17.1 Inline Network Encryption for Multimedia Wireless LANs

INLINE NETWORK ENCRYPTION FOR MULTIMEDIA WIRELESS LANS

Aura Ganz*, Se Hyun Park*, and Zvi Ganz**

* Multimedia Wireless LAN Laboratory, ECE Department, University of Massachusetts, Amherst, MA 01003, {ganz,shpark}@Nikva.ecs.umass.edu
** AIM Engineering Inc., zvi@aime.com
case these
ABSTRACT
To secure
real-time
is pertinent
vices
in
uate
to implement
software
for
Layer
Service
wireless
Windows.
real
that
various
LANs
distributed
software
encryption
processing.
throughput
from
work,
ser-
algo-
LAN.
run
on
We present
the inline
such
of various
the
2 for
algorithms
as video
data
con-
bases and
show
encryptors
fective
delivery
that
provides
by the above applications.
of these
In
1997 the
Wireless
was approved
dio
with
trum
employ
Wireless
Local
driven
as:
by
communication
consider
(SS)
radio
is very costly
Savings
without
need
the
installation
In these
process
to
Wireless
buildings
the
e.g.,
users
will
and
of exist-
or temporary,
admission
in front
to
3)
in hospi-
of the patient
the
in which
focus
require
on data
database
desk,
cost
effects
characteristics
4)
LAN
applications
the security
(DS)
SS and frequency
multimedia
like
applica-
videoconferencing.
of transmission
The
security
aspects
[11].
know
paging
guaranteed
service,
e.g.
of secure
through-
the
This
the
conferencing)
and
time
delay
variation,
for
system
services
provide
source
authors
security
direct
sequence
a chip
have
concluded
mechanism
the initial
spreading
intrusion
the
duration.
will
not
of multimedia
a more
interactive
strict
code like the
same
unde-
importance
applications
challenging
task.
applications
(e.g.
Quality
of throughput)
be
and implementation is of seminal
is even
the
area can
can be virtually
the design
been
that
in the same service
on the
and
The
SS distribute
of SS communication
with
(in terms
security
will
scarce
of Service
compete
network
rewith
and
resources.
data
rates
only
a number
Table
delay
information
is due to the fact that
we will
Spectrum
are also advantageous
since both
integration
services
Spec-
transmission.
(,FH)
communicant
Moreover,
The work was supported in part by NSF under contract number CISE-CDA-9529462.
time
this
networks.
tively
maximum
and
paper
by another
hopping
The
[10]
and Ra-
techniques
jamming
[1], [3]. Therefore,
in wireless
In
put,
or detect
code
tectable
tion
only
802.11
Spread
of multi-path
Active intruders
Since the current
These
ef-
be severely
Spread
In this
spectrum
standpoint,
bits
video
Future
and
Infrared
or
employ
of SS modulation
from
easily
which
to intentional
with security
of running
transactions.
need to support
teleconferencing,
applications
2) Extension
IEEE
layers,
techniques.
Spread
degrading
quirements
transfers
LANs
him
such
in which
etc.
examples
file
move
are
events
patients
is done
markets
or scenarios
temporary
be permanent
e.g.,
in old
is high,
email,
may
in terminals.
the
cables
for
or impossible,
which
tals in which
tions,
of applications
installation
ing networks
(WLAN)
quality
standard,
Narrowband
WLANS
techniques.
sufficient.
Networks
a number
1) LAN
wiring
Area
the
will
physical
either
use of SS as the
INTRODUCTION
met,
applications
LAN
for both
investigated in
I.
are not
degraded.
resistance
encryptors
measurements
as required
in
WinSock
distributed
Our
implementation
enough
by
it
we eval-
are implemented
applications
collaborative
paper
encryption
of the wireless
multimedia
ferencing,
this
as defined
requirements
LANs
cryptographic
In
that
evaluated
is part
the throughput
time
based inline
Provider
The
each PC
in wireless
or hardware.
the use of software
rithms
for
communication
guarantees
low
ferencing,
Wireless
of up
LAN
to 10 Mbps,
technology
the
of multimedia
requirements
text
http and
email,
the candidate
0-7803-4902-4/98/$10.00 (c) 1998 IEEE
can support
applications
bandwidth
1 shows
WLAN
can sustain
such
multimedia
applications
with
as video
relacon-
mail/notes.
with
their
re-
quired
throughput.
Inline
security
ofApplications
Types
plemented
service
either
in
crypts/decrypts
in
ted/received
tions
is defined
hardware
network
of NSA’S
cryptographic
boxes
communication
high
by a number
MISSI
security
these
multimedia
[6].
in a very
WLANS
due
low
used
in portable
mostly
In this
paper
inline
encryptors
to the
data
rates,
may
not
WLANS
devices,
Table
characteristics:
and
low
LAN,
run
3)
implementation
disadvantage
the computer
and
is that
system
implementation
based
It is important
flexible
upgrades.
by
impedes
the
the throughput
Wireless
and
different
each
using
service
provider,
are forwarded
we can
aware
of us●
penalties
encountered
by other
communication
use any
the
to the
the packets
are intercepted
using
by the
CryptoAPIs
application.
has
the
●
Of
off-the-shelf
do not
need
of the fact that
that
following
advan-
applications,
be modified
to
suitable
tion
and
network
to choose
made
techniques.
interface
a network
encryption
the
card,
interface
capability
either
or software
easy upgrade
course
need
i.e.,
we use encryption
incorporates
in hardware
in
protocol
by
provided,
is sent down
are decrypted
architecture
we do not
card
by a packet
is generated
and
we can use any off-the-shelf
i.e.,
this deter-
We also con-
1).
At the destination
to the
be-
tages:
for two computer
loads.
resides
Layer service
application
in
and the lower-level
that
CryptoAPIs
layer
functions
[7] that
2 DLL
at the
protocol.
proposed
Provider
packet
algorithms
service
(see Figure
is intercepted
to this
●
we have implemented
is obtained
source,
encryption
crypto
Service
belong
The
as
WinSock
that
of a number
delay
of the encryption
the
proposed
for very
high
speed
may
hinder
throughput
algorithms
implementation
networks
the
may
since
use of the
not
be
the encryphigh
speed
channel.
layers.
measurements
of various
show
encryptors
by the above
paper
the
algorithms
and their
performance
the
conclusions
implementation
enough
III.
throughput
In the
software
next
section
architecture.
The
Encryption
In this
subsection
in software
perimental
is depicted
III.
(B...),
software
are provided
analysis
based
necessary
inline
in Section
Section
IV.
encryptors.
for
Throughput
Experimental
Re-
sults
we have implemented
in Section
EXPERIMENTS
as
A.
as follows.
the performance
proper
software
applications.
proposed
encryption
also provides
that
provides
is organized
we describe
choosing
for Multimedia
software
provider
is encrypted
encryption
To make
caused
The
the
by the ap-
in the system
III
At
and
is limited
is determined
which
throughput
2 Layered
the principal
applications
sider additional
The
[4]
base transport
and
hard-
the suitability
requirements.
configurations
than
intensive
encryptors
algorithms
The
is part
above
for
which
that
we have measured
of encryption
our
CryptoAPI
base transport
key cryptography.
to understand
throughput
required
[
IMPLEMENTATION
implemented
using
application
encryptors
listed
configuration
as public
software
inline
its performance
of computational
such
that
it is cheaper
more
based
2 for Windows.
characteristics
ware
Our
Applications
SOFTWARE
WinSock
in the Layer
on each PC
Software
for WLANS
The
system
MPEG video
Candidate
II.
We
cost,
4) a distributed
by WinSock
advantages:
software.
1.
be the best
are implemented
has the additional
mination
64kbps
128kbps - 1Mbps
1.54Mbps
LANs
shared
the use of software
which
algorithms
wireless
are suitable
plication
(
tween
as defined
evaluated
ing inline
audio
high-speed
of Mbps).
2) relatively
we investigate
Provider
algorithms
Applications
video conferencing
environment.
of the
< 103kbps
notes
Multimedia
telephone-quality
These
are usually
hardware
1) relatively
Service
Interactive
TACLANE
hundreds
boxes
applica-
the very high
and
family)
or
en-
transmit-
of computers.
choice
The
(tens
cost,
cryptography
mobile
into
are a necessity
Dedicated
for
FASTLANE
network
to their
plugged
e.g.,
I ~a
im-
that
packet
Some military
boxes
lines,
software
every
by the application.
(members
Due
or
real-time
use cryptography
speed
as a mechanism,
we provide
results,
we have
in terms
obtained
a description
of encryption
for
a number
of the
ex-
throughput
of encryption
algorithms.
To obtain
the encryption
computer
configurations:
throughput
we have used two
1) configuration
M 1:
Pen-
Table 2. Bulk Encryption Algorithms Measured Throughput: encryption (Enc) and decryption (Dec) throughput of RC2, RC4 and RSA on configurations M1 and M2, together with the available resources (memory and CPU %) during each measurement; the cell values are not legible in this copy.
M1: Pentium MMX 166MHz, 16M Main Memory, 512K L2 Cache, Windows 95
M2: Pentium Pro 200MHz, 32M Main Memory, 256K Internal L2 Cache, Windows NT
Enc: Encryption
Dec: Decryption
Figure 1. Software Inline Secure Layered Service Provider (ISLSP) Architecture (diagram labels: Standard WinSock 2.0 DLL, Windows, Network Card, Multimedia)
1) the
put,
applications.
wireless
166MHz,
and
Windows
95),
Pro
200MHz,
32M
cache and
We
16M main
and
have
encryption
RC2
(block
in
cipher),
and
We have
also integrated
other
symmetric
in the
and
RSA
processed
per second.
from
main
These
encryption
From
tools
2 we observe
encryption
the encryption
In
en-
use the
same
key.
much
slower
algorithms
the
number
main
of throughput
almost
and decryption
such as RSA
petition
on
WLAN.
Therefore,
Multimedia
Wireless
this
based
subsection
inline
for
WLANS
we
process
●
In
is in
●
for
time
support
effective
(bps),
i.e.,
and
com-
nodes
in
bandwidth
the WLAN
data
the
can be
rate.
by the application
(bps).
at the source(bps)
mul-
overhead
time
a packet
ical
layer,
and
transport
TDOH
at
in all
data
the
destination
layer,
layer).
This
delay
protocol
the time
overhead
spent
time
and
layers
driver,
to
(physnetwork
also includes
any
layers.
by a packet
includes
its
at the
required
:protocol
in these
This
time
device
delays
a packet
the
time
queueing
at the
required
delay
all the
layers.
B_S the maximum
source
rate at which
interface
a packet
rate
to the
ways a packet
bandwidth
the source
card,
available
● B_D the maximum
data
by a packet
the
the
link
to process
imum
spent
includes
destination.
protocol
use of software
that
en-
by other
noise
other
throughput
This
maximum
the
from
this
less than
the
source.
queueing
LANs
we investigate
encryption
Encryption
incurred
channel
channel
decryption
● T_SOH
ways
Inline
the
encryption
network
of Software
and
section),
bandwidth
the
throughput
in
throughput.
Suitability
effective
account
requested
throughput
algorithms.
into
B.n.
on output
the bottleneck
LAN
we take
B_app bandwidth
for each bulk
identical
size (bits)
●
of
95/NT,
configuration
notations:
●
Ml
determinants
of Windows
packet
B_W wireless
in
resources
2. Based
of
that
(bps)
reported
Available
the following
●
● B_enc
of bytes
configurations
in terms
in the previous
overhead
with
D data
encryption
as through-
throughput
computer
(as shown
processing
significantly
than
consideration
such
layers.
●
key algorithm
measurements
for Table
the range
key algorithms
algorithms
protocol
algorithm.
of symmetric
B.
both
as the
are the
management
Table
public
that
encryption
loads.
memory
have determined
CryptoAPI:
are
imply
for two computer
the experiments
system
of
which
We measured
and M2 as well as different
and
number
cipher)
data
is defined
2 were taken
a
[5] public
above
layer.
which
CPU
and 4) additional
L2
.
the
throughput
choosing
Pentium
internal
by
operations
decrypts
all
application
Table
(stream
algorithms
tested
ISLSP
which
decryption
encrypts
M2:
256K
provided
RC4
crypt ion
have
our
algorithms
which
cryption
We proceed
algorithms
symmetric-key
L2 cache
ion
memory,
into
QoS requirements
by the
512K
NT.
integrated
bulk
We
2) configurate
main
Windows
memory,
take
3) encryption/decryption
is determined
MMX
will
characteristics
2) the applications’
throughput,
tium
We
LAN
assuming
at which
available
that
to be sent from
destination
application,
(bps),
the
the max-
PC sends data
bandwidth
destination
assuming
that
to the
there
is al-
the source.
(bps),
the
PC
sends
there
is al-
to be sent to the destination
Distance
Figure 2. Application-to-Application Packet Journey (diagram: Source, Wireless Channel, Destination; TCP/IP; Data Link; NIC: Network Interface Card)
from
Application-to-Application
the
(A)
. the decryption
delay
(&)
To
2 depicts
using
sustain
the
Packet
end-to-end
with
bandwidth
packet
size D,
min(B_S,
now
widths,
compute
BD
the
B_S and B_D,
We compute
the
and destination
in all
source
PC.
required
by
an
there
spent
Since
one
layer
and
that
layers
and
a packet
DD
destination
band-
of the protocols’
at the source
CPU
(worst
(1)
over-
throughput.
by a packet
algorithms
is always
application
at the
source
and at the des-
handles
the
including
In
this
case we can
assuming
case computation)
loads,
from
BdeC
(2) and
equations
=
z&”
deci-
software
encryption
with
TSOH
use this inline
software
encryptor
(Fig-
For example:
for a videoconferencing
wireless
bandwidth
LAN
= 510 μsec, the inline
TSOH
of 1 Mbps,
D = 64Bytes,
and
throughput
B_enc
encryptor
256 Mbps.
Equation
bandwidth,
session
of 2 Mbps,
(6) and
assuming
(7) the
maximum
B_W > B_app,
application
is given by:
B~pz
the
(2)
(3)
example:
of 4 Mbps,
64Bytes,
sustain
(3) we obtain:
&_+
following
Bapp, and
(4)
> B_app
value
for
an inline
wireless
and
TSoH
applications
For given
Bs
the
we obtain:
+ TDOH
1
with
ure 3).
For
DD
—=—
BD
up
the use of inline
If B ~nc ~ Bg~
Using
encryp-
high
for transmission
Given:
come
B_enc:
has to be at least
protocols
the
– —
-t TSOH
– BenC
~
Using
Encryptor
(7)
sion regarding
app
and decryption
communication
tion/decryption
i.e.,
2
as a function
time
we have
the
Security
packet
B_app we require:
, &J)
head and of the encryption
tination
Zone of Inline
notations.
throughput
We
3.
Journey
application-to-application
the above
the
application
Encryptor
(6)
delay
Figure
Software
network.
. the encryption
journey
Figure 4. B_enc as a function of B_app and D for various values of T_SOH (axis label: Encryption/Decryption Throughput (bps))
values
of TSOH,
the required
LAN
=
encryptor
1 msec,
the
of at most
denoted
bandwidth
of 2 Mbps,
inline
encryptor
D
=
can
454 Kbps.
of B_W, B_app, B_enc,
application
with
bandwidth
by T_SOH
bandwidth
and D, the maximum
that
will
still
is given
provide
by:
emc
1
BD
The
minimal
sustain
tem
the
=
1
, TDOE
Bale= ‘
D
encryption
application
parameters
is given
and
decryption
bandwidth
by
(5)
> B_app
with
throughput
the
given
(9)
to
Figure
sys-
values
tion
Figure 4 shows B_enc as a function of B_app and D for various values of T_SOH. Figure 5 shows T_SOH as a function of B_app and D for various values of B_enc. We observe:
The next step is to test the encryption algorithm in a multimedia testbed.
References

[1] S.H. Park, A. Ganz, and Z. Ganz, "Security Protocol for IEEE 802.11 Wireless Local Area Networks," to appear in ACM Mobile Networks Journal, Special Issue on Wireless Local Area Networks.
[2] A. Ganz, D. Awduche, A. Phonphoem, J. Euh, I. Kim, Z. Ganz, E. Haslett, and S.H. Park, "Multimedia Wireless LAN Prototype," Third Telecommunication R&D Conference, Massachusetts, Lowell, MA, Nov. 1997.
[3] A. Aziz and W. Diffie, "Privacy and Authentication for Wireless Local Area Networks," IEEE Personal Communications, First Quarter, 1994, pp. 25-31.
[4] Microsoft, "Windows Sockets 2 Service Provider Interface," Revision 2.2.2, Aug. 7, 1997.
[5] R.L. Rivest, A. Shamir, and L.M. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Communications of the ACM, v. 21, n. 2, Feb. 1978, pp. 120-126.
[6] G.N. Cohen, C.M. Kubic, and B. Kamenel, "Security for Integrated IP-ATM/Tactical-Strategic Networks," MILCOM 96 Proceedings, McLean, Virginia, Oct. 1996, pp. 456-460.
[7] Microsoft, "CryptoAPI: Cryptography Application Programming Interface," Version 2.0, 1997.
[8] J. Banes, "Internet Security Product ...," Microsoft Corporation, Version 0.7, Nov. 1996 (entry partly illegible in this copy).
[9] Intel, "Common Data Security Architecture Specification," Draft Release 1.2, Mar. 1997.
[10] IEEE, Draft Standard for Wireless LAN, IEEE P802.11, 1997.
[11] H. Imai, "Information Security Aspects of Spread Spectrum Systems," Proceedings of the Advances in Cryptography, ASIACRYPT '94, 1994, pp. 195-208.
Figure 5. T_SOH versus B_enc for D = 256 Bytes (axis label: Encryption/Decryption Bandwidth (bps))
● For increased B_enc, T_SOH increases: as the time spent for encryption decreases, the remaining time for overhead increases.
● As the application bandwidth B_app increases, T_SOH decreases, since less time can be spent on the computer.
IV. SUMMARY

In this paper we have investigated the use of software based inline encryptors for multimedia WLANs. We have integrated a number of popular encryption algorithms and measured their throughput for two computer configurations and different system loads. To determine the suitability of software based inline encryption for multimedia applications, we have considered the multimedia application requested bandwidth, the packet size, the time overhead per packet for communication protocols processing, and the WLAN data rate. In cooperation with AIM Engineering Inc., the Multimedia Wireless LAN Laboratory at University of Massachusetts Amherst is developing a multimedia WLAN prototype [2] that will support these applications.