Jaehoon Nah

Efficient 3G/WLAN interworking techniques for seamless roaming services with location-aware authentication

This paper proposes novel concepts and architectures for location-aware seamless authentication and roaming in the new interworking system between third-generation (3G) mobile networks and wireless local area networks (WLANs) where local mobility movements (micro-mobility) are handled together with global movements (macro-mobility). We introduce location as a key context in secure roaming mechanism for context-aware interworking. The fast secure roaming with location-aware authentication is implemented at an entity called LBS Broker that utilizes the concepts of direction of user and pre-warming zone. We present the interworking techniques with LBS Broker for seamless secure WLAN/3G integration enabling to meet the requirements of the future location-aware service scenarios. Performance evaluation is also presented to demonstrate the effectiveness of the proposed scheme for fast location-aware secure roaming.

Public Key Management Framework for Two-tier Super Peer Architecture

Many Internet applications use public key infrastructure (PKI) to enable the secure transaction of confidential messages. However, the use of PKI is not consistent with the ideas of peer-to-peer networks. In this paper, we propose public key management framework to distribute public key safely without PKI infrastructure for two-tier super peer architecture. In this framework, each peer self-generates and distributes public/private key pairs. In general case, this kind of mechanism is vulnerable to man-in-the- middle attack during the public key distribution process. But the proposed mechanism can easily avoid this kind of attack.

Random visitor: a defense against identity attacks in P2P overlay networks

The characteristics of cooperative and trustworthy interaction in peer-to-peer overlay network are seriously challenged by the open nature of the network. The impact is particularly large when the identifiers of resource and peer are not verified because the whole network can be compromised by such attacks as sybil or eclipse. In this paper, we present an identifier authentication mechanism called random visitor, which is a third party who is serving as a delegate of an identity proof. Design rationale and framework details are presented. Discussion about the strength and cost of the proposed scheme is also presented.

The Secure Routing Mechanism for DHT-based Overlay Network

For routing and lookup efficiency, DHT-based overlay network has been developed. The representative DHT-based overlay networks are Kad, Chord, Pastry and CAN. And Several applications such as file sharing, distributed storage system have been developed on the DHT-baed overlay network. But there exist several security attacks on the DHT-based overlay network: Peer ID attack, Attacks on message routing, Rapid join/leave attack, DoS attack and so on. In this paper, we propose secure routing mechanism against message routing attacks for DHT-based overlay network. The proposed mechanism ensures that when a normal peer sends a lookup messages using a key, the messages delivered to the peer which is owner of the key with very high probability.

A Cooperation Network Model for Secure Management in Dynamic P2P Flow

This paper discusses how to identify Peer-to-Peer (P2P) traffic using a blind technique without observing individual payload in the proposed cooperation network model. Traditionally, the payload inspection based traffic identification methodologies have been studied and developed for static internet traffic generated by well-known network applications such as http, ftp, telnet, smtp, etc. However, this approach is inadequate any more to detect and control newly emerging applications using P2P-like or P2P-based communication protocol. Also it strongly depends on the central intrusion detection system or firewall because signature as the prior-knowledge is normally built on that kind of systems. That fact derives three issues: performance overhead, central point of failure, and abnormality handling of traffic. Therefore, we propose the distributed detector strategy using tight cooperation between flow agent and secure gateway for indentifying the dynamic P2P traffic, even encrypted.

The group security association for secure multicasting

The growth and commercialization of the group-oriented applications on the Internet has triggered a demand for security solutions for group communications. One such solution, secure multicast, is provided because it is available for the efficiency of multicast data delivery. This paper proposes a method of advertising a group security association for secure group communication and defines extensions of SAP (session announcement protocol) and SDP (session description protocol) for the framework. It provides descriptions for group security associations (GSA) for the support of secure multicasting in IP multicast.

Protecting IPTV Service Network against Malicious Rendezvous Point

In this paper, we present security mechanism to protect IPTV service network from malicious Rendezvous Point. The IPTV service network considered in this paper is overlay network that is constructed in application layer. The overlay-based IPTV service network has several advantages such as cost-effectiveness, dynamicity and scalability. However, there are several security threats against overlay network such as malicious rendezvous point attack, routing interference attack, DoS(Denial of Service) attack and so on. In this paper we analyze the security threats of overlay-based IPTV service network, and we present the brief security guidelines against it. And we present detailed security mechanisms to protect IPTV service network from malicious Rendezvous Point. For this, we design the security mechanism to guarantee trust of rendezvous point and distribute security keys such as self-generated public key of each node and group key of rendezvous point safely manner. This approach is very simple, lightweight and implementation friendly.

Random Visitor: Defense against Identity Attacks in P2P Networks

Various advantages of cooperative peer-to-peer networks are strongly counterbalanced by the open nature of a distributed, serverless network. In such networks, it is relatively easy for an attacker to launch various attacks such as misrouting, corrupting, or dropping messages as a result of a successful identifier forgery. The impact of an identifier forgery is particularly severe because the whole network can be compromised by attacks such as Sybil or Eclipse. In this paper, we present an identifier authentication mechanism called random visitor, which uses one or more randomly selected peers as delegates of identity proof. Our scheme uses identity-based cryptography and identity ownership proof mechanisms collectively to create multiple, cryptographically protected indirect bindings between two peers, instantly when needed, through the delegates. Because of these bindings, an attacker cannot achieve an identifier forgery related attack against interacting peers without breaking the bindings. Therefore, our mechanism limits the possibility of identifier forgery attacks efficiently by disabling an attackers ability to break the binding. The design rationale and framework details are presented. A security analysis shows that our scheme is strong enough against identifier related attacks and that the strength increases if there are many peers (more than several thousand) in the network.

A Cost-Optimized Redundancy Scheme of Group Peer in P2P Grid

Several aspects of todays grids are still based on centralized or hierarchical services. However, as grid sizes increase from tens to thousands of hosts, fault tolerance is becoming a key issue. In this paper, we propose a cost-optimized reliability using redundancy scheme in redundant group peers based P2P grid. Proposed finding optimum redundancy minimizes system cost and guarantees reliability which satisfies requirements of application under the dynamic behaviors in P2P grid environments

The remote access to IPsec-VPN gateway over mobile IPv6

Mobile IPv6 is thought to be dominant protocol for providing mobility. In the near future, most portable communication devices will deploy mobile IPv6 mechanism. Our main concerns are that such mobile devices are going to access to their corporate network such as VPN. In this paper, we propose the efficient communication for IPsec-VPN access of mobile nodes. Our proposal is that mobile nodes use the IKEv2 CP to transfer BU. We think that our simple BU should be able to be done in IKEv2 initial exchange as well as in IKEv2 informational exchange. It is because BU can be occurred at any time before initial IPsec setup is not completed. Thus, we intend to use IKEv2 CP instead of IKEv2 notify payload (N). We consider two cases. One is the case that home agent exists in VPN domain and the other is the case that home agent is away from VPN domain. In both cases, our proposal reduces the total signals to access to VPN. Nevertheless, the security is not compromised