ISBN: (print) 9783031444685; 9783031444692
We propose an efficient identity-based authenticated-key exchange (IB-AKE) protocol that is equipped with scalable key revocation. Our protocol builds upon the most efficient identity-based Diffie-Hellman key exchange (without revocation mechanisms) presented by Fiore and Gennaro at CT-RSA 2010, which can be constructed from pairing-free groups. Key revocation is essential for IB-AKE protocols in long-term practical operation. Our key revocation mechanism allows the key exchange protocol to remain comparable to the original Fiore-Gennaro identity-based key exchange, unlike other revocable schemes that require major (inefficient) modifications to their original IB-AKE protocols. Moreover, our revocation mechanism is scalable, in the sense that its computational cost is logarithmic, rather than linear, in the number of users. We provide a security proof in the identity-based extended Canetti-Krawczyk security model that is further extended in order to incorporate key revocation. The security of our scheme reduces to the well-established strong Diffie-Hellman assumption. For this proof, we devise a multi-forking lemma, an extended version of the general forking lemma.
ISBN: (print) 9781509048403
The vulnerabilities existing in network protocol implementations are difficult to detect. The main reason is that the state space of complex protocol binary software is too large to explore. This paper proposes a novel approach that leverages selective symbolic execution to test network protocol binary software directly, which confines symbolic execution in the secure-sensitive area. This paper also builds a prototype system, S2Eprotocol, upon the Selective Symbolic Execution (S2E) platform and uses it to test several real network protocol binary software. The evaluation results show that the proposed method can be used to find vulnerabilities efficiently and effectively.
ISBN: (print) 9781479951031
A parser's job is to take unstructured, opaque data and convert it to a structured, semantically meaningful format. As such, parsers often operate at the border between untrusted data sources (e.g., the Internet) and the soft, chewy center of computer systems, where performance and security are paramount. A firewall, for instance, is precisely a trust-creating parser for Internet protocols, permitting valid packets to pass through and dropping or actively rejecting malformed packets. Despite the prevalence of finite state machines (FSMs) in both protocol specifications and protocol implementations, they have gained little traction in parser code for such protocols. Typical reasons for avoiding the FSM computation model claim poor performance, poor scalability, poor expressibility, and difficult or time-consuming programming. In this research report, we present our motivations for and designs of finite state machines to parse a variety of existing Internet protocols, both binary and ASCII. Our hand-written parsers explicitly optimize around L1 cache hit latency, branch misprediction penalty, and program-wide memory overhead to achieve aggressive performance and scalability targets. Our work demonstrates that such parsers are, contrary to popular belief, sufficiently expressive for meaningful protocols, sufficiently performant for high-throughput applications, and sufficiently simple to construct and maintain. We hope that, in light of other research demonstrating the security benefits of such parsers over more complex, Turing-complete codes, our work serves as evidence that certain "practical" reasons for avoiding FSM-based parsers are invalid.
The performance of timer algorithms is crucial to many network protocol implementations that use timers for failure recovery and rate control. Conventional algorithms to implement an Operating System timer module take O(n) time to start or maintain a timer, where n is the number of outstanding timers: this is expensive for large n. This paper shows that by using a circular buffer or timing wheel, it takes O(1) time to start, stop, and maintain timers within the range of the wheel. Two extensions for larger values of the interval are described. In the first, the timer interval is hashed into a slot on the timing wheel. In the second, a hierarchy of timing wheels with different granularities is used to span a greater range of intervals. The performance of these two schemes and various implementation tradeoffs are discussed. We have used one of our schemes to replace the current BSD UNIX callout and timer facilities. Our new implementation can support thousands of outstanding timers without much overhead. Our timer schemes have also been implemented in other operating systems and network protocol packages.
We took a public domain implementation of the TCP/IP protocol stack and ported it into user space. The user space implementation was then optimized by a one-to-one mapping of transport connections onto ATM connections and a packet filter. We describe the user space implementation and compare its latency and throughput performance with the existing kernel implementation.
This paper discusses semi-automatic implementation of communication protocols in the Reference Model of the International Organization for Standardization (ISO) for Open Systems Interconnection (OSI). The semi-automatic code generation techniques produce high-level language code (C, Pascal, etc.) from formal descriptions or protocol specifications. A survey is given of different approaches to semi-automatic code generation. As an example, we present a protocol in the ISO protocol specification technique Estelle. We show the code generated by the Estelle Development System (EDS) and sample output from the generated implementation.