Page 1: [IEEE 2006 Innovations in Information Technology - Dubai, United Arab Emirates (2006.11.19-2006.11.21)] 2006 Innovations in Information Technology - A Thin Security Layer Protocol

1-4244-0674-9/06/$20.00 ©2006 IEEE.

A Thin Security Layer Protocol over IP Protocol on TCP/IP Suite for Security Enhancement

Mohammad Al-Jarrah

Computer Engineering Department, Hijjawi Faculty for Eng. Technology, Yarmouk University, Irbid 21163 – Jordan

Abdel-Karim R. Tamimi

Computer Engineering Department, Hijjawi Faculty for Eng. Technology, Yarmouk University, Irbid 21163 – Jordan

Abstract

In this paper, we propose a security enhancement for the TCP/IP suite. This enhancement adds three modules to TCP/IP: security policy, security control, and a data security layer. Unlike IPsec, which plugs all security enforcement into the IP layer, the proposed architecture distributes its modules into their relevant layers. The security policy module belongs to the application layer, and the security control and management module is located in the transport layer. The data security layer is located between the transport layer and the IP layer. The security policy module interacts with the system administrator to define the policies and roles of security to be applied in data communication. The security control module provides the means to apply the security policy defined in the security policy module and establishes a secure channel. It uses four-way handshaking and public key cryptography (PKC) to create a virtual secure connection and a security entity (SE). The SE holds the secret key cryptography (SKC), the addresses of the two hosts that share this SKC, and other vital information necessary to carry out secure data communication. For data security, we propose a thin security protocol (TSP) over the IP protocol. TSP encrypts and encapsulates the incoming transport layer packet into TSP packets. The TSP packet header consists of only two fields, each of them one byte long. The first field identifies the TSP packet type, such as public key request, public key acknowledgement (ACK), secret key, and secret key ACK. The second field carries information about the transport layer protocol. In the TSP design and implementation, our concern was to minimize the overhead added to IP, including traffic volume and transmission delay. In terms of data size, TSP adds only two bytes as the TSP header.

Index Terms — secure protocol, encryption, internet security, secure channel.

1. Introduction

In today’s Internet, the TCP/IP suite is used for communications. It has enabled millions of computers to communicate globally. Since the first implementation of the TCP/IP suite, users have suffered from the lack of secure data transfer via the Internet [2,3,8,9]. Unfortunately, the TCP/IP suite, which is the de facto standard for the Internet, manages security together with many other issues in the application layer, making it a very thick one. Furthermore, this means that the security problem needs to be solved by application developers, whose concentration is mainly on the main task of their application.

To overcome this problem, many protocols have been introduced to face the growing expansion of the Internet and the need to secure data transfer against attacks by hackers and sniffers. SSL, IPsec and other protocols were introduced to accomplish the security task [1,4,5,6,7]. SSL concentrates on providing a secure connection as a part of the application layer.

IPsec added all security requirements into the IP layer, achieving security transparency with respect to users and securing the entire IP packet, including the upper protocols [4]. Enlarging the IP layer in this way complicates implementations. In fact, IPsec is perhaps one of the most complicated and confusing security standards ever put forward for universal implementation. Finding IPsec-compliant products from two different vendors that interoperate has been a difficult task, even seven years after the first IP security proposal. Moreover, IPsec added too much overhead to communication via the Internet by using heavy headers such as AH and ESP.

In this paper we propose a modular and comprehensive security architecture. Our proposed architecture does not plug all security modules into the IP layer. Moreover, our proposed networking architecture is compatible with the implemented TCP/IP protocol. This means that any two workstations using the proposed architecture can communicate with each other through the Internet even though no device in the middle implements the proposed architecture. After that, this paper focuses on the data security layer, which is located between the transport layer and the IP layer.

In the following section, we study the security issues and relate them to the communication module via the Internet. In section III, we discuss the proposed architecture for secure communication via the Internet using the TCP/IP stack as a reference. The data security layer, which is the theme of this paper, is discussed in detail in section IV. Section V includes the conclusion.

2. Data Transmission Security over Internet

For better use of the Internet, the communication infrastructure, including all means of networking such as protocols, networking devices such as routers and gateways, and applications, should provide a satisfactorily secure environment. This environment should provide users with measures to define their security requirements and satisfaction.

Security flaws of communication via the Internet have been studied thoroughly [2,3,7]. Accordingly, security can be divided into two categories. The first category is called data security. Undesired users or hosts can sniff data transmitted via the Internet. The data can reach undesired users or hosts because, as it travels through the Internet, it passes many points that are not completely trusted. Many hosts and users have access to such points, and they may be able to capture a copy of the data. The second category covers unauthorized users or hosts connecting to private data units. Those unauthorized users can exchange data via the Internet with these private units. Moreover, a private unit may communicate with unauthorized users thinking that it is communicating with the proper one.

In this paper, we propose a security enhancement to the TCP/IP suite that merges three modules into it to provide a more secure environment. As discussed in detail in the following section, the first module considers the user's security requirements and satisfaction. The second is the security control and management module, and the third solves the data security problem.

3. Proposed Security Enhancement to TCP/IP Suite

In this paper we propose a modular and comprehensive security architecture. Our proposed architecture does not plug all security modules into the IP layer. Moreover, our proposed networking architecture is compatible with the implemented TCP/IP protocol. This means that any two workstations using the proposed architecture can communicate with each other through the Internet even though no device in the middle implements the proposed architecture. After that, this paper focuses on the data security module, which is one module of the proposed security system. The proposed structure is shown in Figure 1. The first module, the policy management unit, interacts with the system administrator. The second module, security control and management, provides the data security layer with all the facilities required to achieve its goal. The third module, the data security module, is responsible for solving the data security problem.

3.1. Security Policy Module

The security policy module lies in the application layer of the TCP/IP suite and interacts with users to define the proper security requirements. Security requirements are a high-level abstraction of the security services provided by this architecture. These security policies are stored and used by the security control and management module to define the actions that should be accomplished for each communication session.

3.2. Security Control and Management Module

The security control and management module gets security requirements from its upper layer, which is the security policy module. Based on the requirements, this module acts on each communication session. The security control and management module is responsible for providing the means required by the data security layer. It creates a security entity (SE) for each communication session. The SE contains the address of the sender, the address of the receiver, the symmetric encryption key, the encryption algorithm, the compression algorithm, a compression-enable setting, and the SE lifetime for which this SE will stay alive in the security control cache. The security control module establishes an SE for sessions that do not have a live SE and for sessions whose SE has expired. The challenge of establishing a secure connection for the first time is overcome by using an asymmetric encryption algorithm. Figure 2 shows a four-way handshaking approach to establish a secure connection and exchange symmetric encryption keys between the sender and receiver.

Figure 1. Proposed security enhancement architecture for TCP/IP suite.

As illustrated in Figure 2, when host A needs to send data to host B through the data security layer, it sends a public key request to B. The session encryption and compression algorithms are stated in this packet. The response depends on B's decision about host A's request. If host B does not accept the request, it responds with an end connection packet. If host B accepts the request, it sends a public key acknowledgment (ACK) packet that holds the public key for this session. Then host A responds with a secret key packet that holds the symmetric key for the encryption process. This symmetric key is encrypted using the public key received in the prior step. Finally, host B replies with a secret key acknowledgment (ACK) packet to inform host A that the secret key has been accepted.

If the SE has expired and the communication session has not yet terminated, the security control module needs to establish a new SE. Based on the security policy, the new SE can be established using the previous symmetric encryption key or using the four-way handshaking approach. If using the aging SE to establish the new SE is possible, the establishment process should start and complete before the aging one expires.
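The handshake and SE lifetime rules of this section can be written as a small state machine for host A. This is an added example, not the authors' implementation; the numeric packet codes, state names, field sizes and function names are assumptions.

```c
#include <stdint.h>
#include <time.h>

/* Packet kinds named in section 3.2; the numeric values are assumptions. */
enum tsp_msg { PK_REQ = 1, PK_ACK, SECRET_KEY, SECRET_KEY_ACK, END_CONN };

/* Host A (initiator) states; the names are hypothetical. */
enum hs_state { HS_IDLE, HS_WAIT_PK_ACK, HS_WAIT_SK_ACK, HS_ESTABLISHED, HS_CLOSED };

/* Security entity with the fields listed in section 3.2 (sizes assumed). */
struct se {
    uint32_t sender, receiver;   /* addresses of the two hosts */
    uint8_t  key[16];            /* symmetric session key */
    uint8_t  enc_alg, comp_alg, comp_enabled;
    time_t   expires;            /* end of the SE lifetime */
    enum hs_state state;
};

#define HS_NONE   0     /* nothing to send */
#define HS_REJECT (-1)  /* packet not expected in the current state */

/* Step 1: A opens the handshake. Returns the packet kind to transmit. */
int se_start(struct se *s) {
    if (s->state != HS_IDLE) return HS_REJECT;
    s->state = HS_WAIT_PK_ACK;
    return PK_REQ;
}

/* Steps 2-4 as seen by A: only the packet the current state is waiting for
 * advances the handshake; anything else is rejected and the state is kept. */
int se_on_packet(struct se *s, enum tsp_msg m, time_t now, time_t lifetime) {
    if (m == END_CONN && s->state != HS_IDLE && s->state != HS_CLOSED) {
        s->state = HS_CLOSED;            /* B refused or ended the session */
        return HS_NONE;
    }
    switch (s->state) {
    case HS_WAIT_PK_ACK:
        if (m != PK_ACK) return HS_REJECT;
        s->state = HS_WAIT_SK_ACK;
        return SECRET_KEY;               /* key goes out under B's public key */
    case HS_WAIT_SK_ACK:
        if (m != SECRET_KEY_ACK) return HS_REJECT;
        s->state = HS_ESTABLISHED;
        s->expires = now + lifetime;     /* SE becomes live in the cache */
        return HS_NONE;
    default:
        return HS_REJECT;
    }
}

/* Data may use the SE only while it is established and unexpired. */
int se_usable(const struct se *s, time_t now) {
    return s->state == HS_ESTABLISHED && now < s->expires;
}

/* Re-establishment has to start and complete before the aging SE expires,
 * so begin once the remaining lifetime drops to the given margin. */
int se_needs_renewal(const struct se *s, time_t now, time_t margin) {
    return s->state == HS_ESTABLISHED && now < s->expires &&
           s->expires - now <= margin;
}
```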

3.3. Data Security Layer

The data security layer uses a symmetric data encryption algorithm. The symmetric key used in this layer is provided by the security control module. As described for the security control module, there is a security entity (SE) for each communication session. Furthermore, the data security layer may use a data compression algorithm to reduce the size of the encrypted data. We used data compression because the output of some encryption algorithms is larger than the input data, and because the overhead added by compression is accepted by the security policy defined by the system administrator. In fact, the encryption algorithm's output is larger than its input when the input size is small.

For the data security layer, we proposed a thin, light protocol. We implemented and tested this protocol. The following section introduces the proposed protocol and discusses its impact on the TCP/IP suite.

4. Thin Security Protocol

The thin security protocol (TSP) is intended to provide data security for all packets coming from the transport layer. It encrypts transport layer packets using a symmetric encryption algorithm, as shown in Figure 1. The TSP header is only two bytes. The first byte holds vital protocol information and the other preserves the transport layer protocol type, such as TCP or UDP. The two-byte TSP header is specified in detail in Figure 3.

The first byte contains the TSP type field, which is 5 bits long; it holds the type of TSP packet that is transmitted. TSP types are public key request, public key acknowledgment (ACK), secret key, secret key ACK, end connection, and end connection ACK packet. The rest of the first byte is used as indication flags. The first flag, denoted “Include Trans. Layer”, specifies whether this TSP packet has an encrypted transport layer header or whether that header is outside the encryption boundaries. The second bit, denoted “Compress Packet”, indicates whether this packet is compressed. Packet data is compressed after it is encrypted, so the flag works as an indicator that allows the post-decryption handler to decompress the received data. The last bit is reserved for future use. The second byte, which indicates the upper layer protocol, is identical to the corresponding field in the original IP header. The upper layer protocol field is filled with 255 to indicate that the TSP protocol is used.

Figure 2. Exchanging symmetric encryption key using four-way handshaking.

Figure 3. TSP protocol header.

The proposed security enhancement for TCP/IP has been implemented for the Windows 2000 operating system. We used Visual Studio .NET to implement our proposed modules for Windows 2000. Moreover, we implemented it in the C language for the Linux operating system. The experimental results showed that the overhead TSP adds to transmission delay is very small and in most cases negligible. The results of our experiments on the Linux operating system are much better than the results of the experiments on Windows 2000. This is because we used the C language, which adds less overhead than an object-oriented language such as C#. Finally, we concluded that the TSP protocol provides the necessary security for the TCP/IP suite with very little performance degradation.
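The two-byte header described above can be encoded and parsed as follows. This is an added example, not the authors' code: Figure 3 is not reproduced on this page, so the bit positions inside the first byte and the numeric type codes are assumptions, as are all identifier names.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed layout of byte 0: bits 7..3 = TSP type, bit 2 = Include Trans.
 * Layer, bit 1 = Compress Packet, bit 0 = reserved. Byte 1 = upper protocol. */
#define TSP_HDR_LEN      2
#define TSP_F_INCL_TRANS 0x04
#define TSP_F_COMPRESSED 0x02
#define TSP_F_RESERVED   0x01

/* The paper names the packet types; these numeric codes are assumptions. */
enum tsp_type { TSP_PK_REQ = 1, TSP_PK_ACK, TSP_SECRET_KEY, TSP_SECRET_KEY_ACK,
                TSP_END_CONN, TSP_END_CONN_ACK, TSP_DATA,
                TSP_TYPE_MAX = TSP_DATA };

struct tsp_hdr {
    uint8_t type;        /* 5-bit packet type */
    uint8_t incl_trans;  /* transport header lies inside the encrypted part */
    uint8_t compressed;  /* receiver has to decompress the payload */
    uint8_t upper_proto; /* transport protocol, e.g. 6 = TCP, 17 = UDP */
};

enum tsp_err { TSP_OK = 0, TSP_E_SHORT = -1, TSP_E_TYPE = -2, TSP_E_RESERVED = -3 };

/* Serialize a header into out[0..1]; refuses type codes outside the table. */
int tsp_pack(const struct tsp_hdr *h, uint8_t *out, size_t cap) {
    if (cap < TSP_HDR_LEN) return TSP_E_SHORT;
    if (h->type == 0 || h->type > TSP_TYPE_MAX) return TSP_E_TYPE;
    out[0] = (uint8_t)(h->type << 3);
    if (h->incl_trans) out[0] |= TSP_F_INCL_TRANS;
    if (h->compressed) out[0] |= TSP_F_COMPRESSED;
    out[1] = h->upper_proto;
    return TSP_OK;
}

/* Parse a received header. Truncated input, unknown types and a set reserved
 * bit are rejected (strict handling of the reserved bit is a choice made
 * here, not something the paper specifies). */
int tsp_parse(const uint8_t *buf, size_t len, struct tsp_hdr *h) {
    if (len < TSP_HDR_LEN) return TSP_E_SHORT;
    uint8_t type = (uint8_t)(buf[0] >> 3);
    if (type == 0 || type > TSP_TYPE_MAX) return TSP_E_TYPE;
    if (buf[0] & TSP_F_RESERVED) return TSP_E_RESERVED;
    h->type = type;
    h->incl_trans = (buf[0] & TSP_F_INCL_TRANS) != 0;
    h->compressed = (buf[0] & TSP_F_COMPRESSED) != 0;
    h->upper_proto = buf[1];
    return TSP_OK;
}
```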

5. Conclusion

In this paper, we proposed a comprehensive security enhancement for the TCP/IP suite. In this new structure of TCP/IP we added three modules: security policy, security control, and the data security layer. The security policy module belongs to the application layer and gets the required security roles from administrators. The role of security control is to monitor the security in the system and provide all the means the data security layer needs to achieve a high measure of security. It is responsible for building a secure connection between communicating hosts and maintaining it. It uses four-way handshaking and public key cryptography (PKC) to create a virtual secure connection and a security entity (SE). The SE holds the secret key cryptography (SKC) and the addresses of the two hosts that share this SKC. The responsibility of the data security layer is to transmit upper layer data encrypted using a symmetric encryption algorithm. All the information required to achieve this goal is stored in the SE located in the security control unit. To accomplish the goal of the data security layer, we proposed a thin security protocol (TSP) that encrypts and encapsulates the incoming transport layer packet into TSP packets. The TSP packet header consists of only two fields, each of them one byte long. The first field identifies the TSP packet type, such as request, acknowledgement, transport layer data, or channel terminating packets. The second field carries information about the transport layer protocol. The TSP protocol minimizes the overhead added to IP, including traffic volume and transmission delay. In terms of data size, TSP adds only two bytes as the TSP header. Furthermore, TSP compresses the encrypted data before sending it.

The proposed security enhancement for TCP/IP has been implemented for the Windows 2000 operating system and the Linux operating system. The experimental results showed that the overhead TSP adds to transmission delay is very small. Finally, we concluded that the TSP protocol provides the necessary security for the TCP/IP suite with very little performance degradation.

6. References

[1] A. Inoue, M. Ishiyama, A. Fukumoto, and T. Okamoto, “Secure mobile IP using IP security primitives,” Proceedings Sixth IEEE workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises, pp. 235 – 241, 1997.

[2] A. Yasinsac, and J. Childs, “Analyzing Internet Security Protocols,” Sixth IEEE International Symposium on High Assurance Systems Engineering, Boca Raton, Florida, October 2001.

[3] S.M. Bellovin, “Security problems in the TCP/IP protocol suite,” Computer Communication, vol. 19, no. 2, pp. 32-48, April 1989.

[4] R. Takahashi and J. Davis, “The IP Security Protocol and its Impact on the Network,” Corrent White Paper Series, August 2003.

[5] Y. Zhang, “A Multi-Layer IP Security Protocol for TCP Performance Enhancement in Wireless Networks,” IEEE Journal on Selected Areas in Communications, vol. 1, no. 1, 2004.

[6] P. Cheng, J. A. Garay, A. Herzberg, “A security architecture for the Internet Protocol,” IBM System Journal, vol. 37, no. 1, 1998.

[7] J. Sierra, J. Hernandez, A. Ribagorda, and N. Jayaram, “Migration of Internet security protocols to the IPSEC framework,” Proceedings. 36th Annual 2002 International Carnahan Conference on Security Technology, pp. 134-143, 2002.

[8] I. Hajjeh, M. Badra, and A. Serhrouchni, “Building a secure and extensible protocol for wired and wireless environments,” IEEE 61st Vehicular Technology Conference, vol. 5, pp. 3004-3008, VTC 2005.

[9] Y. Zhang, “A multilayer IP security protocol for TCP performance enhancement in wireless networks,” IEEE Journal on Selected Areas in Communications, vol. 22, issue 4, pp. 767-776, May 2004.