Guenter Schaefer

Credential Management for Automatic Identification Solutions in Supply Chain Management

Current systems for automatic identification of goods presume a single administrative domain. However, in supply chain management systems temporary cooperations of multiple companies exist, and the usage of one identification device, such as a radio-frequency identification (RFID) tag, per company is infeasible for reasons of costs, space requirements, traceability, and higher collision rate. This paper analyzes the security requirements resulting from the usage of a single tag for multiple companies and proposes a novel system architecture and accompanying cryptographic protocols that address the security objectives entity authentication, controlled access, data confidentiality and integrity, as well as untraceability of RFID tags. The architecture is designed to provide high availability and graceful degradation in case of compromise of system parts. The results of an implementation and simulation study give insights on appropriate data structures for realizing key functionality, and demonstrate the feasibility with off-the-shelf hardware.

Towards the design of unexploitable construction mechanisms for multiple-tree based P2P streaming systems

In peer-to-peer based live streaming systems, a great number of participants have to cooperate to efficiently and reliably distribute a continuous flow of data. Each receiving peer in return provides its resources to the system. Since these systems operate in a completely distributed manner, it is of particular importance, to prevent malicious members from harvesting important topology information or influencing the streaming system to their needs. In this article, we analyze potential attack methods on multiple-tree-based P2P streaming systems, discuss important design decisions to constrain the impact of malicious behaviour, and we introduce the new concept of peer testaments. By analyzing existing systems, we show that so far only few attention has been given to the design of unexploitable construction mechanisms. Based on the identified design decisions, we propose a novel streaming system and evaluate it by exposing it to different types of internal attackers. Our results show that these attackers have to spend large effort to reach relevant positions in the streaming topology and that their bandwidth contribution far outnumbers the damage they achieve.

Distributed Automatic Configuration of Complex IPsec-Infrastructures

The Internet Protocol Security Architecture IPsec is hard to deploy in large, nested, or dynamic scenarios. The major reason for this is the need for manual configuration of the cryptographic tunnels, which grows quadratically with the total amount of IPsec gateways. This way of configuration is error-prone, cost-intensive and rather static. When private addresses are used in the protected subnetworks, the problem becomes even worse as the routing cannot rely on public infrastructures. In this article, we present a fully automated approach for the distributed configuration of IPsec domains. Utilizing peer-to-peer technology, our approach scales well with respect to the number of managed IPsec gateways, reacts robust to network failures, and supports the configuration of nested networks with private address spaces. We analyze the security requirements and further desirable properties of IPsec policy negotiation, and show that the distribution of security policy configuration does not impair security of transmitted user data in the resulting virtual private network (VPN). Results of a prototype implementation and simulation study reveal that the approach offers good characteristics for example with respect to quick reconfiguration of all gateways after a central power failure (robustness), or after insertion of new gateways (scalability and agility).

A survey on automatic configuration of virtual private networks

Virtual private networks (VPN) offer a secure data exchange over public networks. Despite being cheaper than leased lines, growing sizes and dynamic behavior of VPN nodes, e.g., for mobility or reasons of denial-of-service-attacks, make a manual configuration of large, dynamic VPN expensive. Consequently, a number of different VPN auto-configuration approaches have been invented and partially deployed over the last decade. This article identifies a comprehensive set of objectives to be fulfilled by IP-based VPN auto-configuration, explains and groups mechanisms, and analyzes their strengths and weaknesses with regards to the objectives. Finally, it identifies potential future directions of autonomous VPN deployment.

Towards trustworthy mobile social networking services for disaster response

Situational awareness is crucial for effective disaster management. However, obtaining information about the actual situation is usually difficult and time-consuming. While there has been some effort in terms of incorporating the affected population as a source of information, the issue of obtaining trustworthy information has not yet received much attention. Therefore, we introduce the concept of witness-based report verification, which enables users from the affected population to evaluate reports issued by other users. We present an extensive overview of the objectives to be fulfilled by such a scheme and provide a first approach considering security and privacy. Finally, we evaluate the performance of our approach in a simulation study. Our results highlight synergetic effects of group mobility patterns that are likely in disaster situations.

Bounds for the Security of the Vivaldi Network Coordinate System

Network coordinate systems have gained much attention as they allow for an elegant estimation of distances between nodes in distributed systems. Their most prominent representative is Vivaldi, which is using a mass-spring-damper system to embed peers into a two-dimensional Euclidean coordinate space with an additional height coordinate. In unimpaired overlay networks this simple method leads to a good approximation of pair wise delays. Unfortunately, like most distributed algorithms, Vivaldi is vulnerable to Byzantine failures, leading to possible routing attacks in peer-to-peer systems. Hence, several attack methods and countermeasures have been proposed. In this article, we analyze bounds for protection of Vivaldi network coordinates and show by theory and simulation how triangle inequality violations can be exploited to create instabilities, despite the proposed countermeasures.

Using recurring costs for reputation management in peer-to-peer streaming systems

Due to the dependency on preceding nodes in overlay live streaming systems, only highly reliable nodes should be chosen to occupy vital positions in the overlay topology, serving large numbers of succeeding participants. Otherwise, the highly dynamic and potentially hostile environment with frequent arrivals and departures of participants may lead to high packet loss rates and a significant decrease in quality of service. Hence, a high resilience towards failure of participants and especially deliberate sabotage through malicious parties is a prerequisite for this content distribution scheme to gain acceptance by users and the market. In order to incorporate the reliability of nodes into the topology construction process a stable metric for assessing the reliability of nodes has to be defined that preserves the anonymity of the subscribers and allows coping with their stochastic behavior. In this paper we present eLeumund, an algorithm, which utilizes recurring costs as a means to compute a dependable reputation value representing a node’s reliability for the service. Our scheme maintains the privacy of all participants.

Resilient and underlay-aware P2P live-streaming

Application Layer Multicast (ALM) represents a cost-efficient way to disseminate content in large scale. However, as it relies on end-systems in content distribution, it can be easily attacked and thus requires specific measures to increase its resilience against attacks. Besides attacks on end-users, few attention has been paid to attacks on the underlying transport network so far. When the overlay is not constructed in an underlay-aware manner, several overlay links may rely on the same link or router in the underlay. Hence, a single underlay failure may result in multiple, simultaneous overlay failures. Moreover, without considering the underlying transport network an inefficient content distribution can be the result. For this reason the ALM induced traffic load in transport networks can become rather large. In this article, we propose a construction algorithm for ALM topologies that incorporates information about the underlying network to improve their resilience against underlay failures, to maintain resilience against overlay attacks, and to increase the efficiency of the content distribution. Our simulation results indicate that the underlay dependence of the established ALM overlays can be nearly halved compared to overlays that do not use information about the transport network in their construction. As a result, the ALM induced traffic load in transport networks decreases considerably. In addition, the results indicate that our topologies are likewise resilient to underlay as well as overlay attacks.

On the resistance of overlay networks against bandwidth exhaustion attacks

In order to perform private communication over public networks, such as the Internet, several different kinds of virtual overlay networks emerged. Examples are the well known Virtual Private Networks, Darknets, and anonymizing networks like Tor. All of these networks are designed to provide data delivery that is confidential, authentic and integrity protected. Nonetheless, for a secure operation also the availability must be taken into account, especially as these structures turn into vital targets for Denial-of-Service attacks. Within this article we present metrics to rate different network topologies with regard to their resistance against botnets, whose available attack bandwidth is not a limiting factor. The presented metrics consider random, greedy, and optimally operating attackers, and are used to derive several properties that very resilient overlay topologies must have. In particular a low constant node degree and high girth are identified. The results are validated by a simulation study.

Towards distributed geolocation by employing a delay-based optimization scheme

To support position-dependent services, like matchmaking algorithms for online games or geographic backup routes, the estimation of peer locations became a key requisite for a range of applications, recently. However, exact localization may be impossible, e.g., due to nodes lacking Global Positioning System (GPS) access for reasons of cost, energy, or signal unavailability. Alternative approaches, e.g., by nearby WLAN BSSIDs or IP geolocation, rely on databases and normally contain large outliers, in particular when concerning underrepresented mapping locations. This led us to the study of a complementary idea: By embedding nodes on a sphere and periodically minimizing local positioning errors by delay-based multilateration, we efficiently estimate node positions by distributed means, given a fair amount of position hints. Based on simulations that rely on real-world PlanetLab latency data, we show that global-scope peer locations can be estimated with an accuracy of a few hundred kilometers, where the novel approach outperforms a previously proposed spring-mass-based method by about 50%.