The Integration of the Bundle Security Protocol Features into DTN2
Walter J. Scheirer and Prof. Mooi Choo Chuah
Department of Computer Science and Engineering
Lehigh University
References:
Bundle Security Protocol Specification draft-irtf-dtnrg-bundle-security-00, June 8, 2005
Bundle Protocol Specification draft-irtf-dtnrg-bundle-spec-03.txt, July 2005 * draft-irtf-dtnrg-bundle-spec-02.txt, Sept. 2004
DTN2 Sept. 6, 2005 CVS revision Current
Major Features
Bundle Authentication Header (BAH)
Payload Security Header (PSH)
Confidentiality Header (CH)
Bundle Fragmentation/Reassembly
Summary of Technical Approach
Bundle Authentication Header (BAH)
  The BAH is used to assure the authenticity of the bundle along a single hop from sender to recipient
Payload Security Header (PSH)
  The PSH is used to assure the authenticity of the bundle from the PSH security source, which creates the PSH, to the PSH security destination, which verifies the PSH authenticator
Confidentiality Header (CH)
  The CH is used to indicate that the bundle payload has been encrypted while en route between the CH source and the CH security destination
Summary of Technical Approach
Each node will turn on the optional security-related delivery option parameters if it desires certain security features:
  if it desires confidentiality, then a CH header must be applied to the bundle
  if it desires authentication, a PSH and/or a BAH must be applied and the relevant parts of the bundle digitally signed or MACed appropriately
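A simplified model of the BAH/PSH split described above, added here as an example (not code from DTN2 or from the slides): the BAH is an HMAC keyed per hop and replaced at each forwarder, while the PSH is keyed between the security source and the security destination. The keys, node names, dictionary layout and the use of HMAC-SHA256 are assumptions, not the draft's wire format.

```python
import hmac, hashlib

# Constructed keys (assumptions): one end-to-end key for the PSH, one key per hop for the BAH.
PSH_KEY = b"src-dst-shared-key"
HOP_KEYS = {("A", "B"): b"hop-A-B-key", ("B", "C"): b"hop-B-C-key"}

def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts (SHA-256 is an assumed choice)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def source_send(primary, payload, hop):
    """Security source: add the PSH first, then the BAH for the first hop."""
    psh = mac(PSH_KEY, primary, payload)
    bah = mac(HOP_KEYS[hop], primary, psh, payload)
    return {"primary": primary, "psh": psh, "bah": bah, "payload": payload}

def bah_ok(bundle, hop):
    expected = mac(HOP_KEYS[hop], bundle["primary"], bundle["psh"], bundle["payload"])
    return hmac.compare_digest(expected, bundle["bah"])

def forward(bundle, in_hop, out_hop):
    """Intermediate node: verify the incoming BAH, replace it for the next hop, keep the PSH."""
    if not bah_ok(bundle, in_hop):
        raise ValueError("BAH check failed on hop %s->%s" % in_hop)
    out = dict(bundle)
    out["bah"] = mac(HOP_KEYS[out_hop], out["primary"], out["psh"], out["payload"])
    return out

def destination_receive(bundle, in_hop):
    """PSH security destination: the BAH covers the last hop, the PSH the whole path."""
    psh = mac(PSH_KEY, bundle["primary"], bundle["payload"])
    return bah_ok(bundle, in_hop), hmac.compare_digest(psh, bundle["psh"])

def demo():
    sent = source_send(b"src=A;dst=C", b"sensor reading 42", ("A", "B"))
    clean = destination_receive(forward(sent, ("A", "B"), ("B", "C")), ("B", "C"))
    # A forwarder that alters the payload can still produce a valid BAH for its own hop
    # but cannot recompute the PSH without the end-to-end key.
    altered = dict(sent, payload=b"sensor reading 99")
    altered["bah"] = mac(HOP_KEYS[("B", "C")], altered["primary"], altered["psh"], altered["payload"])
    tampered = destination_receive(altered, ("B", "C"))
    return clean, tampered

if __name__ == "__main__":
    print(demo())
```

Each pair returned by demo() is (BAH valid, PSH valid): a valid BAH only vouches for the previous hop, so the destination needs the PSH check to detect a change made earlier on the path.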
Bundle with security headers
[Figure: layout of a bundle showing a BAH (w/ signed hash value), a PSH (w/ signed hash value), a Confidentiality Header, the Primary Bundle Header, all other headers and the payload, together with the same bundle split into fragments carrying Fragment Headers at offset=0 and offset=9. Labelled fields: Payload Class, Len., Payload Segment Size, Payload Hash Size, Ciphersuite ID, Format flag, Key ID (optional), Next Hdr, Authent. of Hdr & payload segment.]
PSH, confidentiality header and payload class field deleted from successive fragments
Challenges faced in fragmentation scenario:
Implementation Details
Ciphersuites
  Have been implemented using the OpenSSL (v. 0.9.7a, Fedora Core 2) library
  Significant code addition to servlib/bundling/BundleProtocol.cc
BAH
  EntireBundleHMAC, HeadofBundleHMAC, HeadOfBundleSig, EntireBundleSig, EntireBundleMAC
Implementation Details
PSH
  EntireBundleHMAC
CH
  Payload Encryption - Blowfish
Support different combinations of headers
  BAH, PSH, CH; BAH and PSH; BAH and CH
Implementation Details
Security Headers
  Sending: populate header fields, apply ciphersuite, append to bundle
  Receiving: parse header fields, apply ciphersuite, verify integrity
Implementation Details
Protocol Stack
  Bundle Transmitted
    BundleProtocol.cc / format_headers()
      build CH
      build PSH
      build BAH
    TCP Convergence Layer
  Bundle Received
    BundleProtocol.cc / parse_headers()
      check CH
      check PSH
      check BAH
    TCP Convergence Layer
Questions?