Edward L. Witzke
Sandia National Laboratories
Publication
Featured research published by Edward L. Witzke.
ACM Special Interest Group on Data Communication | 1999
Lyndon G. Pierson; Edward L. Witzke; Mark O. Bean; Gerry J. Trombley
Different applications have different security requirements for data privacy, data integrity, and authentication. Encryption is one technique that addresses these requirements. Encryption hardware, designed for use in high-speed communications networks, can satisfy a wide variety of security requirements if the hardware implementation is key-agile, key length-agile, mode-agile, and algorithm-agile. Hence, context-agile encryption provides enhanced solutions to the secrecy, interoperability, and quality of service issues in high-speed networks. Moreover, having a single context-agile encryptor at an ATM aggregation point (such as a firewall) reduces hardware and administrative costs. While single-algorithm, key-agile encryptors exist, encryptors that are agile in a cryptographic robustness sense are still research topics.
Cryptographic Hardware and Embedded Systems | 1999
D. Craig Wilcox; Lyndon G. Pierson; Perry J. Robertson; Edward L. Witzke; Karl Gass
The Sandia National Laboratories (SNL) Data Encryption Standard (DES) Application Specific Integrated Circuit (ASIC) is the fastest known implementation of the DES algorithm as defined in the Federal Information Processing Standards (FIPS) Publication 46-2. DES is used for protecting data by cryptographic means. The SNL DES ASIC, over 10 times faster than other currently available DES chips, is a high-speed, fully pipelined implementation offering encryption, decryption, unique key input, or algorithm bypassing on each clock cycle. Operating beyond 105 MHz on 64-bit words, this device is capable of data throughputs greater than 6.7 billion bits per second (tester limited). Simulations predict proper operation up to 9.28 billion bits per second. In low frequency, low data rate applications, the ASIC consumes less than one milliwatt of power. The device has features for passing control signals synchronized to throughput data. Three SNL DES ASICs may be easily cascaded to provide the much greater security of triple-key, triple-DES.
Military Communications Conference | 2009
Loren E. Riblett; Edward L. Witzke
As the world becomes increasingly dependent on dynamic and up-to-the-moment information, we recognize that broadband networks must be able to convey this information timely and wirelessly, to and from users in motion. Varieties of 802.11 compliant equipment and other types of broadband wireless equipment have been proposed for, and in some areas are being used to, meet this need. There have been questions about the suitability of 802.11-based equipment for broadband networks that have to operate at vehicular speeds. Prior literature in the field has illustrated some of the problems, but is generally short on specific results from testing. At our facility, we have a wireless networking testbed that includes 802.11-based equipment, as well as equipment supporting other protocols. We conducted mobile connectivity and throughput experiments at different rates of speed to examine how 802.11-based equipment performs in the mobile broadband wireless network role. We also conducted the same experiments using Motorola's Mesh-Enabled Architecture. This paper presents those results. After summarizing the previous work by others in this area, we describe the layout of the wireless testbed, the structure of the experiments, and how the experiments were conducted. Next, we present and analyze the results of the experiments, and finally offer our conclusions.
Proceedings of SPIE, the International Society for Optical Engineering | 2001
Thomas D. Tarman; Edward L. Witzke
Many private and public networks are based on network switching technologies. However, switched networks present a number of challenges to intrusion detection equipment. These challenges include limited visibility of network flows at the edges of the network, high-speed packet processing, and highly-aggregated flows in the core. In addition, switched networks typically implement protocols specific to Layer 2 functions, such as connection establishment and connection routing, which can be attacked to deny service to higher layer protocols and applications. Since these attacks cannot be detected by Internet Protocol intrusion detection equipment, Layer 2 intrusion detection is required. This paper describes an approach for performing intrusion monitoring in switched, Layer 2 networks, specifically, Asynchronous Transfer Mode networks.
International Carnahan Conference on Security Technology | 2002
Thomas D. Tarman; Edward L. Witzke; Lyndon G. Pierson; Philip L. Campbell
This paper highlights the problem of run-time execution correctness of high-consequence applications in conventional Von Neumann computer architectures. It proposes an approach, trusted objects, in which the application program and data are cryptographically encapsulated in their own environment. The remainder of the paper is organized as follows: after presenting a description of trusted objects, their creation, and their execution, their potential applications are described. Finally, issues and problems requiring further research are discussed.
Military Communications Conference | 2001
Thomas D. Tarman; Edward L. Witzke; Keith C. Bauer; Brian R. Kellogg; William F. Young
ATM networks are the foundation for a number of public and private networks, and their correct operation is critical to the availability of higher layer protocols (such as IP) and applications. However, ATM uses a number of protocols for connection establishment and routing, and if these protocols are not functioning correctly (e.g., due to misconfiguration, component failure, or active attack), denial of service may result. Since ATM protocol irregularities occur below IP, they are not detectable by the IP intrusion detection systems that are prevalent in today's networks. This paper describes an implementation of an intrusion detection system that detects ATM protocol attacks. This system uses a centralized assessment engine to collect network event notifications from a distributed set of sensors. These sensors monitor ATM protocol activity and send the filtered events to the assessment engine. The assessment engine compares the incoming event traffic against a set of attack templates and, if a match is encountered, it (optionally) activates a set of responses. In addition, this paper describes results that have been obtained from the proof-of-concept implementation, along with initial experience with its use in operational networks. Future research directions that address other unique challenges presented by ATM intrusion detection and response are also described.
Military Communications Conference | 2002
Edward L. Witzke; Thomas D. Tarman; S. Ghosh; G. Woodard
High-speed, switched networks present scalability challenges to a network intrusion detection system, both in terms of the volume of data that must be analyzed and the extent to which sensors must be inserted into the switched network to achieve comprehensive visibility. An architecture that uses a single point for intrusion assessment would quickly become overwhelmed with incoming event data from intrusion sensors that are deployed on even a moderate number of high-speed links. This is particularly true if an earnest attack (generating many events in a short period of time) is underway. The authors propose a novel architecture that hierarchically distributes the assessment function into two assessment categories: tactical assessment and strategic assessment. The tactical assessment function provides low-level event correlation and decision making for a small sub-network (e.g., a department LAN, an ATM switch peer group, etc.), and is capable of providing fast, real-time response when millisecond response times are required due to network attacks. The strategic assessment function, on the other hand, implements high-level event correlation, which is useful when a larger view of the network is required (e.g., for low intensity or distributed attacks). The tactical assessment engines interface to the strategic assessment engine by filtering and summarizing low-level events, ensuring that the strategic assessment engine's workload remains manageable. This paper describes the distributed intrusion assessment architecture in more detail, presents a few application scenarios that benefit from hierarchical attack assessment, and summarizes ongoing work in developing prototype components for this architecture.
International Phoenix Conference on Computers and Communications | 1996
Edward L. Witzke; Lyndon G. Pierson
End-to-end encryption can protect proprietary information as it passes from one end of a complex computer network to another, through untrusted intermediate systems. Encryption performance, in terms of bits per second encrypted, has not scaled well, as network performance has increased. The authors felt that multiple encryption modules, operating in parallel would be the cornerstone of scalable encryption. One of the major problems with parallelizing encryption is ensuring that each encryption module is getting the proper portion of the key sequence at the correct point in the encryption or decryption of the message. Many encryption schemes use linear recurring sequences, which may be generated by a linear feedback shift register. Instead of using a linear feedback shift register, the authors describe a method to generate the linear recurring sequence by using parallel decimated sequences, one per encryption module. Computing decimated sequences can be time consuming, so the authors have also described a way to compute these sequences with logic gates rather than arithmetic operations.
International Phoenix Conference on Computers and Communications | 1991
Edward L. Witzke; Lyndon G. Pierson
The objective is to adjust the protocol parameters and network elements to achieve maximum data throughput over a certain circuit or set of circuits (a network path) subject to certain constraints, such as delay-bandwidth product, error rate, and tuning parameter limits and accessibility. To provide optimal performance from the user's perspective, which is application to application, all peer layers of the protocol must be tuned. The key to tuning protocols is reducing idle time on the links caused by various protocol layers waiting for acknowledgements. Experiments have been conducted on test bed systems, and on live satellite and terrestrial circuits. Various aspects of network tuning and certain specific issues relating to the tuning of three protocols (DECnet, TCP/IP, NETEX) over various media types (point-to-point and broadcast) under several different conditions (terrestrial and satellite) are examined. Also described are the lessons learned about protocol and network tuning.
International Carnahan Conference on Security Technology | 2012
Edward L. Witzke; Joseph P. Brenkosh; Karl L. Green; Loren E. Riblett; James M. Wiseman
Wireless mesh networks (WMNs) are growing in popularity because of their inherent robustness, versatility, and ease of deployment in situations such as natural or man-made disasters. Another area of potential use for these networks is in physical security systems where they can potentially improve mobile communications, communications with remote locations, temporary communications, and geolocation applications. Since these physical security systems may employ a mobile WMN to transport sensitive or classified information, questions arise as to whether end-to-end encryption would work within a very dynamic WMN. We could not find published data or results concerning this. Therefore, we set out to find whether end-to-end encryption will continue to work through an ever-changing WMN. We examined the behavior of end-to-end encryption when the path through the wireless network changes (that is, when routing is forced through a different intermediate node or nodes) and when traversing a radio frequency (RF) shadow. We especially wished to determine whether a tunnel, as used in software virtual private networks (VPNs) or hardware encryption devices, would survive RF shadow transits and mesh network topology changes. This paper presents an introduction to WMNs, their applicability to physical security systems, our end-to-end encryption experiments, analysis of the results, and our conclusions.