Biblio

IPsec is widely used for internet security because it offers confidentiality, integrity, and authenticity also protects from replay attacks. IP Security depends on numerous frameworks, organization propels, and cryptographic techniques. IPsec is a heavyweight complex security protocol suite. Because of complex architecture and implementation processes, security implementers prefer TLS. Because of complex implementation, it is impractical to manage over the IoT devices. We propose a simplified and lite version of internet security protocol implemented with only ESP. For encryption, we use AES, RAS-RLP public key cryptography.

In network communication domain, one of the most widely used protocol for encrypting data and securing communications is the IPSec protocol. The design of this protocol is based on two main phases which are: exchanging keys phase and transferring data phase. In this paper we focus on enhancing the exchanging keys phase which is included in the security association (SA), using a chaotic cryptosystem. Initially IPSec is based on the Internet Key Exchange (IKE) protocol for establishing the SA. Actually IKE protocol is in charge for negotiating the connection and for authenticating both nodes. However; using IKE gives rise to a major problem related to security attack such as the Man in the Middle Attack. In this paper, we propose a chaotic cryptosystem solution to generate SA file for the connected nodes of the network. By solving a 4-Dimension chaotic system, a SA file that includes 128-bit keys will be established. The proposed solution is implemented and tested using FPGA boards.

This Innovate Practice Full Paper describes our experience with teaching cybersecurity topics using guided inquiry collaborative learning. The goal is to not only develop the students' in-depth technical knowledge, but also “soft skills” such as communication, attitude, team work, networking, problem-solving and critical thinking. This paper reports our experience with developing and using the Guided Inquiry Collaborative Learning materials on the topics of firewall and IPsec. Pre- and post-surveys were conducted to access the effectiveness of the developed materials and teaching methods in terms of learning outcome, attitudes, learning experience and motivation. Analysis of the survey data shows that students had increased learning outcome, participation in class, and interest with Guided Inquiry Collaborative Learning.

In network communication domain, one of the most widely used protocol for encrypting data and securing communications is the IPSec protocol. The design of this protocol is based on two main phases which are: exchanging keys phase and transferring data phase. In this paper we focus on enhancing the exchanging keys phase which is included in the security association (SA), using a chaotic cryptosystem. Initially IPSec is based on the Internet Key Exchange (IKE) protocol for establishing the SA. Actually IKE protocol is in charge for negotiating the connection and for authenticating both nodes. However; using IKE gives rise to a major problem related to security attack such as the Man in the Middle Attack. In this paper, we propose a chaotic cryptosystem solution to generate SA file for the connected nodes of the network. By solving a 4-Dimension chaotic system, a SA file that includes 128-bit keys will be established. The proposed solution is implemented and tested using FPGA boards.

With the continuous development of information technology, our country has achieved great progress and development in Electronic Science and technology. Nowadays mobile embedded systems are gradually coming into people's vision. Mobile embedded system is a brand-new computer technology in the current computer technology. Now it has been widely used in enterprises. Mobile embedded system extends its functions mainly by combining the access capability of the Internet. Nowadays, embedded system network is widely welcomed by people. But for the embedded system network, there are also a variety of network attacks. Therefore, in the research process of this paper, we mainly start with the way of embedded network security and network attack, and then carry out the countermeasures to improve the network security of embedded system, which is to provide a good reference for improving the security and stability of embedded system.

As the technology reliance increases, computer networks are getting bigger and larger and so are threats and attacks. Therefore Network security becomes a major concern during this last decade. Network Security requires a combination of hardware devices and software applications. Namely, Firewalls and IPsec gateways are two technologies that provide network security protection and repose on security policies which are maintained to ensure traffic control and network safety. Nevertheless, security policy misconfigurations and inconsistency between the policy's rules produce errors and conflicts, which are often very hard to detect and consequently cause security holes and compromise the entire system functionality. In This paper, we review the related approaches which have been proposed for security policy management along with surveying the literature for conflicts detection and resolution techniques. This work highlights the advantages and limitations of the proposed solutions for security policy verification in IPsec and Firewalls and gives an overall comparison and classification of the existing approaches.

Nowadays, The incorporation of different function of the network, as well as routing, administration, and security, is basic to the effective operation of a mobile circumstantial network these days, in MANET thought researchers manages the problems of QoS and security severally. Currently, each the aspects of security and QoS influence negatively on the general performance of the network once thought-about in isolation. In fact, it will influence the exceptionally operating of QoS and security algorithms and should influence the important and essential services needed within the MANET. Our paper outlines 2 accomplishments via; the accomplishment of security and accomplishment of quality. The direction towards achieving these accomplishments is to style and implement a protocol to suite answer for policy-based network administration, and methodologies for key administration and causing of IPsec in a very MANET.

This computer era leads human to interact with computers and networks but there is no such solution to get rid of security problems. Securities threats misleads internet, we are sometimes losing our hope and reliability with many server based access. Even though many more crypto algorithms are coming for integrity and authentic data in computer access still there is a non reliable threat penetrates inconsistent vulnerabilities in networks. These vulnerable sites are taking control over the user's computer and doing harmful actions without user's privileges. Though Firewalls and protocols may support our browsers via setting certain rules, still our system couldn't support for data reliability and confidentiality. Since these problems are based on network access, lets we consider TCP/IP parameters as a dataset for analysis. By doing preprocess of TCP/IP packets we can build sovereign model on data set and clump cluster. Further the data set gets classified into regular traffic pattern and anonymous pattern using KNN classification algorithm. Based on obtained pattern for normal and threats data sets, security devices and system will set rules and guidelines to learn by it to take needed stroke. This paper analysis the computer to learn security actions from the given data sets which already exist in the previous happens.

We survey elliptic curve implementations from several vantage points. We perform internet-wide scans for TLS on a large number of ports, as well as SSH and IPsec to measure elliptic curve support and implementation behaviors, and collect passive measurements of client curve support for TLS. We also perform active measurements to estimate server vulnerability to known attacks against elliptic curve implementations, including support for weak curves, invalid curve attacks, and curve twist attacks. We estimate that 1.53% of HTTPS hosts, 0.04% of SSH hosts, and 4.04% of IKEv2 hosts that support elliptic curves do not perform curve validity checks as specified in elliptic curve standards. We describe how such vulnerabilities could be used to construct an elliptic curve parameter downgrade attack called CurveSwap for TLS, and observe that there do not appear to be combinations of weak behaviors we examined enabling a feasible CurveSwap attack in the wild. We also analyze source code for elliptic curve implementations, and find that a number of libraries fail to perform point validation for JSON Web Encryption, and find a flaw in the Java and NSS multiplication algorithms.

An approach to creating secure virtual private networks for the Named Data Networking (NDN) protocol suite is described. It encrypts and encapsulates NDN packets from higher security domains and places them as the payload in unencrypted NDN packets, much as IPsec encapsulates encrypted IP datagrams in unencrypted IP datagrams. We then leverage the well-known properties of the IP-in-IP approach, taken by IPsec in tunnel mode, to understand the strengths and weaknesses of the proposed NDN-in-NDN approach.

Accelerated Processing Unit (APU) is a heterogeneous multicore processor that contains general-purpose CPU cores and a GPU in a single chip. It also supports Heterogeneous System Architecture (HSA) that provides coherent physically-shared memory between the CPU and the GPU. In this paper, we present the design and implementation of a high-performance IPsec gateway using a low-cost commodity embedded APU. The HSA supported by the APUs eliminates the data copy overhead between the CPU and the GPU, which is unavoidable in the previous discrete GPU approaches. The gateway is implemented in OpenCL to exploit the GPU and uses zero-copy packet I/O APIs in DPDK. The IPsec gateway handles the real-world network traffic where each packet has a different workload. The proposed packet scheduling algorithm significantly improves GPU utilization for such traffic. It works not only for APUs but also for discrete GPUs. With three CPU cores and one GPU in the APU, the IPsec gateway achieves a throughput of 10.36 Gbps with an average latency of 2.79 ms to perform AES-CBC+HMAC-SHA1 for incoming packets of 1024 bytes.

For efficient deployment of sensor nodes required in many logistic applications, it's necessary to build security mechanisms for a secure wireless communication. End-to-end security plays a crucial role for the communication in these networks. This provides the confidentiality, the authentication and mostly the prevention from many attacks at high level. In this paper, we propose a lightweight key exchange protocol WSKE (Wireless Sensor Key Exchange) for IP-based wireless sensor networks. This protocol proposes techniques that allows to adapt IKEv2 (Internet Key Exchange version 2) mechanisms of IPSEC/6LoWPAN networks. In order to check these security properties, we have used a formal verification tools called AVISPA.
 

We consider the setting of HTTP traffic over encrypted tunnels, as used to conceal the identity of websites visited by a user. It is well known that traffic analysis (TA) attacks can accurately identify the website a user visits despite the use of encryption, and previous work has looked at specific attack/countermeasure pairings. We provide the first comprehensive analysis of general-purpose TA countermeasures. We show that nine known countermeasures are vulnerable to simple attacks that exploit coarse features of traffic (e.g., total time and bandwidth). The considered countermeasures include ones like those standardized by TLS, SSH, and IPsec, and even more complex ones like the traffic morphing scheme of Wright et al. As just one of our results, we show that despite the use of traffic morphing, one can use only total upstream and downstream bandwidth to identify – with 98% accuracy - which of two websites was visited. One implication of what we find is that, in the context of website identification, it is unlikely that bandwidth-efficient, general-purpose TA countermeasures can ever provide the type of security targeted in prior work.