Integrating Security and Privacy Protection Into a Mobility-Centric Internet Architecture
INTEGRATING SECURITY AND PRIVACY PROTECTION INTO A MOBILITY-CENTRIC INTERNET ARCHITECTURE

by XIRUO LIU

A dissertation submitted to the Graduate School—New Brunswick
Rutgers, The State University of New Jersey
In partial fulfillment of the requirements
For the degree of Doctor of Philosophy
Graduate Program in Electrical and Computer Engineering
Written under the direction of Wade Trappe
And approved by
New Brunswick, New Jersey
MAY, 2016

© 2016 Xiruo Liu
ALL RIGHTS RESERVED

ABSTRACT OF THE DISSERTATION

Integrating Security and Privacy Protection into a Mobility-Centric Internet Architecture
By XIRUO LIU
Dissertation Director: Wade Trappe

The Internet is a well-noted technological success that has significantly impacted the dissemination of information and brought human society closer together than it ever had been. While many of the initial design choices associated with the Internet led to its successful rise to prominence, the Internet was not designed to face many of the challenges that have emerged in the modern era in which people access information while on the move from anywhere, at any time. Notably, one of the primary hurdles challenging the continued success of the Internet is the security of the communications crossing the Internet.

In order to address the challenges facing the evolution of the Internet, several clean-slate future Internet architectures have been proposed, each attempting to address certain aspects in which the Internet needs to evolve, and each with varying advantages. Across all of these different architectures, there remains a need to examine and address fundamental aspects related to ensuring the security of these architectures. This thesis examines several of the key security challenges facing several of the emerging future Internet designs, and specifically explores aspects related to securing the MobilityFirst future Internet design.
In particular, one of the core contributions of this thesis is a thorough exploration of aspects related to securing new naming services intended to support more dynamic associations between users, their names and their network addresses. This thesis provides a thorough exploration of the protocol-level security challenges facing the administration of new name resolution services that separate names from network addresses, and further examines the possibility of using such a name resolution service as a mechanism to apply access control in the future Internet. A further contribution of this thesis is the exploration of security services for mobile ad hoc networks and the Internet of Things, which represent two important and emerging network modalities that will become part of the future Internet.

Acknowledgements

How Time flies! As I near the end of my studies, I have the illusion that this is still the first year of my PhD studies. Now, though, at the end of the PhD journey, everything over the past six years seems so clear in my mind, and I am extremely grateful for all of the support and help I have received in this journey.

First and foremost, I would like to express my deepest gratitude to my advisor Prof. Wade Trappe for his continuing guidance and absolute support over my five years of research at WINLAB. He is not just the advisor of my research, he is also a great friend who has shared his experience and advice, and given me suggestions on matters outside of school (e.g. how to raise a child). He inspired and encouraged me through those hard times. Also, I am grateful to Prof. Yanyong Zhang, who has given me a lot of valuable advice on both graduate studies and career development over the past few years.

I want to thank all of my colleagues here at Wireless Information Network Laboratory (WINLAB). WINLAB is a big family and has a lot of excellent faculty members, staff and students. I am fortunate to be surrounded by these wonderful people.
We have enjoyed our work, as well as many rich and colourful life experiences, together over the past years. This will become my most cherished memory from graduate school, which I will cherish for the rest of my life.

Outside of Rutgers University, I would like to extend my gratitude to my mentor Meiyuan Zhao and collaborators Jianqing Zhang, Jesse Walker at Intel Labs. My summer internship at Intel Labs was one of the best research experiences that I had during graduate school. I benefited a lot from the collaboration, and from them I gained a clear idea about what my future career will be.

Last but not least, I would like to thank my family. My parents Zhibing Liu and Lin Zhang supported me completely, no matter what happened and no matter what decision I made. The encouragement and the logistics from them made this thesis possible. My lovely daughter Annie Liu Yuan joined our family in the middle of my PhD journey. She is the apple of my eye and the driving force that propels me. Also, my husband Huawei Yuan has accompanied me through this long journey, and has provided me both patience and encouragement.

In summary, I would like to give sincere thanks to all of those fantastic people that I have met, and thank them for their support, help, encouragement and companionship.

Dedication

To my parents Zhibing Liu and Lin Zhang for their endless love and continuous support. Also to my daughter Annie Liu Yuan and my husband Huawei Yuan for both the joy and troubles they brought.

Table of Contents

Abstract
Acknowledgements
Dedication
List of Tables
List of Figures
1. Introduction
  1.1. Motivation
  1.2. MobilityFirst: A Mobility-Centric Architecture for the Future Internet
  1.3. Problem Statement
  1.4. Thesis Organization
2. GNRS security
  2.1. Overview
  2.2. Background
  2.3. Two-tier Name Resolution
  2.4. GNRS Security Concerns
  2.5. Secure GNRS Protocol
    2.5.1. Securing GNRS Update
    2.5.2. Securing GNRS Query
    2.5.3. Securing IP Hole Protocol
      Orphan Mapping Insert
      Mapping Migration
  2.6. Conclusion
3. GNRS access control
  3.1. Overview
  3.2. Background
  3.3. Access Control at the Name Resolution Service
  3.4. Spatio-temporal Access Control via GNRS Regulation
    3.4.1. General STAC
    3.4.2. STAC with State Transitions
    3.4.3. Token Format
    3.4.4. Token Usage Discussion
  3.5. Conclusion
4. Overlay Tunneling as a Policy Tool
  4.1. Introduction
  4.2. Related Work
  4.3. Overview of Our Tunneling Scheme
    4.3.1. Tunneling Methodology
    4.3.2. Network Anomaly Detection
    4.3.3. Re-evaluation Technique
    4.3.4. Trust Assessment
  4.4. Tunnel algorithm
  4.5. Simulation results and analysis
    4.5.1. Simulation and attack setup
    4.5.2. Static scenario
    4.5.3. Mobile scenario
    4.5.4. Analysis
  4.6. Conclusion
5. MobilityFirst-based Internet of Things
  5.1. Introduction
  5.2. Survey of the Evolution of IoT Architectures
  5.3. General Security Analysis of IoT Systems
  5.4. MobilityFirst-based IoT Architecture
    5.4.1. IoT Architecture Design based on MobilityFirst Infrastructure
    5.4.2. Protect IoT through Existing MobilityFirst Network Services
  5.5. IoT Middleware Security
    5.5.1. Overview of the Name Resolution Framework in MobilityFirst-based IoT
    5.5.2. Major Functionalities of IoT Name Resolution Service
  5.6. Delegation-based Key Provisioning Protocol
    5.6.1. Overview
      Problem Description
    5.6.2. System Model
    5.6.3. Security Requirements
    5.6.4. Adversarial Model
    5.6.5. Protocol Design Choices and Considerations
      Investigation of Three Party Key Exchange Protocols
      SIGMA Protocol
    5.6.6. Protocol Specifications
    5.6.7. Discussions and Security Analysis
      Protocol Security Analysis
      Lightweight Approach
    5.6.8. Proof of Concept
      Modularized Prototype Framework
      Implementation Choices and Considerations
      Demo of the Prototype
    5.6.9. Use Cases
  5.7. Conclusion
6. Conclusion
  6.1. Summary of Thesis Contributions
  6.2. Future Work
    6.2.1. Integrating Security Measures into the GNRS Prototype
    6.2.2. Name Certificate & Resolution Service
    6.2.3. Securing MobilityFirst Routing Protocols
References
Appendix A. Acknowledgment of Previous Publications
Appendix B. Refereed Publications as a Ph.D. Candidate
Appendix C. Funding Acknowledgement

List of Tables

5.1. Protocol Notations
5.2. Cryptography Algorithm Choices
5.3. Cryptographic Parameter Settings

List of Figures

1.1. Major architecture features of the MobilityFirst network.
1.2. The protocol stack of the MobilityFirst architecture.
2.1. Overview of the two-tier name resolution involved in MobilityFirst.
2.2. The MobilityFirst approach to name resolution involves the Name Certificate & Resolution Service (NCRS) and the Global Name Resolution Service (GNRS). The NCRS serves the role of a certificate registration service that associates human-readable names to GUIDs, while the GNRS translates GUIDs into network addresses
2.3. GNRS Update Scheme.
2.4. GNRS Query Scheme.
2.5. GNRS Update Protocol.
2.6. GNRS Query Protocol.
2.7. Orphan Mapping Insert.
2.8. Mapping Migration.