Lehrstuhl für Netzarchitekturen und Netzdienste
Institut für Informatik
Technische Universität München
Authenticated addressing in networks
Supervisors TUM: Marc-Oliver Pahl, Heiko Niedermayer, Andreas Müller, Holger Kinkelin
Diploma thesis semifinal presentation
Blaž Primc, University of Ljubljana
Diploma thesis: Authenticated addressing in networks | Oct ’08 – Feb ’09 | Blaž Primc, University of Ljubljana
Presentation overview
Motivation
• Goals
Diploma thesis
• Concepts
  – Home network
  – Identities
  – Addressing
• Tasks
  – Task 1
  – Task 2
  – Task 3
  – Task 4
Outlook
Goals
Authone project
• Autonomous functionality inside (home) networks
• Prerequisites
  – Network entity addressing
  – Network entity identification
Diploma thesis goal: provide the Authone framework with capabilities for
• Network entity addressing
• Network entity identification
Home network
Network entities
• Users
• Devices
• Home gateway
Identities
Identity is...
• based on public key cryptography
• signed by an issuing special node
Special node(s) (e.g. home gateway)
• Issues identities
• Each network entity must be registered
• Provides lookup service
Addressing
EntityID is...
• hash over the entity’s public key
Authone address...
• consists of entityIDs
• entityID.homeID.authone
  – is bound to an identity
  – supports inter-home addressing
Lookup service
• Translates an Authone address to an IP address
• Provided by special node(s) (e.g. home gateway)
Example (BobPDA in Home B):
BobPDAID = hash(pubkeyBobPDA)
HomeBID = hash(pubkeyHomeB)
Authone address = BobPDAID.HomeBID.authone
[Figure: identity, entityID and IP address of BobPDA in Home B]
Presentation overview
Motivation
• Goals
Diploma thesis
• Concepts
  – Home network
  – Identities
  – Addressing
• Tasks
  – Task 1: entity registration
  – Task 2: address lookup inside home network
  – Task 3: establish trust relationship between homes
  – Task 4: address lookup outside home network
Outlook
Task 1: entity registration
Goal: register a new device at the home network
Procedure
User
• Fills in the new device registration request details
Unregistered device
• Sends the registration request details to the home gateway
Home gateway
• Creates identity
• Updates DNS records
• Sends identity to the new device
Task 1: entity registration
Goal: register a new device at the home network
Afterwards we can
• Address the new device using its Authone address
• Identify the new device
[Figure: BobLaptop, the unregistered device, registering at the home gateway]
Task 2: address lookup inside home network
Goal: resolve an Authone address to an IP address
Procedure
Registered device
• Sends DNS query to home gateway
Special node (e.g. home gateway)
• Local DNS answers
Example, logged on BobLaptop at Home B:
$ dig @HomeB BobPDA.authone
[Figure: BobLaptop sends a DNS query to the home gateway and receives the DNS response for BobPDA]
Task 3: establish trust relationship between homes
Goal: securely exchange identities between homes
Challenges
• No pre-established security context
• Secure exchange of information over wireless
Procedure
• Authenticated Diffie-Hellman key exchange
• Identity exchange and verification
[Figure: Device A (Home A) and Device B (Home B) exchanging identities between the two homes]
Task 3: establish trust relationship between homes
Goal: securely exchange identities between homes
Procedure: Authenticated Diffie-Hellman key exchange
Device A and Device B perform a DH key exchange and hash the DH secret key
• Device A displays the 1st part of the hash (ABCD)
• Device B displays the 2nd part of the hash (EFGH)
User A and User B verbally exchange the hashes and enter them into the devices
• User A enters the 2nd part of the hash into Device A (EFGH)
• User B enters the 1st part of the hash into Device B (ABCD)
Device A and Device B verify whether the input matches the calculated hash
[Figure: DH key exchange between Home A and Home B; ABCD and EFGH exchanged verbally; both devices report OK]
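The split-hash check above, as an added example that is not part of the thesis or of the Authone code: X25519 from Go's crypto/ecdh stands in for the slide's DH group, the short string is the first 4 bytes of SHA-256 over the shared secret, and the fixed seeds, truncation length and function names are assumptions.

```go
package main

import (
	"crypto/ecdh"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Device is one party of the exchange. X25519 from crypto/ecdh stands in for
// the slide's DH group (an assumption; the check itself is group-independent).
type Device struct{ priv *ecdh.PrivateKey }

// NewDevice builds a device from a fixed 32-byte seed so runs are repeatable;
// a real device would use ecdh.X25519().GenerateKey(rand.Reader).
func NewDevice(seed []byte) (*Device, error) {
	priv, err := ecdh.X25519().NewPrivateKey(seed)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// Public is the DH value the device sends over the (untrusted) wireless link.
func (d *Device) Public() []byte { return d.priv.PublicKey().Bytes() }

// SAS hashes the DH secret and keeps 8 upper-case hex characters: the slide's
// "ABCD" (first part) and "EFGH" (second part). Truncation length is assumed.
func (d *Device) SAS(peerPub []byte) (string, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return "", err
	}
	secret, err := d.priv.ECDH(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(secret)
	return strings.ToUpper(hex.EncodeToString(sum[:4])), nil
}

// Halves splits the SAS into the part Device A shows and the part Device B shows.
func Halves(sas string) (shownByA, shownByB string) { return sas[:4], sas[4:] }

// Each user types in the half read out by the other side; the device compares
// it with the half of its own SAS it did not display. A relayed exchange gives
// the two devices different secrets, so the comparison fails (up to the 2^-16
// chance per half that the truncated hashes happen to collide).
func DeviceAAccepts(sasA, typedFromB string) bool { return strings.EqualFold(sasA[4:], typedFromB) }
func DeviceBAccepts(sasB, typedFromA string) bool { return strings.EqualFold(sasB[:4], typedFromA) }
```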
Task 3: establish trust relationship between homes
Goal: securely exchange identities between homes
Procedure: identity exchange and verification
Device A
• Sends the Home A and Device A identities
Device B
• Validates the presented identities
• Sends a challenge to Device A
Device A
• Responds to the challenge
Device B
• Verifies the response and stores the identities
[Figure: Device A sends the Home A and Device A identities to Device B; challenge and response follow]
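The identity of slide 8 (entityID = hash over the public key, signed by the issuing gateway), the gateway's issuing step of Task 1 and Device B's validation plus challenge-response above, as one added example that is not the thesis's own code: Ed25519 is assumed for all keys, and the identity fields, the signed encoding and the 16-hex-character entityID truncation are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Identity as the slides define it: an entityID that is the hash over the entity's
// public key, bound to a home and signed by the issuing gateway (layout assumed).
type Identity struct {
	EntityID string
	HomeID   string
	PubKey   ed25519.PublicKey
	Sig      []byte // gateway signature over EntityID, HomeID and PubKey
}

// EntityID = hash(public key), truncated to 16 hex characters (assumption).
func EntityID(pub ed25519.PublicKey) string { s := sha256.Sum256(pub); return hex.EncodeToString(s[:8]) }

// toBeSigned is the assumed encoding of the fields the gateway signs.
func toBeSigned(e, h string, pub ed25519.PublicKey) []byte { return []byte(e + "|" + h + "|" + hex.EncodeToString(pub)) }

// IssueIdentity is the gateway's step in Task 1; a gateway signs its own home
// identity the same way, with HomeID equal to its own entityID.
func IssueIdentity(gwPriv ed25519.PrivateKey, homeID string, pub ed25519.PublicKey) Identity {
	eid := EntityID(pub)
	return Identity{eid, homeID, pub, ed25519.Sign(gwPriv, toBeSigned(eid, homeID, pub))}
}

// ValidateIdentity checks the entityID binding and the issuer's signature.
func ValidateIdentity(issuerPub ed25519.PublicKey, id Identity) bool {
	return EntityID(id.PubKey) == id.EntityID &&
		ed25519.Verify(issuerPub, toBeSigned(id.EntityID, id.HomeID, id.PubKey), id.Sig)
}

// VerifyPresented is Device B's check in Task 3: the home identity must be
// self-signed and consistent, and the device identity issued by that home.
func VerifyPresented(home, dev Identity) bool {
	return home.HomeID == home.EntityID && ValidateIdentity(home.PubKey, home) &&
		dev.HomeID == home.EntityID && ValidateIdentity(home.PubKey, dev)
}

// Challenge-response: B sends a fresh nonce, A signs it with the private key
// behind its identity, and B verifies with the public key it just validated.
func NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }
func Respond(devPriv ed25519.PrivateKey, c []byte) []byte { return ed25519.Sign(devPriv, c) }
func VerifyResponse(dev Identity, c, resp []byte) bool { return ed25519.Verify(dev.PubKey, c, resp) }
```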
Task 4: address lookup outside home network
Goal: resolve a foreign home’s Authone address to an IP address
Challenge: how do we contact Home B from Home A?
Example, logged on AlicePDA at Home A:
$ dig @HomeA BobPDA.HomeB.authone
[Figure: Home A and Home B separated by the Internet, with no known path between them]
Task 4: address lookup outside home network
Goal: resolve a foreign home’s Authone address to an IP address
Solution: Distributed Hash Table (DHT)
• Overlay network
• Provides a lookup service similar to a hash table (key, value)
• Key-based addressing of DHT nodes
Put all home gateways in one DHT
• HomeID is the home gateway’s address in the DHT
• Homes with a trust relationship can find and securely communicate with one another
  – Possession of the public key: we can generate the entityID, thus we can address the home gateway in the DHT
entityID = hash(public_key)
[Figure: identity of a home gateway, with its entityID derived from its public key]
Task 4: address lookup outside home network
Goal: resolve a foreign home’s Authone address to an IP address
Example, logged on AlicePDA at Home A:
$ dig @HomeA BobPDA.HomeB.authone
Message flow (AlicePDA, Home A gateway, DHT, Home B gateway, BobPDA):
• DNS query: AlicePDA asks Home A for BobPDA.HomeB.authone
• DHT query: Home A asks the DHT, “Home B, tell me your IP and port”
• DHT reply: Home B answers with its IP and port
• DNS query: Home A forwards Device A’s DNS query to Home B
• DNS reply: Home B answers the DNS query
• Forwarded DNS reply: Home A returns the answer to AlicePDA
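The resolver path of Task 2 (local answer) and Task 4 (DHT lookup, then forwarding) as one added example, not the thesis's own code: an in-memory map stands in for the DHT overlay, and the Gateway fields, the trust list and the HomeID truncation are assumptions. It goes one step beyond the slide by applying the "possession of the public key" rule as a check: the node found in the DHT is accepted only if its public key hashes to the HomeID that was looked up.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// HomeID: hash over the gateway's public key, the same rule as an entityID (16 hex chars assumed).
func HomeID(pub []byte) string { s := sha256.Sum256(pub); return hex.EncodeToString(s[:8]) }

// ParseAddress splits the canonical form "entityID.homeID.authone".
func ParseAddress(addr string) (entityID, homeID string, err error) {
	l := strings.Split(strings.ToLower(addr), ".")
	if len(l) != 3 || l[2] != "authone" {
		return "", "", errors.New("not an Authone address: " + addr)
	}
	return l[0], l[1], nil
}

// Gateway is one home gateway: local DNS records, homes trusted after Task 3, and a simulated DHT.
type Gateway struct {
	PubKey  []byte
	Local   map[string]string   // entityID -> IP address
	Trusted map[string]bool     // HomeIDs with an established trust relationship
	DHT     map[string]*Gateway // HomeID -> gateway node (a map stands in for the overlay)
}

// Resolve covers Task 2 (answer from local records) and Task 4 (look the home
// up in the DHT, then forward the query to that gateway, which answers locally).
func (g *Gateway) Resolve(addr string) (string, error) {
	eid, hid, err := ParseAddress(addr)
	if err != nil {
		return "", err
	}
	if hid == HomeID(g.PubKey) {
		if ip, ok := g.Local[eid]; ok {
			return ip, nil
		}
		return "", errors.New("unknown entity " + eid + " in this home")
	}
	if !g.Trusted[hid] {
		return "", errors.New("no trust relationship with home " + hid)
	}
	// A DHT reply is not authenticated by itself: accept only a node whose public key hashes to hid.
	peer, ok := g.DHT[hid]
	if !ok || HomeID(peer.PubKey) != hid {
		return "", errors.New("no verified DHT node for home " + hid)
	}
	return peer.Resolve(addr) // forwarded query; the peer matches its own HomeID
}
```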
Task 4: address lookup outside home network
Demo
Outlook
• Work still in progress
• Fundamental part of the Authone framework
The end
Thank You!