Download
1 / 11
110 likes | 238 Vues
This paper presents the integration of enhanced security features into the Delay-Tolerant Networking (DTN) Bundle Protocol, specifically through DTN2. It covers the implementation of the Bundle Authentication Header (BAH), Payload Security Header (PSH), and Confidentiality Header (CH) to ensure authenticity and confidentiality of data during transmission. By using cryptographic techniques and security-aware node configurations, the framework allows for optional security features that can be tailored to specific needs. This contributes to stronger and more secure communication in challenging networking environments.
E N D
The Integration of the Bundle Security Protocol Features into DTN2 Walter J. Scheirer and Prof. Mooi Choo Chuah Department of Computer Science and Engineering Lehigh University
References: • Bundle Security Protocol Specification • draft-irtf-dtnrg-bundle-security-00, June 8, 2005 • Bundle Protocol Specification • draft-irtf-dtnrg-bundle-spec-03.txt, July 2005 * • draft-irtf-dtnrg-bundle-spec-02.txt, Sept. 2004 • DTN2 • Sept. 6, 2005 CVS revision • Current
Major Features • Bundle Authentication Header (BAH) • Payload Security Header (PSH) • Confidentiality Header (CH) • Bundle Fragmentation/Reassembly
Summary of Technical Approach • Bundle Authentication Header (BAH) • The BAH is used to assure the authenticity of the bundle along a single hop from sender to recipient • Payload Security Header (PSH) • The PSH is used to assure the authenticity of the bundle from the PSH security source, which creates the PSH, to the PSH security destination, which verifies the PSH authenticator • Confidentiality Header (CH) • The CH is used to indicate that the bundle payload has been encrypted while en route between the CH source and the CH security destination
Summary of Technical Approach • Each node will turn on the optional security-related delivery option parameters if it desires certain security features - • if it desires confidentiality, then a CH header must be applied to the bundle • if it desires authentication, a PSH and/or a BAH must be applied and the relevant parts of the bundle digitally signed or MACed appropriately
Primary Bundle Header All other Headers BAH (w/ signed Hash value PSH (w/ signed Hash value) Confid. Header Payload Class Len. Payload AE78F98D567BB32CAD5F4D BAH Primary Bundle Header Fragment Header (offset=0) All other Headers Next Hdr Len. Format flag Toilet Paper Ciphersuite ID Payload Segment Size Payload Hash Size Key ID (optional) 0 PSH (w/ signed Hash value) Confid. Header Payload Class Len. Payload AE78F98D Authent. of Hdr & payload segment PSH, confidentiality header and payload class field deleted from successive fragments BAH Primary Bundle Header Fragment Header (offset=9) All other Headers Next Hdr Len. Format flag Toilet Paper Ciphersuite ID Payload Segment Size Payload Hash Size Key ID (optional) 0 Len. 567BB32 Authent. of Hdr & payload segment CAD5F4D Authent. of Hdr & payload segment Bundle with security headers Challenges faced in fragmentation scenario:
Implementation Details • Ciphersuites • Have been implemented using the OpenSSL (v. 0.9.7a, Fedora Core 2) library • Significant code addition to servlib/bundling/BundleProtocol.cc • BAH • EntireBundleHMAC, HeadofBundleHMAC, HeadOfBundleSig, EntireBundleSig, EntireBundleMAC
Implementation Details • PSH • EntireBundleHMAC • CH • Payload Encryption - Blowfish • Support different combinations of Headers • BAH, PSH, CH; BAH and PSH; BAH and CH
Implementation Details • Security Headers Sending Receiving populate header fields parse header fields apply ciphersuite apply ciphersuite append to bundle verify integrity
Implementation Details • Protocol Stack TCP Convergence Layer Bundle Transmitted BundleProtocol.cc / format_headers() BundleProtocol.cc / parse_headers() build CH check BAH build PSH check PSH build BAH check CH TCP Convergence Layer Bundle Received
