Enhancing Survivability of Security Services using Redundancy

Presented by: Zijian Cao

Joe Ondercin

Based on a paper by Matti Hiltunen, Richard D. Schlichting, and Carlos A. Ugarte

Overview

Traditional security services– Single method to guarantee security attributes– Single point of vulnerability

Use redundancy to increase survivability– Implement using multiple methods– Implement in ways that can vary unpredictably

Requirements

Appropriate techniques System support

Techniques

Use multiple methods to enforce security attribute– If one method remains intact, attribute remains

uncompromised

Methods need to be independent– Use of same key by different methods can

result in both being defeated

Example - Secure Messaging

Encrypt messages with different methods– Use DES, then IDEA– Alternate the sequence of applying DES and

IDEA for different messages– Apply different methods to different parts of

message

Both methods would have to be identified and broken to compromise data

System Support

Simplifies redundancy based survivability techniques using the appropriate software customization framework.

Automation of techniques

Example - SecComm

SecComm– A highly configurable secure communicate service

– Implemented using Cactus

Cactus– A framework for software customization

– Constructs configurable network protocols and services

– Implements each service property as a separate software module (called a micro-protocol)

Security Properties

Basic– Authenticity

– Privacy

– Integrity

– Non-repudiation

Attack Specific– Replay prevention

– Known plain text attack prevention

                              

Basic Security Micro-protocols (MPs) Individual methods that can be utilized Addresses security properties Allows different abstract service properties

and their variants to be implemented as independent modules

Meta-security MP’s

Applying multiple or alternating basic security micro-protocols

Selected based on the desired properties Creates a complex protocol

– Key feature to enabling redundancy for survivability

Examples of Meta-security MP’s

MultiSecurity– Applies multiple basic security MP’s to a

message in sequence AltSecurity

– Applies one MP to each message, sequentially from a predetermined list

RandomAltSecurity– Randomly chooses the method for each

message

Trade-offs

Performance Configuration constraints

                                                

                                           

Why is this important?

Needs to be considered when designing architecture

Can reduce the potential for compromise– Security through obscurity– Use of available technology

Questions