140 likes | 244 Views
Securing Information Transmission by Redundancy. Jun Li Peter Reiher Gerald Popek Computer Science Department UCLA NISS Conference October 21, 1999. Outline. Interruption threats are hard to counter Redundant transmission makes interruptions harder
E N D
Securing Information Transmission by Redundancy Jun Li Peter Reiher Gerald Popek Computer Science Department UCLA NISS Conference October 21, 1999
Outline • Interruption threats are hard to counter • Redundant transmission makes interruptions harder • But redundant transmission is not as easy as using redundancy in other areas • Sample uses • Conclusion
Interruption Threats Destination Source An interruption attack occurs Result? No data flows to the destination
Problem • Many kinds of interruption threats • Corrupted routers drop packets • Transmitting over packets on shared media • Congesting links or routers • Conventional approaches won’t help • Encrypted/signed message can still be interrupted • Acknowledgement won’t help either • The acknowledgement itself is subject to interruption • Retransmission means possibly failing again • So?
receiver Using Redundancy To Counter Interruptions • Don’t use a single path • Any point on the single path is a point of failure • Use redundancy to secure transmission • Only parallel redundancy considered here • A node is expected to receive multiple copies of one message • Successful if at least one copy is authentically received • Redundancy has been widely used in other areas • High availability storage • Replicated execution • And many others
How does redundant deliver help? What if a router is corrupted? A Simple Example Source Normal delivery uses a default path The redundant copy gets through despite a bad router Destination
sender receiver But . . . • Redundant transmission is tough • Discovering disjoint paths is difficult • Routing is transparent to applications • Using disjoint paths is difficult • They may not exist at all • Can try to be as disjoint as possible nevertheless • An attacker has to find a choke point or break multiple points • Scale can also cause big problems • And what about costs of sending multiple copies?
Sample Uses of Redundancy • Revere • Secure delivery of security updates • General purpose redundant packet delivery service • Redundancy for every network user?
Revere • Goal: disseminate security updates to large number of machines • Assume a trusted dissemination center • Security updates • Small size but critical information • Examples: • New virus signature • New intrusion detection signature • CRL (certificate revocation lists) • Offending characteristics for a firewall to monitor
Revere Structure • Acks/Nacks inappropriate • Scaling, lack of complete trust, etc. • Use redundancy to send multiple copies to each node • Each node can also forward security updates to others • A node can contact multiple repository nodes for missed updates
General Redundant Packet Delivery Services • How could we add a redundant packet delivery service to the Internet? • What would be the best method of achieving redundancy? • Know a lot about the network? • Or rely on randomness and obscurity? • What are the costs of doing so? • How could it be easily deployable? • Proxy-based solutions?
Conclusion • Conventional security approaches and transmission primitives don’t adequately counter interruption threats • Redundancy is a promising tool • But effective use of redundancy is challenging • Are there other problems that redundancy can solve? • Does redundancy itself lead to new security threats?
Questions • Contact information • Peter Reiher: reiher@cs.ucla.edu • Jun Li: lijun@cs.ucla.edu • Gerald Popek: popek@cs.ucla.edu