Securing Information Transmission by Redundancy

advertisement

1

Securing Information Transmission by

Redundancy

Jun Li Peter Reiher Gerald Popek

Computer Science Department

UCLA

NISS Conference

October 21, 1999

2

Outline

• Interruption threats are hard to counter

• Redundant transmission makes interruptions harder

• But redundant transmission is not as easy as using redundancy in other areas

• Sample uses

• Conclusion

Interruption Threats

3

Source Destination

An interruption attack occurs

Result?

No data flows to the destination

4

Problem

• Many kinds of interruption threats

– Corrupted routers drop packets

– Transmitting over packets on shared media

– Congesting links or routers

• Conventional approaches won’t help

– Encrypted/signed message can still be interrupted

• Acknowledgement won’t help either

– The acknowledgement itself is subject to interruption

– Retransmission means possibly failing again

• So?

5

Using Redundancy

To Counter Interruptions

• Don’t use a single path

– Any point on the single path is a point of failure receiver

• Use redundancy to secure transmission

– Only parallel redundancy considered here

• A node is expected to receive multiple copies of one message

• Successful if at least one copy is authentically received

• Redundancy has been widely used in other areas

– High availability storage

– Replicated execution

– And many others

A Simple Example

Source

Normal delivery uses a default path

How does redundant deliver help?

6

What if a router is corrupted?

Destination

The redundant copy gets through despite a bad router

7 sender

But . . .

• Redundant transmission is tough

– Discovering disjoint paths is difficult

• Routing is transparent to applications

– Using disjoint paths is difficult

– They may not exist at all

• Can try to be as disjoint as possible nevertheless

– An attacker has to find a choke point or break multiple points

• Scale can also cause big problems

• And what about costs of sending multiple copies?

receiver

8

Sample Uses of Redundancy

• Revere

– Secure delivery of security updates

• General purpose redundant packet delivery service

– Redundancy for every network user?

9

Revere

- Goal: disseminate security updates to large number of machines

- Assume a trusted dissemination center

- Security updates

- Small size but critical information

- Examples:

- New virus signature

- New intrusion detection signature

- CRL (certificate revocation lists)

- Offending characteristics for a firewall to monitor

10

Revere Structure

- Acks/Nacks inappropriate

- Scaling, lack of complete trust, etc.

- Use redundancy to send multiple copies to each node

- Each node can also forward security updates to others

- A node can contact multiple repository nodes for missed updates

11

General Redundant Packet

Delivery Services

• How could we add a redundant packet delivery service to the Internet?

• What would be the best method of achieving redundancy?

– Know a lot about the network?

– Or rely on randomness and obscurity?

• What are the costs of doing so?

• How could it be easily deployable?

– Proxy-based solutions?

12

Conclusion

- Conventional security approaches and transmission primitives don’t adequately counter interruption threats

- Redundancy is a promising tool

- But effective use of redundancy is challenging

- Are there other problems that redundancy can solve?

- Does redundancy itself lead to new security threats?

13

Questions

- Contact information

- Peter Reiher: reiher@cs.ucla.edu

- Jun Li: lijun@cs.ucla.edu

- Gerald Popek: popek@cs.ucla.edu

Download