Derrick Kong

TinyPK: securing sensor networks with public key technology

Wireless networks of miniaturized, low-power sensor/actuator devices are poised to become widely used in commercial and military environments. The communication security problems for these networks are exacerbated by the limited power and energy of the sensor devices. In this paper, we describe the design and implementation of public-key-(PK)-based protocols that allow authentication and key agreement between a sensor network and a third party as well as between two sensor networks. Our work is novel in that PK technology was commonly believed to be too inefficient for use on low-power devices. As part of our solution, we exploit the efficiency of public operations in the RSA cryptosystem and design protocols that place the computationally expensive operations on the parties external to the sensor network, when possible. Our protocols have been implemented on UC Berkeley MICA2 motes using the TinyOS development environment.

A secure content network in space

We present a content network architecture for a cluster of satellites flying in low Earth orbit. The cluster uses a dynamic wireless network to interconnect the satellites and has an intermittent link to the ground. Even though a cluster of satellites fly in formation, their relative positions can vary widely, and occasionally the cluster can disperse and regroup in order to avoid obstacles or to affect a better arrangement. The network, therefore, is a MANET with elements of a disruption tolerant network. Further, data security is a fundamental concern. Our approach is to layer a content network over the wireless network, supporting multiple qualities of service and multiple independent levels of security.

An architecture for scalable network defense

We describe a novel architecture for network defense designed for scaling to very high data rates (100 Gb/s) and very large user populations. Scaling requires both efficient attack detection algorithms as well as appropriate an execution environment. Our architecture considers the time budget of traffic data extraction and algorithmic processing, provides a suite of detection algorithms”each designed to present different and complementary views of the data—that generate many “traffic events,” and reduces false positives by correlating these traffic events into benign or malicious hypotheses.

Realizing a virtual private network using named data networking

An approach to creating secure virtual private networks for the Named Data Networking (NDN) protocol suite is described. It encrypts and encapsulates NDN packets from higher security domains and places them as the payload in unencrypted NDN packets, much as IPsec encapsulates encrypted IP datagrams in unencrypted IP datagrams. We then leverage the well-known properties of the IP-in-IP approach, taken by IPsec in tunnel mode, to understand the strengths and weaknesses of the proposed NDN-in-NDN approach.