
Publication


Featured research published by Mohammad Peyravian.


Computers & Security | 1997

Special feature: Two-phase cryptographic key recovery system

Rosario Gennaro; Paul A. Karger; Stephen M. Matyas; Mohammad Peyravian; Allen Leonid Roginsky; David Robert Safford; Michael Willett; Nevenko Zunic

A two-phase method of key recovery which will be referred to as Secure Key Recovery (SKR) is presented. The proposed key recovery system permits a portion of the key recovery information to be generated once and then used for multiple encrypted data communications sessions and encrypted file applications. In particular, the portion of the key recovery information that is generated just once is the only portion that requires public key encryption operations. We also describe a verification mode in which the communicating parties each produce SKR recovery information independently, without checking the other's so-produced information. In this mode, if at least one side is correctly configured, all required recovery information is correctly produced. In addition, the communicating parties are free to include any optional recovery fields without causing a false invalidation of what the other parties sent. Further, we present a method of verification of key recovery information within a key recovery system, based on a variation of the three-party Diffie-Hellman key agreement procedure. Without communication with a trustee, the sender is able to encrypt recovery information in such a way that both the receiver and the respective trustee can decrypt it. This reduces the number of encryptions, and inherently validates the recovery information when the receiver decrypts it. The method allows full caching of all public key operations, thus further reducing computational overhead.


Computers & Security | 2000

Methods for Protecting Password Transmission

Mohammad Peyravian; Nevenko Zunic

In this paper, we present a secure method for protecting passwords while being transmitted over untrusted networks. We also present a secure method for changing an old password to a new password. The proposed solutions do not require the use of any additional keys (such as symmetric keys or public/private keys) to protect password exchanges. Unlike existing solutions, the proposed schemes do not use any symmetric-key or public-key cryptosystems (such as DES, RC5, RSA, etc.). Our schemes only employ a collision-resistant hash function such as SHA-1.


IBM Journal of Research and Development | 2003

IBM PowerNP network processor: Hardware, software, and applications

James R. Allen; Brian Mitchell Bass; Claude Basso; Richard H. Boivie; Jean Calvignac; Gordon Taylor Davis; Laurent Freléchoux; Marco C Heddes; Andreas Herkersdorf; Andreas Kind; Joe F. Logan; Mohammad Peyravian; Mark Anthony Rinaldi; Ravi K. Sabhikhi; Michael Steven Siegel; Marcel Waldvogel

Deep packet processing is migrating to the edges of service provider networks to simplify and speed up core functions. On the other hand, the cores of such networks are migrating to the switching of high-speed traffic aggregates. As a result, more services will have to be performed at the edges, on behalf of both the core and the end users. Associated network equipment will therefore require high flexibility to support evolving high-level services as well as extraordinary performance to deal with the high packet rates. Whereas, in the past, network equipment was based either on general-purpose processors (GPPs) or application-specific integrated circuits (ASICs), favoring flexibility over speed or vice versa, the network processor approach achieves both flexibility and performance. The key advantage of network processors is that hardware-level performance is complemented by flexible software architecture. This paper provides an overview of the IBM PowerNP™ NP4GS3 network processor and how it addresses these issues. Its hardware and software design characteristics and its comprehensive base operating software make it well suited for a wide range of networking applications.


IEEE Journal of Solid-State Circuits | 2006

The microarchitecture of the synergistic processor for a cell processor

Brian Flachs; Shigehiro Asano; Sang Hoo Dhong; Harm Peter Hofstee; Gilles Gervais; Roy Kim; T. Le; Peichun Liu; Jens Leenstra; John Samuel Liberty; Brad W. Michael; Hwa-Joon Oh; Silvia Melitta Mueller; Osamu Takahashi; A. Hatakeyama; Yukio Watanabe; Naoka Yano; Daniel Alan Brokenshire; Mohammad Peyravian; Vandung To; E. Iwata

This paper describes an 11 FO4 streaming data processor in the IBM 90-nm SOI-low-k process. The dual-issue, four-way SIMD processor emphasizes achievable performance per area and power. Software controls most aspects of data movement and instruction flow to improve memory system performance and core performance density. The design minimizes instruction latency while providing for fine grain clock control to reduce power.


Computer Communications | 2006

Secure remote user access over insecure networks

Mohammad Peyravian; Clark Jeffries

Remote user authentication based on passwords over untrusted networks is the conventional method of authentication in the Internet and mobile communication environment. Typical secure remote user access solutions rely on pre-established secure cryptographic keys, public-key infrastructure, or secure hardware. In this paper, we present secure password-based protocols for remote user authentication, password change, and session key establishment over insecure networks. The proposed protocols do not require the use of any additional private- or public-key infrastructure.


Computer Networks and ISDN Systems | 1998

Decentralized network connection preemption algorithms

Mohammad Peyravian; Ajay D. Kshemkalyani

Connection preemption provides available and reliable services to high-priority connections when a network is heavily loaded and connection request arrival patterns are unknown, or when the network experiences link or node failures. Coupled with the capability to reroute connections (preempted due to failure or preemption), connection preemption allows a high quality of service to be provided to network connections and bandwidth to be used more efficiently. The main contributions of this paper are the following. It presents a comprehensive simulation study of preemption in a general connection-oriented network setting. Our simulation study also provides useful insights into connection preemption and network dimensioning problems in order to achieve a desired level of network availability. Based on the observations made in this study, we designed two connection preemption selection algorithms that operate in a decentralized/distributed network where individual link managers run the algorithm for connection preemption selection on their outgoing links. The first algorithm optimizes the criteria of (i) the bandwidth to be preempted, (ii) the priority of connections to be preempted, and (iii) the number of connections to be preempted, in that order, and has exponential complexity. The second algorithm optimizes the criteria of (i) the number of connections to be preempted, (ii) the bandwidth to be preempted, and (iii) the priority of connections to be preempted, in that order, and has polynomial complexity. From a comparison study of these two algorithms we conclude that the polynomial algorithm is almost as good as the exponential algorithm in terms of overall network performance.


International Conference on Computer Communications | 1997

Connection preemption: issues, algorithms, and a simulation study

Mohammad Peyravian; Ajay D. Kshemkalyani

Connection preemption can be a means to provide available and reliable services to high-priority connections when a network is heavily loaded and connection request arrival patterns are unknown, or when the network experiences link or node failures. We present a simulation study of preemption in a general connection-oriented network setting. Based on the observations made in this study, we have developed two optimal connection preemption selection algorithms that operate in a decentralized/distributed network where individual link managers run the algorithm for connection preemption selection on their outgoing links. The first algorithm optimizes the criteria of (i) the number of connections to be preempted, (ii) the bandwidth to be preempted, and (iii) the priority of connections to be preempted, in that order, and has polynomial complexity. The second algorithm optimizes the criteria of (i) the bandwidth to be preempted, (ii) the priority of connections to be preempted, and (iii) the number of connections to be preempted, in that order, and has exponential complexity. We conclude that the polynomial algorithm is almost as good as the exponential algorithm in terms of overall network performance.


Computer Communications | 1997

Network path caching

Mohammad Peyravian; Ajay D. Kshemkalyani

Caching of network paths in a connection-oriented communication network provides a means to store computed paths for later reuse. We propose that network path caching can provide an efficient way to eliminate, whenever possible, the expensive path computation algorithm that has to be performed in setting up a network connection. This paper is the first known work on network path caching in decentralized connection-oriented networks. It first identifies and analyses the issues that arise in caching network paths. Based on our extensive study of network path caching schemes, we then propose two path caching algorithms to reduce the number of path computations in the network when a new connection is to be established. A simulation study of the two algorithms is then presented. We conclude that both algorithms perform very well and significantly reduce the number of path computations in setting up connections.


Computer Networks and ISDN Systems | 1997

Algorithm for efficient generation of link-state updates in ATM networks

Mohammad Peyravian; Raif O. Onvural

In the routing framework defined by the ATM Forum Private Network Node Interface (P-NNI) working group, each node broadcasts link-state update (LSU) messages (which include information such as available bandwidth, maximum delay, etc.) about the outgoing links attached to it to other nodes in the network. For each connection request, the source node selects an end-to-end route that meets the quality of service (QoS) requirements of the connection based on the most recent information that it has about network links. Up-to-date information about network links is, therefore, key to making “good” routing decisions. The triggering of LSU broadcasts after adding or removing a single connection on any link would certainly enable optimal paths to be calculated but at a potentially significant cost in processing and bandwidth. A periodic update scheme, on the other hand, might be preferable since it can be used to bound the frequency of updates at the expense of delaying important updates (such as those reporting large changes in link load). The goal of an efficient LSU generating algorithm is, therefore, to provide “accurate” information on link loads while keeping the number of LSUs under control. In this paper, we investigate the issue of when to broadcast LSUs and its effects on the network performance. A simulation model is built to model the basic routing framework developed at the ATM Forum P-NNI working group. Based on the intuition gained by running the simulation model with different schemes and parameters, a hybrid LSU generating algorithm, combining event-driven and periodic update strategies, is proposed to substantially reduce the number of LSUs generated in the network without a significant negative impact on the network performance. The proposed algorithm is not limited to the P-NNI framework and it can be used in networking technologies that are based on the link-state principles.


Computer Communications | 1999

Decentralized group key management for secure multicast communications

Mohammad Peyravian; Stephen M Matyas; Nevenko Zunic

Multicast protocols provide mechanisms for a sender to send a message to multiple receivers simultaneously. When the multicast message is of a sensitive nature, it should be encrypted. This would require that all the members of the multicast group share the same encryption key. In this paper, we present a simple and scalable method to create and distribute symmetric cryptographic keys amongst a group of communicating network users for multicast communications. The group symmetric keys permit each user to conveniently and securely communicate, share and access data belonging to the multicast group. Unlike current group key-management mechanisms, this scheme does not involve the use of a centralized key distribution center; only the group members generate and distribute group symmetric keys. Once a long-term group key has been established among a group of communicating peers, the scheme provides an easy way for any group member to send secure messages to all other group members without having to send the session key individually to each group member. Moreover, the scheme provides an option for allowing data traffic to be authenticated on a per-sender basis with sender-specific keys.
