Tuesday, June 14, 2011

Universal Solution considerations for Insecure Communications Media



Sometimes the largest hammer is used to conduct the finest tuning.

Ipsec is defined in RFC's 2401, 2409, 4301 and 4308. [IETF]i; IPSec's goal is to secure two communicating parties or networks via either an application to gateway or gateway to gateway communications. Where possible virtual private networks are created by the use of IPSec within organizations that maintain multiple campuses or offices. IPSec secures the entire TCP/IP stack by encapsulating all communications above layer 3 for either host to gateway or gateway to gateway or even network to network communications between two gateways.

XML is a standard upon which the web 2.0” functions; it's a subset of SGML and it's goal is to act as a standard to serve and process content, the “Semantic web” as Burns-lee describes it is composed primarily of servers interchanging and presenting data from various servers of SGML. XML is defined by the W3C and is a standard used to define and markup data to improve interoperability between web-pages and browsers in a standardized format.[W3C]ii Most websites dynamic or otherwise on the internet today use XML with one or more dynamic content languages. XML may be secured by various methods including using TLS or by using the ECDSA algorithm which is based in ECC based digital signatures [IETF]iii and XMLRPC is a formal data interchange standard.

S/MIME is a method used to secure Internet e-mail operations between compatible mail transfer agents as to ensure that the mime components of e-mail messages may not be compromised by anyone with access to the data in transit by using Public Key Infrastructure and X.509 based certificates. It's outlined in PCKS#7[RSA]iv and the IETF standards 3369, 3370, 3850 and 3851.[IETF]v S/MIME uses PKI to secure packets of e-mail in transit form one MTA to another MTA.

TLS is another standard widely implemented used primarily to secure web-sessions between a client and a server that also rely upon public key infrastructure. XML is usually secured with the use of TLS on the server serving content to web-sessions or clients. TLS is defined in RFC 5246.[IETF]vi

Ipsec, TLS, ECDSA and S/MIME are standards and protocols that utilize efficient encryption to prevent external parties from viewing content in transit across a network of given nodes that may be hostile. This is refereed to as the Byzantine general problem. These protocols are not redundant but they are also not exclusive; each protocol serves a specific function with respect to communications between two parties.

IPSec will encapsulate S/MIME, TLS and SSL connections although doing so is not very efficient use of the given communications bandwidth on the network in question.

S/MIME and TLS will encapsulate XML based content in transit but it relies upon the client's level of trust with respect to public key infrastructure. ECDSA can be implemented to secure XMLRPC components with dynamically presented content where the origins are varied separate systems.

The common theme among all of these standards and protocols with the exception of XML is that they are designed to secure communications across an Ipv4 network, IPSec was originally designed for IP v6 as the IETF projected IP v4 address exhaustion in 1998. IP v6 is defined in RFC 2460 and is a newer and backwards compatible networking protocol with IP v4 that incorporates native IPSec support.vii It's a replacement for Layer 3 communications within TCP/IP designed to meet the address assignment problems with IP v4.

Therefore we may assume that IP v6 can facilitate the adoption of a universal security standard; however even IP v6 has security considerations that must be addressed since it's not in widespread use and adoption rates are slow IP v6 contains many issuse's that need to be addressed. Vogel et al state that PKI for IP v6 is not widely adopted nor is IPSec adequate protection for integrity, Dual stack facilitates attackers hiding behind IP v4 NAT and gateways; there are also 16 methods to generate an address in IP v6 as such it may also be subject to spoofing attacks, in addition to this v6 uses computationally weak cryptographic checksums for integrity.[VD]viii

Thus there may exist even within IP v 6 the need for TLS and S/MIME as standards to add further layers of security onto business critical functions such as messaging and web-sessions.

The nature of a single security solution being universal to the entire Internet would require formal implementation and standardization of “Insecure Provably secure network coding”[WY]ix and “Perfectly Secure Message Transmission”[WY]x and “Secure communication in multi-cast channels”[WY]xi, once ratified these methods in conjunction with the existing methods in IP v6 would become a perfectly secure universal communications standard at the Nework Layer. There still lie issues with Identity management, this is an NP-Hard problem as the “Chinese delivery room” is still within the bounds of consideration for Identity when a computer is bieng used by a human; basically regardless of the level of effort every authentication system given enough time, effort and resources can be compromised in some way; allowing an attacker to impersonate or abuse another's identity and on-line addresses.

The issues that surround network security are around the enforcement of Law with respect to the source of most intrusions; since the Internet is global in nature failed states and states that do not maintain anti-fraud or computer abuse laws pose a threat to those that do; as the industrialized nations have no recourse outside of the communications network to peruse damages. Therefore it behooves us to ensure that the triumvirate of the Confidentiality, Integrity and Authenticity of all network communications are maintained for all authorized communications with respect to all parties engaging in business or research on line; this is one of the main reasons behind the development of the “Internet 2”; since Internet 1 has issues with both security and abuse.
i[IETF] Hoffman, P; (IETF, Network Working Group, 2005) Cryptographic Suites for IPSec [Online] World Wide Web, available from: http://tools.ietf.org/html/rfc4308 (Accessed on June 14th 2011)
ii[W3C] Bray, Tim; Paoli, Jean; Spearberg-Mcqueen C. M.; Maler, Eve; Yergeau, Francois (W3C, 26th November 2008) Extensible Markup Language (XML) 1.0 (Fifth Edition) [Online] World Wide Web, Available from: http://www.w3.org/TR/2008/REC-xml-20081126/ (Accessed on June 14th 2011)
iii[IETF] Blake-Wilson, S; Karlinger, G; Kobayashi, T.; Wang, Y.; (IETF, UNCC, NTT, CIO Austria, BCI, April 2005) Using the Elliptic Curve Signature Algorithm (ECDSA) for XML Digital Signatures [Online] Availble from: http://www.ietf.org/rfc/rfc4050 (Accessed on June 14th 2011)
iv[RSA]Kaliski Burton S Jr. Ph.D; Kingdon, Kevin W.; (RSA, May 13th 1997) Extensions and Revisions to PKCS #7 [Online] PDF Document, Available from: http://www.rsa.com/rsalabs/node.asp?id=2129 (Accessed on June 14th 2011)
v[IETF] Ramsdell, B; (IETF, Sendmail Inc. July 2004) Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.1 Message Specification [Online] World Wide Web, Available from: http://tools.ietf.org/html/rfc3851 (Accessed on June 14th 2011)
vi[IETF] Dierks, T; Rescorla, E. (IETF, RFTM, August 2008) The Transport Layer Security (TLS) Protocol Version 1.2 [Online] World Wide Web, Available from: http://tools.ietf.org/html/rfc5246 (Accessed on June 14h 2011)
vii[IETF] Deering, S; Hinden, R (IETF, Cisco, Nokia, December 1998) Internet Protocol, Version 6 (IPv6) Specification [Online] World Wide Web, Available from: http://tools.ietf.org/html/rfc2460 (Accessed on June 14th 2011)
viii [VD] Vogel, Dennis; Grossetete Patrick (Cisco, North American IP v 6 summit, 2003) IP v 6 Security Considerations [Online] PDF Docment, Available from: http://www.cuba.ipv6tf.org/pdf/na_ipv6_summit.pdf (Accessed on June 14th 2011)
ix[WY] Wang, Yonnge; (UNCC, November 23rd 2010) Insecure “Provably Secure Network” and Homorphic Authentication Schemes for Network Coding [Online] PDF Document, Available from: http://coitweb.uncc.edu/~yonwang/ (Accessed on June 14th 2011)
x[WY] Wang, Yonnge; Desmedt, Yvo;(UNCC, November 23rd 2010) Perfectly Secure Message Transmission Revisited. [Online] PDF Document, Available from: http://coitweb.uncc.edu/~yonwang/ (Accessed on June 14th 2011)
xi[WY] Wang, Yonnge; (IEEE Transaction on Information Theory 54(6):2582—2595, June 2008) Secure communication in multi-cast channels [Online] PDF Document, Available from: http://coitweb.uncc.edu/~yonwang/ (Accessed on June 14th 2011)

No comments:

Post a Comment