Fifth Edition, Morgan Kaufmann / Elsevier, New Delhi, 2011. <System design approach> S. Keshav: Computer Networking: An Engineering Approach, Pearson Education, New Delhi, 1997. A. S. Tanenbaum: Computer Networks, Fifth Edition, Pearson Education, New Delhi, 2012. <Conceptual Approach> Y. Zheng and S. Akhtar: Networks for Computer Scientists and Engineers, Oxford University Press, New York, 2002. <Structural approach> A. Leon Garcia and I. Widjaja: Communication Networks: Fundamental Concepts and Key Architectures, Second Edition, Tata McGraw-Hill, New Delhi, 2004. Mohammed G. Gouda: Elements of Network Protocol Design, Wiley Student Edition, John Wiley & Sons (Pte.) Ltd., Singapore, 2004. Thomas G. Robertazzi: Computer Networks and Systems: Queuing Theory and Performance Evaluation, Third Edition, Springer-Verlag, New York, 2000. <Analytical approach>
15/02/13
170
References
Larry L. Peterson & Bruce S. Davie: Computer Networks: A Systems Approach, Fifth Edition, Morgan Kaufmann / Elsevier, New Delhi, 2011. <System design approach> S. Keshav: Computer Networking: An Engineering Approach, Pearson Education, New Delhi, 1997. A. S. Tanenbaum: Computer Networks, Fifth Edition, Pearson Education, New Delhi, 2012. <Conceptual Approach> Y. Zheng and S. Akhtar: Networks for Computer Scientists and Engineers, Oxford University Press, New York, 2002. <Structural approach> A. Leon Garcia and I. Widjaja: Communication Networks: Fundamental Concepts and Key Architectures, Second Edition, Tata McGraw-Hill, New Delhi, 2004. Mohammed G. Gouda: Elements of Network Protocol Design, Wiley Student Edition, John Wiley & Sons (Pte.) Ltd., Singapore, 2004. Thomas G. Robertazzi: Computer Networks and Systems: Queuing Theory and Performance Evaluation, Third Edition, Springer-Verlag, New York, 2000. <Analytical approach>
15/02/13
(c) Dr. Rahul BRahul anerjee, BITS Pilani, INDIA Dr. Banerjee, BITS, Pilani (India)
171