The Integration of the Bundle Security Protocol Features into DTN2
11 Slides120.00 KB
The Integration of the Bundle Security Protocol Features into DTN2 Walter J. Scheirer and Prof. Mooi Choo Chuah Department of Computer Science and Engineering Lehigh University
References: Bundle draft-irtf-dtnrg-bundle-security-00, June 8, 2005 Bundle Security Protocol Specification Protocol Specification draft-irtf-dtnrg-bundle-spec-03.txt, July 2005 * draft-irtf-dtnrg-bundle-spec-02.txt, Sept. 2004 DTN2 Sept. 6, 2005 CVS revision Current
Major Features Bundle Authentication Header (BAH) Payload Security Header (PSH) Confidentiality Header (CH) Bundle Fragmentation/Reassembly
Summary of Technical Approach Bundle Authentication Header (BAH) The BAH is used to assure the authenticity of the bundle along a single hop from sender to recipient Payload Security Header (PSH) The PSH is used to assure the authenticity of the bundle from the PSH security source, which creates the PSH, to the PSH security destination, which verifies the PSH authenticator Confidentiality Header (CH) The CH is used to indicate that the bundle payload has been encrypted while en route between the CH source and the CH security destination
Summary of Technical Approach Each node will turn on the optional security-related delivery option parameters if it desires certain security features if it desires confidentiality, then a CH header must be applied to the bundle if it desires authentication, a PSH and/or a BAH must be applied and the relevant parts of the bundle digitally signed or MACed appropriately
Bundle with security headers Primary Bundle Header All other Headers BAH (w/ signed Hash value PSH (w/ signed Hash value) Confid. Header Payload Class Len. Payload AE78F98D567BB32CAD5F4D Challenges faced in fragmentation scenario: BAH Primary Fragment Toilet Paper Payload Payload PSH Authent. of All other Next Format Key ID Confid. Payload Payload Bundle Header Len. Ciphersuite Segment Hash 0 (w/ signed Len. Hdr & payload Headers Hdr flag (optional) Header Class AE78F98D Header (offset 0) ID Size Size Hash value) segment BAH PSH, confidentiality header and payload class field deleted from successive fragments Primary Fragment Toilet Paper Payload Payload Authent. of Authent. of All other Next Format Key ID Bundle Header Len. Ciphersuite Segment Hash 0 Len. Hdr & payload Hdr & payload Headers Hdr flag (optional) 567BB32 CAD5F4D Header (offset 9) ID Size Size segment segment
Implementation Details Ciphersuites Have been implemented using the OpenSSL (v. 0.9.7a, Fedora Core 2) library Significant code addition to servlib/bundling/BundleProtocol.cc BAH EntireBundleHMAC, HeadofBundleHMAC, HeadOfBundleSig, EntireBundleSig, EntireBundleMAC
Implementation Details PSH EntireBundleHMAC CH Payload Support BAH, Encryption - Blowfish different combinations of Headers PSH, CH; BAH and PSH; BAH and CH
Implementation Details Security Headers Sending Receiving populate header fields parse header fields apply ciphersuite apply ciphersuite append to bundle verify integrity
Implementation Details Protocol Stack Bundle Transmitted BundleProtocol.cc / format headers() TCP Convergence Layer BundleProtocol.cc / parse headers() build CH check BAH build PSH check PSH build BAH check CH TCP Convergence Layer Bundle Received
Questions?