SlideShare a Scribd company logo

secure_mobile.ppt

Download as PPT, PDF
Sameer Ali
Sameer Ali

This document discusses security challenges in mobile networks and proposes solutions for fault-tolerant authentication. It introduces two schemes: 1) a virtual home agent scheme that uses a master home agent and backup home agents to provide uninterrupted service when failures occur. 2) A hierarchical authentication scheme that organizes home agents in a tree structure and assigns keys based on priority to select an alternative agent. It also discusses using clusters of front-end and back-end servers to scale authentication in a distributed manner. Future work involves quantifying priority factors and simulating the proposed approaches.

Internet
1 of 62
1 SECURITY IN MOBILE NETWORKS Bharat Bhargava CERIAS and Computer Sciences Departments Purdue University, W. Lafayette, IN 47907 bb@cs.purdue.edu Supported by CERIAS & NSF grants CCR-0001788 and CCR-9901712.
2 Mobile Computing Environment • Vulnerable to failures, intrusion, and eavesdropping. • Adhoc mobile systems has everything moving (hosts, base-stations, routers/agents, subnets, intranet). • Need survivability from intentional and unintentional attacks.
3 Research Ideas • Integrate ideas from Science and Engineering of security and fault-tolerance. Examples: • Need to provide access to information during failures  need to disallow access for unauthorized users. – Duplicate routers & functions, duplicate authentication functions, duplicate secrete session key database, secure database that provides public keys. – Auditing, logging, check-pointing, monitoring, intrusion detection, denial of service. • Adaptability: – Adapt to timing, duration, severity, type of attack. • Election Protocols – selection of back-up base station.
4 Deficiency in Mobile IPAuthentication • Authentication is through a home agent (HA). – If HA is out of service, mobile host will be homeless and not be able to communicate.
5 Deficiency in Mobile IP Key Management • Data packets are encrypted before sending, and decrypted after receiving. • Requires exchange of secret keys and public keys between sender and receiver. • Mobile IP does not provide multi-cast session key management. Manual distribution implies N(N–1)/2 pairs of keys. Does not scale well.
6 Research Questions • Difficulty in initial authentication. – How quickly a public key can be established without any prior knowledge between communicating parties? • Maintaining authentication. – The session key and its life-time have to be made available to all other base stations in case MH moves across cells. Further complicates the problem of key distribution. Note session key information is not completely replicated in the database of base stations. • Hierarchical authentication of mobile base stations. – Mobile base stations must authenticate one another. Need another centralized certificate authority. Both MH and base stations must trust the same security hierarchy.
7 • Key agility – Difficult to come up with a measure for how long the key can be retained. • Adaptive intrusion defection systems – Detect possible break-ins of base station and fire wall reconfigurations.
8 Fault Tolerant Authentication in Mobile Computing Bharat Bhargava Sarat Babu Kamisetty Sanjay Kumar Madria CERIAS and Computer Sciences Department Purdue University, W. Lafayette, IN 47907 bb@cs.purdue.edu
9 Objective • To provide uninterrupted secure service to the mobile hosts when base station moves or fails.
10 Research Focus • Fault-tolerant Authentication • Group Key Management • Adaptable, Re-configurable Software • Experiments
11 Mobile IP Entities • Mobile Host (MH) – which can change its point of attachment to the internet from one link to another. • Home Agent (HA) – router on MH’s home network which tunnels datagrams (packets of data) to MH when it is away from home. • Foreign Agent (FA) – router on MH’s visited network which provides routing services to the MH while registered.
12 Hardware Characteristics • Media – Wireless media are inherently less secure. • Low power and limited computing resource – motivation for making security an optional feature. • Bandwidth – typically orders of magnitude less than wired bandwidth (motivation for reducing the overhead of the security scheme).
13 System Characteristics • Autonomy – WAN, base stations and mobile hosts are governed by different entities. • Network Partitions – Authentication requires communication with the home agent, which could be across the globe. • Clock Synchronization – mobile hosts may travel across multiple time zones.
14 Application Characteristics • Location Privacy – protecting the identity of the communicating entities (ex: Military Networks) • Mobility – implies frequent upon handoffs • Secure Multicast – one transmitter and many listeners (ex: Classrooms)
15 Fundamental Security Services • Authentication – Provides assurance of a host’s identity. – Provides a means to counter masquerade and replay attacks. – Can be applied to several aspects of multicast (ex: registration process).
16 Fundamental Security Services • Integrity – Provides assurance that traffic is not altered during the transmission. – Lack of integrity services in IP can lead to spoofing attacks. – More crucial for applications involving key management than voice applications (easily detected).
17 Fundamental Security Services • Confidentiality – Provides assurance that only authorized entities can decode and read the data. – Typically, encryption is used to achieve this. – Encryption can be applied at several layers of the protocol stack (ex: inherent in RTP, ESP for IP datagrams).
18 Fundamental Security Services • Other Services • Non-repudiation – recipient can prove that sender did sent the message in case sender denies it. • Access Control – ensures that only authorized parties can access the resources.
19 Problem Description • To ensure security and theft of resources (like bandwidth), all the packets originating inside the network should be authenticated. • Typically, a Mobile Host sends a packet to its Home Agent along with the authentication information.
20 Problem Description (continued) • If the Authentication is successful, Home Agent forwards the packet. Otherwise, packet is dropped. Internet Authentication and Forwarding Services Mobile Node Home Agent
21 Disadvantages of Typical Setup • Home Agent becomes a single point of failure. • Home agent becomes an attractive spot for attackers. • Not scalable – large number of hosts overload the Home agent.
22 Research Goals • Eliminate the single point of failure. • Distribute the load and enhance scalability and survivability of the system. • Failures – transparent to applications. • Easy to implement, no manual setup.
23 Traditional Approaches • Using a Proxy Server (or Backup) that takes up the responsibilities of the Base Station Disadvantages • Manual updating of the routing tables of the hosts necessary. • Time consuming and hence smooth provision of service is not possible.
24 Traditional Approaches (continued) • Using a Second Base Station that forwards the packets to the actual Home Agent, using Mobile IP, which is now at a Foreign Network. Disadvantages • Communication Delays introduced makes this solution impractical. • Introduces additional security threats as the packets now traverse long paths through Internet.
25 Proxy-Based Solution Source Network Destination Network BS1 Arbitrary Network Arbitrary Network Foreign Network BS
26 Disadvantages • Introduces additional security threats. • Additional communication delays. • Not transparent to applications. • Manual set up – error prone.
27 Proposed Schemes • We propose two schemes to solve the problem. – Virtual Home Agent – Hierarchical Authentication • They differ in the architecture and the responsibilities that the Mobile Hosts and Base Stations (Agents) hold.
28 Authentication Using Virtual Home Agent Entities in the proposed scheme • Virtual Home Agent (VHA) is an abstract entity identified by a network address. • Master Home Agent (MHA) is the physical entity that carries out the responsibilities of the VHA.
29 Authentication Using Virtual Home Agent • Backup Home Agent (BHA) is the entity that backs up a VHA. When MHA fails, BHA having the highest priority becomes MHA. • Shared Secrets Database Server is the entity that manages and processes the queries on the secret database.
30 Virtual Home Agent Scheme VHA ID = IPADDRI Master Home Agent (MHA) Database Server Shared Secrets Database Backup Home Agents Other hosts in the network
31 Protocol Description • All the MHAs and BHAs join a pre- configured multicast group. • MHA and each BHA is assigned a priority that indicates its preference to become a MHA, when the current MHA fails. • MHA has the highest priority at any given point of time
32 Protocol Description • Periodically, MHA sends an advertisement packet to the configured multicast group. • Purpose of this advertisement packet is to let the BHAs know that MHA is still alive. • Time-to-live is set to 1 in each advertisement as they never have to be transmitted outside the network.
33 Protocol Description • Advertisement Packet Format • VHA’s ID indicates the VHA that this Agent is the Master for. • MHA’s priority is the priority of this MHA. • Authentication Information is necessary to void the masquerading attacks (I.e., anybody posing as a Master after comprising it). VHA’s ID MHA’s priority Authentication Information
34 Protocol Description • BHAs only listen for advertisements, they do not send the advertisements. • If a BHA did not receive any advertisements for some period, it starts the Down Interval Timer, computed as follows: Down Time Interval = 5*Advertisement Interval + ((MHA’s priority-BHA’s priority)/MHA’s priority)
35 Protocol Description • Down Interval Time takes care of packet losses (as it is at least 5 advertisement intervals). • Down Interval Time is a function of BHA’s configured priority (if the priority is more, Down Interval Time is less).
36 Protocol Description • It is guaranteed that the Down Interval Timer of the BHA having the highest priority will expire first and that BHA transitions from BHA to MHA. • This new MHA sends advertisements from now onwards.
37 Protocol Description Advantages of this Election Protocol • No communication between the BHAs is required. • There is no confusion about which BHA becomes MHA (only the one whose timer expires first). • No additional security threats (like manipulating priorities of BHAs).
38 Protocol Description Backup State Start State Master State State Transitions
39 Advantages of the Proposed Scheme • Has only 3 states and hence the overhead of state maintenance is negligible. • Very few tasks need to be performed in each state (outlined in the tech report). • Flexible – there could be multiple VHAs in the same LAN and a MHA could be a BHA for another VHA, a BHA could be a BHA for more than one VHA at the same time.
40 Disadvantages of Virtual HA Solution • Not scalable if every packet has to be authenticated – Ex: huge audio or video data • BHA (Backup Home Agents) are idle most of the time (they just listen to MHA’s advertisements. • Central Database is still a single point of failure.
41 Hierarchical Authentication Scheme • Multiple Home Agents in a LAN are organized in a hierarchy (like a tree data structure). • A Mobile Host shares a key with each of the Agents above it in the tree (Multiple Keys). • At any time, highest priority key is used for sending packets or obtaining any other kind of service.
42 Hierarchical Authentication Scheme A C B G F E D K2 K1 (K1, P1) (K2, P2) Database Database
43 Tree-Based Scheme 7 1 2 3 4 5 6 10 11 12 13 14 15 16 9 8 Key A Key B Key C Key D Key E Key F Key G Key H Key I Key J Key K Key L Key M Key N Key O
44 Hierarchical Authentication Scheme Key Priority depends on several factors and computed as cumulative sum of weighted priorities of each factors: Example Factors: • Communication Delays • Processing Speed of the Agents • Key Usage • Life Time of the Key
45 Hierarchical Authentication Scheme • Hosts detect the Home Agent’s failure or mobility when the Home Agent does not send an acknowledgement for a request. • When the failure is detected, host reduces the priority of the current key and picks up the highest priority key to be used from now onwards.
46 VHA Scheme • Flat structure • Host has only one key • Failure is transparent to the user Hierarchical Scheme • Tree structure • Number of keys depend on height of the tree. • Hosts should be aware of the failure of BS as which key to be used depends on the base station serving it. • No Priority is assigned to the keys • Each key has priority, the key with the highest priority is used for authentication.
47 Clusters to Achieve Scalable Fault Tolerant Authentication • Front-End is the MHA. • Back-Ends are BHAs. • Each packet is digitally signed by the Mobile Host. • Packets are forwarded to the MHA. • Back-Ends verify the signatures.
48 Scalability Using Clusters • Cluster – A group of servers. – Act as a single node (i.e., identified by a single IP address). – Gives the effect of parallel processor with a large main memory and secondary storage. – Largely scalable and efficient. – Deployed in service provider networks.
49 Cluster Architecture • Client contacts the Front-End for a service. • Front-End forwards the requests to a Back- End. • Back-Ends serve/process the request.
50 Front-End’s Responsibilities • Acts as a Request dispatcher or redirector. • Does load balancing based on various factors. • Keeps track of which Back-Ends are active.
51 Cluster for Scalability Requests Clients Front-End Back-End Request Distribution
52 Locality-Aware Request Distribution R1,R1,R1,R2,R3,R2,R1,R1,R2,R3 Front-End Node Back-End Node R1,R1,R1,R1,R1 Cache Cache R1 R1, R3
53 Back-End Forwarding Front-End Back-End Node Forwarded Request
54 Request Redirection Front-End Back-End Front-End 1. Request 2. Redirect to Back-End 3. Redirected Request
55 Disadvantages of Redirection • Introduces additional delays. • Identities (i.e., addresses) of the Back-ends are exposed and thus poses a security risk. • Poses an additional burden on clients or they might not handle redirects.
56 Request Distribution • Content Based Distribution – Front-End takes into account the service requested to decide which Back-End is good (Ex: audio, video, text, etc.). – Increased performance. – Gives the flexibility of having different types of Back-End servers for different contents (Ex: audio, servers, video servers).
57 Request Distribution • Load Based Distribution – Front-End does load balancing. – Front-End distributes the requests based on the current load of the Back-Ends. – Back-Ends report about their load periodically. – Front-End prefers minimally loaded Back-End. – Useful when all the Back-Ends server similar requests (like only audio, only text).
58 Request Distribution • Locality Aware Distribution – Front-End keeps a mapping of the Back-Ends and their cache contents. – When a request arrives, it maps the request to the cache contents. – Request if forwarded to that Back-End whose cache contents match the request. • Useful for retrieving HTTP documents.
59 Conclusions and Future Work • Flat-model and tree based schemes for fault- tolerant authentication in mobile environment. • Cluster based enhancement.
60 Future Work • Quantifying the priorities for each factor and computing the overall key priority as a weighted function of all these factors. • Designing a adaptable database replication and partitioning scheme for secret key database that increases the system performance. • Simulation of these approaches and obtaining performance statistics.
61 Experimental Evaluation • Conducting experiments using ns2 to: – study the performance of the proposed schemes – assess their reliability – devise suitable values for the parameters: • VHA: priority, ad interval, … • Hierarchical: priority, #of levels, tree structure, …. • Both: key distribution, key size, re-keying, replicating secret DB, ...
62 Experiments setup • Different mobile environments by varying: • number of mobile hosts, number of home agents • number of groups/sub networks • mobility models • frequency of authentication requests • failure probability and movement behavior of home agents (base stations) • authentication scheme with different parameters • Evaluate: • comm. overhead of each scheme • response time in case of failure • best parameters’ values of each scheme

Recommended

ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
ParasPatel967737
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
KalsoomTahir2
 
shivam sahu (firewall).pdfb jndvhjfvhjjf
shivam sahu (firewall).pdfb jndvhjfvhjjfshivam sahu (firewall).pdfb jndvhjfvhjjf
shivam sahu (firewall).pdfb jndvhjfvhjjf
sahushivam4928
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
ParvezAhmed59842
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
ssuser530a07
 
Network Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfNetwork Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdf
Dr. Shivashankar
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
EduclentMegasoftel
 
CSC437-Fall2013-Module-7-Firewalls-IDS.pdf
CSC437-Fall2013-Module-7-Firewalls-IDS.pdfCSC437-Fall2013-Module-7-Firewalls-IDS.pdf
CSC437-Fall2013-Module-7-Firewalls-IDS.pdf
ssuser1f1964
 

Recommended

ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
ParasPatel967737
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
KalsoomTahir2
 
shivam sahu (firewall).pdfb jndvhjfvhjjf
shivam sahu (firewall).pdfb jndvhjfvhjjfshivam sahu (firewall).pdfb jndvhjfvhjjf
shivam sahu (firewall).pdfb jndvhjfvhjjf
sahushivam4928
 
ML13198A410.pdf
ML13198A410.pdfML13198A410.pdf
ML13198A410.pdf
ParvezAhmed59842
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
ssuser530a07
 
Network Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdfNetwork Security_Dr Shivashankar_Module 5.pdf
Network Security_Dr Shivashankar_Module 5.pdf
Dr. Shivashankar
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
EduclentMegasoftel
 
CSC437-Fall2013-Module-7-Firewalls-IDS.pdf
CSC437-Fall2013-Module-7-Firewalls-IDS.pdfCSC437-Fall2013-Module-7-Firewalls-IDS.pdf
CSC437-Fall2013-Module-7-Firewalls-IDS.pdf
ssuser1f1964
 
Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1
PROIDEA
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
Shaurya Gogia
 
Security Issues in MANET
Security Issues in MANETSecurity Issues in MANET
Security Issues in MANET
Nitin Verma
 
Ch1 Cryptography network security slides.pptx
Ch1 Cryptography network security slides.pptxCh1 Cryptography network security slides.pptx
Ch1 Cryptography network security slides.pptx
salutiontechnology
 
Security of ad hoc networks
Security of ad hoc networksSecurity of ad hoc networks
Security of ad hoc networks
Jayesh Rane
 
Chapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfChapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdf
AschalewAyele2
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
Divya Jyoti
 
Lessson 3
Lessson 3Lessson 3
Lessson 3
MLG College of Learning, Inc
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Honeywell
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
penetration Tester
 
From the Internet of Things to Intelligent Systems: A Developer's Primer
From the Internet of Things to Intelligent Systems: A Developer's PrimerFrom the Internet of Things to Intelligent Systems: A Developer's Primer
From the Internet of Things to Intelligent Systems: A Developer's Primer
Rick G. Garibay
 
Dncybersecurity
DncybersecurityDncybersecurity
Dncybersecurity
Anne Starr
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
Ben Rothke
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
Damien Magoni
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocols
Online
 
Unit 2.design mobile computing architecture
Unit 2.design mobile computing architectureUnit 2.design mobile computing architecture
Unit 2.design mobile computing architecture
Swapnali Pawar
 
Firewall
FirewallFirewall
Firewall
Ydel Capales
 
lecture 7.pptx
lecture 7.pptxlecture 7.pptx
lecture 7.pptx
MelkamuEndale1
 
Ethical Hacking justvamshi .pptx
Ethical Hacking justvamshi .pptxEthical Hacking justvamshi .pptx
Ethical Hacking justvamshi .pptx
vamshimatangi
 
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERSVTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
vtunotesbysree
 
555_Spring12CryptoCryptoCrypto_topic23.ppt
555_Spring12CryptoCryptoCrypto_topic23.ppt555_Spring12CryptoCryptoCrypto_topic23.ppt
555_Spring12CryptoCryptoCrypto_topic23.ppt
Sameer Ali
 
Lecture 1 - Introduction to Course & Course outline.pptx
Lecture 1 - Introduction to Course & Course outline.pptxLecture 1 - Introduction to Course & Course outline.pptx
Lecture 1 - Introduction to Course & Course outline.pptx
Sameer Ali
 

More Related Content

Similar to secure_mobile.ppt

Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1
PROIDEA
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
Shaurya Gogia
 
Security Issues in MANET
Security Issues in MANETSecurity Issues in MANET
Security Issues in MANET
Nitin Verma
 
Ch1 Cryptography network security slides.pptx
Ch1 Cryptography network security slides.pptxCh1 Cryptography network security slides.pptx
Ch1 Cryptography network security slides.pptx
salutiontechnology
 
Security of ad hoc networks
Security of ad hoc networksSecurity of ad hoc networks
Security of ad hoc networks
Jayesh Rane
 
Chapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfChapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdf
AschalewAyele2
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
Divya Jyoti
 
Lessson 3
Lessson 3Lessson 3
Lessson 3
MLG College of Learning, Inc
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Honeywell
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
penetration Tester
 
From the Internet of Things to Intelligent Systems: A Developer's Primer
From the Internet of Things to Intelligent Systems: A Developer's PrimerFrom the Internet of Things to Intelligent Systems: A Developer's Primer
From the Internet of Things to Intelligent Systems: A Developer's Primer
Rick G. Garibay
 
Dncybersecurity
DncybersecurityDncybersecurity
Dncybersecurity
Anne Starr
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
Ben Rothke
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
Damien Magoni
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocols
Online
 
Unit 2.design mobile computing architecture
Unit 2.design mobile computing architectureUnit 2.design mobile computing architecture
Unit 2.design mobile computing architecture
Swapnali Pawar
 
Firewall
FirewallFirewall
Firewall
Ydel Capales
 
lecture 7.pptx
lecture 7.pptxlecture 7.pptx
lecture 7.pptx
MelkamuEndale1
 
Ethical Hacking justvamshi .pptx
Ethical Hacking justvamshi .pptxEthical Hacking justvamshi .pptx
Ethical Hacking justvamshi .pptx
vamshimatangi
 
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERSVTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
vtunotesbysree
 

Similar to secure_mobile.ppt (20)

Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1Plnog13 2014 security intelligence_pkedra_v1
Plnog13 2014 security intelligence_pkedra_v1
 
DDOS ATTACKS
DDOS ATTACKSDDOS ATTACKS
DDOS ATTACKS
 
Security Issues in MANET
Security Issues in MANETSecurity Issues in MANET
Security Issues in MANET
 
Ch1 Cryptography network security slides.pptx
Ch1 Cryptography network security slides.pptxCh1 Cryptography network security slides.pptx
Ch1 Cryptography network security slides.pptx
 
Security of ad hoc networks
Security of ad hoc networksSecurity of ad hoc networks
Security of ad hoc networks
 
Chapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdfChapter_Five Compueter secuityryhf S.pdf
Chapter_Five Compueter secuityryhf S.pdf
 
Introduction to firewalls
Introduction to firewallsIntroduction to firewalls
Introduction to firewalls
 
Lessson 3
Lessson 3Lessson 3
Lessson 3
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
From the Internet of Things to Intelligent Systems: A Developer's Primer
From the Internet of Things to Intelligent Systems: A Developer's PrimerFrom the Internet of Things to Intelligent Systems: A Developer's Primer
From the Internet of Things to Intelligent Systems: A Developer's Primer
 
Dncybersecurity
DncybersecurityDncybersecurity
Dncybersecurity
 
Securing your presence at the perimeter
Securing your presence at the perimeterSecuring your presence at the perimeter
Securing your presence at the perimeter
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocols
 
Unit 2.design mobile computing architecture
Unit 2.design mobile computing architectureUnit 2.design mobile computing architecture
Unit 2.design mobile computing architecture
 
Firewall
FirewallFirewall
Firewall
 
lecture 7.pptx
lecture 7.pptxlecture 7.pptx
lecture 7.pptx
 
Ethical Hacking justvamshi .pptx
Ethical Hacking justvamshi .pptxEthical Hacking justvamshi .pptx
Ethical Hacking justvamshi .pptx
 
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERSVTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
VTU 8TH SEM INFORMATION AND NETWORK SECURITY SOLVED PAPERS
 

More from Sameer Ali

555_Spring12CryptoCryptoCrypto_topic23.ppt
555_Spring12CryptoCryptoCrypto_topic23.ppt555_Spring12CryptoCryptoCrypto_topic23.ppt
555_Spring12CryptoCryptoCrypto_topic23.ppt
Sameer Ali
 
Lecture 1 - Introduction to Course & Course outline.pptx
Lecture 1 - Introduction to Course & Course outline.pptxLecture 1 - Introduction to Course & Course outline.pptx
Lecture 1 - Introduction to Course & Course outline.pptx
Sameer Ali
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
Sameer Ali
 
Intro (1).ppt
Intro (1).pptIntro (1).ppt
Intro (1).ppt
Sameer Ali
 
CDP_2(1).pptx
CDP_2(1).pptxCDP_2(1).pptx
CDP_2(1).pptx
Sameer Ali
 
hel1 (1).ppt
hel1 (1).ppthel1 (1).ppt
hel1 (1).ppt
Sameer Ali
 
F14_Class1.pptx
F14_Class1.pptxF14_Class1.pptx
F14_Class1.pptx
Sameer Ali
 
bruce-sdn.pptx
bruce-sdn.pptxbruce-sdn.pptx
bruce-sdn.pptx
Sameer Ali
 
SINDH SALES TAX ON SERVICES ACT 2011.pdf
SINDH SALES TAX ON SERVICES ACT 2011.pdfSINDH SALES TAX ON SERVICES ACT 2011.pdf
SINDH SALES TAX ON SERVICES ACT 2011.pdf
Sameer Ali
 

More from Sameer Ali (9)

555_Spring12CryptoCryptoCrypto_topic23.ppt
555_Spring12CryptoCryptoCrypto_topic23.ppt555_Spring12CryptoCryptoCrypto_topic23.ppt
555_Spring12CryptoCryptoCrypto_topic23.ppt
 
Lecture 1 - Introduction to Course & Course outline.pptx
Lecture 1 - Introduction to Course & Course outline.pptxLecture 1 - Introduction to Course & Course outline.pptx
Lecture 1 - Introduction to Course & Course outline.pptx
 
cloud-complete.ppt
cloud-complete.pptcloud-complete.ppt
cloud-complete.ppt
 
Intro (1).ppt
Intro (1).pptIntro (1).ppt
Intro (1).ppt
 
CDP_2(1).pptx
CDP_2(1).pptxCDP_2(1).pptx
CDP_2(1).pptx
 
hel1 (1).ppt
hel1 (1).ppthel1 (1).ppt
hel1 (1).ppt
 
F14_Class1.pptx
F14_Class1.pptxF14_Class1.pptx
F14_Class1.pptx
 
bruce-sdn.pptx
bruce-sdn.pptxbruce-sdn.pptx
bruce-sdn.pptx
 
SINDH SALES TAX ON SERVICES ACT 2011.pdf
SINDH SALES TAX ON SERVICES ACT 2011.pdfSINDH SALES TAX ON SERVICES ACT 2011.pdf
SINDH SALES TAX ON SERVICES ACT 2011.pdf
 

Recently uploaded

办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
APNIC
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
APNIC
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
thezot
 

Recently uploaded (12)

办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...Securing BGP: Operational Strategies and Best Practices for Network Defenders...
Securing BGP: Operational Strategies and Best Practices for Network Defenders...
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...
 
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
一比一原版新西兰林肯大学毕业证(Lincoln毕业证书)学历如何办理
 

secure_mobile.ppt

  • 1. 1 SECURITY IN MOBILE NETWORKS Bharat Bhargava CERIAS and Computer Sciences Departments Purdue University, W. Lafayette, IN 47907 bb@cs.purdue.edu Supported by CERIAS & NSF grants CCR-0001788 and CCR-9901712.
  • 2. 2 Mobile Computing Environment • Vulnerable to failures, intrusion, and eavesdropping. • Adhoc mobile systems has everything moving (hosts, base-stations, routers/agents, subnets, intranet). • Need survivability from intentional and unintentional attacks.
  • 3. 3 Research Ideas • Integrate ideas from Science and Engineering of security and fault-tolerance. Examples: • Need to provide access to information during failures  need to disallow access for unauthorized users. – Duplicate routers & functions, duplicate authentication functions, duplicate secrete session key database, secure database that provides public keys. – Auditing, logging, check-pointing, monitoring, intrusion detection, denial of service. • Adaptability: – Adapt to timing, duration, severity, type of attack. • Election Protocols – selection of back-up base station.
  • 4. 4 Deficiency in Mobile IPAuthentication • Authentication is through a home agent (HA). – If HA is out of service, mobile host will be homeless and not be able to communicate.
  • 5. 5 Deficiency in Mobile IP Key Management • Data packets are encrypted before sending, and decrypted after receiving. • Requires exchange of secret keys and public keys between sender and receiver. • Mobile IP does not provide multi-cast session key management. Manual distribution implies N(N–1)/2 pairs of keys. Does not scale well.
  • 6. 6 Research Questions • Difficulty in initial authentication. – How quickly a public key can be established without any prior knowledge between communicating parties? • Maintaining authentication. – The session key and its life-time have to be made available to all other base stations in case MH moves across cells. Further complicates the problem of key distribution. Note session key information is not completely replicated in the database of base stations. • Hierarchical authentication of mobile base stations. – Mobile base stations must authenticate one another. Need another centralized certificate authority. Both MH and base stations must trust the same security hierarchy.
  • 7. 7 • Key agility – Difficult to come up with a measure for how long the key can be retained. • Adaptive intrusion defection systems – Detect possible break-ins of base station and fire wall reconfigurations.
  • 8. 8 Fault Tolerant Authentication in Mobile Computing Bharat Bhargava Sarat Babu Kamisetty Sanjay Kumar Madria CERIAS and Computer Sciences Department Purdue University, W. Lafayette, IN 47907 bb@cs.purdue.edu
  • 9. 9 Objective • To provide uninterrupted secure service to the mobile hosts when base station moves or fails.
  • 10. 10 Research Focus • Fault-tolerant Authentication • Group Key Management • Adaptable, Re-configurable Software • Experiments
  • 11. 11 Mobile IP Entities • Mobile Host (MH) – which can change its point of attachment to the internet from one link to another. • Home Agent (HA) – router on MH’s home network which tunnels datagrams (packets of data) to MH when it is away from home. • Foreign Agent (FA) – router on MH’s visited network which provides routing services to the MH while registered.
  • 12. 12 Hardware Characteristics • Media – Wireless media are inherently less secure. • Low power and limited computing resource – motivation for making security an optional feature. • Bandwidth – typically orders of magnitude less than wired bandwidth (motivation for reducing the overhead of the security scheme).
  • 13. 13 System Characteristics • Autonomy – WAN, base stations and mobile hosts are governed by different entities. • Network Partitions – Authentication requires communication with the home agent, which could be across the globe. • Clock Synchronization – mobile hosts may travel across multiple time zones.
  • 14. 14 Application Characteristics • Location Privacy – protecting the identity of the communicating entities (ex: Military Networks) • Mobility – implies frequent upon handoffs • Secure Multicast – one transmitter and many listeners (ex: Classrooms)
  • 15. 15 Fundamental Security Services • Authentication – Provides assurance of a host’s identity. – Provides a means to counter masquerade and replay attacks. – Can be applied to several aspects of multicast (ex: registration process).
  • 16. 16 Fundamental Security Services • Integrity – Provides assurance that traffic is not altered during the transmission. – Lack of integrity services in IP can lead to spoofing attacks. – More crucial for applications involving key management than voice applications (easily detected).
  • 17. 17 Fundamental Security Services • Confidentiality – Provides assurance that only authorized entities can decode and read the data. – Typically, encryption is used to achieve this. – Encryption can be applied at several layers of the protocol stack (ex: inherent in RTP, ESP for IP datagrams).
  • 18. 18 Fundamental Security Services • Other Services • Non-repudiation – recipient can prove that sender did sent the message in case sender denies it. • Access Control – ensures that only authorized parties can access the resources.
  • 19. 19 Problem Description • To ensure security and theft of resources (like bandwidth), all the packets originating inside the network should be authenticated. • Typically, a Mobile Host sends a packet to its Home Agent along with the authentication information.
  • 20. 20 Problem Description (continued) • If the Authentication is successful, Home Agent forwards the packet. Otherwise, packet is dropped. Internet Authentication and Forwarding Services Mobile Node Home Agent
  • 21. 21 Disadvantages of Typical Setup • Home Agent becomes a single point of failure. • Home agent becomes an attractive spot for attackers. • Not scalable – large number of hosts overload the Home agent.
  • 22. 22 Research Goals • Eliminate the single point of failure. • Distribute the load and enhance scalability and survivability of the system. • Failures – transparent to applications. • Easy to implement, no manual setup.
  • 23. 23 Traditional Approaches • Using a Proxy Server (or Backup) that takes up the responsibilities of the Base Station Disadvantages • Manual updating of the routing tables of the hosts necessary. • Time consuming and hence smooth provision of service is not possible.
  • 24. 24 Traditional Approaches (continued) • Using a Second Base Station that forwards the packets to the actual Home Agent, using Mobile IP, which is now at a Foreign Network. Disadvantages • Communication Delays introduced makes this solution impractical. • Introduces additional security threats as the packets now traverse long paths through Internet.
  • 25. 25 Proxy-Based Solution Source Network Destination Network BS1 Arbitrary Network Arbitrary Network Foreign Network BS
  • 26. 26 Disadvantages • Introduces additional security threats. • Additional communication delays. • Not transparent to applications. • Manual set up – error prone.
  • 27. 27 Proposed Schemes • We propose two schemes to solve the problem. – Virtual Home Agent – Hierarchical Authentication • They differ in the architecture and the responsibilities that the Mobile Hosts and Base Stations (Agents) hold.
  • 28. 28 Authentication Using Virtual Home Agent Entities in the proposed scheme • Virtual Home Agent (VHA) is an abstract entity identified by a network address. • Master Home Agent (MHA) is the physical entity that carries out the responsibilities of the VHA.
  • 29. 29 Authentication Using Virtual Home Agent • Backup Home Agent (BHA) is the entity that backs up a VHA. When MHA fails, BHA having the highest priority becomes MHA. • Shared Secrets Database Server is the entity that manages and processes the queries on the secret database.
  • 30. 30 Virtual Home Agent Scheme VHA ID = IPADDRI Master Home Agent (MHA) Database Server Shared Secrets Database Backup Home Agents Other hosts in the network
  • 31. 31 Protocol Description • All the MHAs and BHAs join a pre- configured multicast group. • MHA and each BHA is assigned a priority that indicates its preference to become a MHA, when the current MHA fails. • MHA has the highest priority at any given point of time
  • 32. 32 Protocol Description • Periodically, MHA sends an advertisement packet to the configured multicast group. • Purpose of this advertisement packet is to let the BHAs know that MHA is still alive. • Time-to-live is set to 1 in each advertisement as they never have to be transmitted outside the network.
  • 33. 33 Protocol Description • Advertisement Packet Format • VHA’s ID indicates the VHA that this Agent is the Master for. • MHA’s priority is the priority of this MHA. • Authentication Information is necessary to void the masquerading attacks (I.e., anybody posing as a Master after comprising it). VHA’s ID MHA’s priority Authentication Information
  • 34. 34 Protocol Description • BHAs only listen for advertisements, they do not send the advertisements. • If a BHA did not receive any advertisements for some period, it starts the Down Interval Timer, computed as follows: Down Time Interval = 5*Advertisement Interval + ((MHA’s priority-BHA’s priority)/MHA’s priority)
  • 35. 35 Protocol Description • Down Interval Time takes care of packet losses (as it is at least 5 advertisement intervals). • Down Interval Time is a function of BHA’s configured priority (if the priority is more, Down Interval Time is less).
  • 36. 36 Protocol Description • It is guaranteed that the Down Interval Timer of the BHA having the highest priority will expire first and that BHA transitions from BHA to MHA. • This new MHA sends advertisements from now onwards.
  • 37. 37 Protocol Description Advantages of this Election Protocol • No communication between the BHAs is required. • There is no confusion about which BHA becomes MHA (only the one whose timer expires first). • No additional security threats (like manipulating priorities of BHAs).
  • 38. 38 Protocol Description Backup State Start State Master State State Transitions
  • 39. 39 Advantages of the Proposed Scheme • Has only 3 states and hence the overhead of state maintenance is negligible. • Very few tasks need to be performed in each state (outlined in the tech report). • Flexible – there could be multiple VHAs in the same LAN and a MHA could be a BHA for another VHA, a BHA could be a BHA for more than one VHA at the same time.
  • 40. 40 Disadvantages of Virtual HA Solution • Not scalable if every packet has to be authenticated – Ex: huge audio or video data • BHA (Backup Home Agents) are idle most of the time (they just listen to MHA’s advertisements. • Central Database is still a single point of failure.
  • 41. 41 Hierarchical Authentication Scheme • Multiple Home Agents in a LAN are organized in a hierarchy (like a tree data structure). • A Mobile Host shares a key with each of the Agents above it in the tree (Multiple Keys). • At any time, highest priority key is used for sending packets or obtaining any other kind of service.
  • 43. 43 Tree-Based Scheme 7 1 2 3 4 5 6 10 11 12 13 14 15 16 9 8 Key A Key B Key C Key D Key E Key F Key G Key H Key I Key J Key K Key L Key M Key N Key O
  • 44. 44 Hierarchical Authentication Scheme Key Priority depends on several factors and computed as cumulative sum of weighted priorities of each factors: Example Factors: • Communication Delays • Processing Speed of the Agents • Key Usage • Life Time of the Key
  • 45. 45 Hierarchical Authentication Scheme • Hosts detect the Home Agent’s failure or mobility when the Home Agent does not send an acknowledgement for a request. • When the failure is detected, host reduces the priority of the current key and picks up the highest priority key to be used from now onwards.
  • 46. 46 VHA Scheme • Flat structure • Host has only one key • Failure is transparent to the user Hierarchical Scheme • Tree structure • Number of keys depend on height of the tree. • Hosts should be aware of the failure of BS as which key to be used depends on the base station serving it. • No Priority is assigned to the keys • Each key has priority, the key with the highest priority is used for authentication.
  • 47. 47 Clusters to Achieve Scalable Fault Tolerant Authentication • Front-End is the MHA. • Back-Ends are BHAs. • Each packet is digitally signed by the Mobile Host. • Packets are forwarded to the MHA. • Back-Ends verify the signatures.
  • 48. 48 Scalability Using Clusters • Cluster – A group of servers. – Act as a single node (i.e., identified by a single IP address). – Gives the effect of parallel processor with a large main memory and secondary storage. – Largely scalable and efficient. – Deployed in service provider networks.
  • 49. 49 Cluster Architecture • Client contacts the Front-End for a service. • Front-End forwards the requests to a Back- End. • Back-Ends serve/process the request.
  • 50. 50 Front-End’s Responsibilities • Acts as a Request dispatcher or redirector. • Does load balancing based on various factors. • Keeps track of which Back-Ends are active.
  • 52. 52 Locality-Aware Request Distribution R1,R1,R1,R2,R3,R2,R1,R1,R2,R3 Front-End Node Back-End Node R1,R1,R1,R1,R1 Cache Cache R1 R1, R3
  • 54. 54 Request Redirection Front-End Back-End Front-End 1. Request 2. Redirect to Back-End 3. Redirected Request
  • 55. 55 Disadvantages of Redirection • Introduces additional delays. • Identities (i.e., addresses) of the Back-ends are exposed and thus poses a security risk. • Poses an additional burden on clients or they might not handle redirects.
  • 56. 56 Request Distribution • Content Based Distribution – Front-End takes into account the service requested to decide which Back-End is good (Ex: audio, video, text, etc.). – Increased performance. – Gives the flexibility of having different types of Back-End servers for different contents (Ex: audio, servers, video servers).
  • 57. 57 Request Distribution • Load Based Distribution – Front-End does load balancing. – Front-End distributes the requests based on the current load of the Back-Ends. – Back-Ends report about their load periodically. – Front-End prefers minimally loaded Back-End. – Useful when all the Back-Ends server similar requests (like only audio, only text).
  • 58. 58 Request Distribution • Locality Aware Distribution – Front-End keeps a mapping of the Back-Ends and their cache contents. – When a request arrives, it maps the request to the cache contents. – Request if forwarded to that Back-End whose cache contents match the request. • Useful for retrieving HTTP documents.
  • 59. 59 Conclusions and Future Work • Flat-model and tree based schemes for fault- tolerant authentication in mobile environment. • Cluster based enhancement.
  • 60. 60 Future Work • Quantifying the priorities for each factor and computing the overall key priority as a weighted function of all these factors. • Designing a adaptable database replication and partitioning scheme for secret key database that increases the system performance. • Simulation of these approaches and obtaining performance statistics.
  • 61. 61 Experimental Evaluation • Conducting experiments using ns2 to: – study the performance of the proposed schemes – assess their reliability – devise suitable values for the parameters: • VHA: priority, ad interval, … • Hierarchical: priority, #of levels, tree structure, …. • Both: key distribution, key size, re-keying, replicating secret DB, ...
  • 62. 62 Experiments setup • Different mobile environments by varying: • number of mobile hosts, number of home agents • number of groups/sub networks • mobility models • frequency of authentication requests • failure probability and movement behavior of home agents (base stations) • authentication scheme with different parameters • Evaluate: • comm. overhead of each scheme • response time in case of failure • best parameters’ values of each scheme