Randomness Test of Cryptographic One-to-many Reversible Mapping for IPv6 Address Generation (original) (raw)
Related papers
One-to-many reversible mapping for IPV6 address generation: Simulation software development
This paper presents the development of a one-to-many reversible mapping mechanism simulation for IPv6 address generation. The aim of this mechanism is to improve IPv6 addresses generation in terms of privacy and security in an enterprise local area network (LAN). Each time a user accesses a network, a dynamic IPv6 address is assigned via the DHCPv6 server. The dynamic address (one-to-many mapping) is to protect a user from unwanted behavior analysis attempting to exploit IPv6 addresses, thus protecting user privacy. However, the dynamic address can be uniquely linked to the user (many-to-one mapping) if the need arises. The one-to-many reversible mapping is generated dynamically using Cipher Feedback (CFB) mode of operation of the Advanced Encryption Standard (AES). Software simulation is developed using the software engineering waterfall model and a Unified Modeling Language (UML) class diagram as a notation. The results show that the mechanism simulates well for IPv6 address generation and IPv6 address owner identification. The one-to-many mapping may be incorporated into DHCPv6 software and many-toone mapping may be implemented as a complement of local area network monitoring software.
Generation of cryptographic one-to-many mapping IPv6 address using S-AES
2010
ABSTRACT The proliferation of enterprise wireless network raises the security concern in any organization despite the unarguable benefits it brings about. At the same time, the initiatives to migrate from IPv4 (Internet Protocol version four) to IPv6 (Internet Protocol version six) is gaining momentum across the globe to resolve the IP address depletion problem as well as reaping the benefit of it. This research proposes a new scheme to manage IPv6 addresses in an enterprise wireless local area network (WLAN) which may be implemented into DHCPv6 (Dynamic Host Configuration Protocol for IPv6) software. Each user will be assigned a group of IP addresses that are generated cryptographically whose parameters as user attributes. Each time user trying to access the network it will be given different IP address which will be generated using S-AES (Simplified Advanced Encryption Standard) algorithm using parameters assigned to that user so that there is a one to many mapping between user and IP addresses. Therefore, the network administrator will be able to identify user realtime from the IPv6 address to facilitate tracking of network anomalies or violation of policies. By the pseudo random IPv6 address generation, we will be able to protect user's privacy even though the communication is transparent end-to-end.
Owner identification is an important aspect of improving network visibility and enhancing network security within local area networks deploying IPv6. This paper presents a simulation study for owner identification in an enterprise local area network from their IPv6 addresses. The study is based around the reverse implementation (many-to-one mapping) of a one-to-many reversible mapping. The paper reviews the many-to-one mechanism and the associated simulation software development, followed by presentation of results obtained from required functional tests. The IPv6 address data can be obtained from the output of any network monitoring software. In addition to a text format for verification, it also uses a checksum for validation which is used during the IPv6 address generation and identification. The simulation software given here can easily identify an IPv6 address owner if the IPv6 address is properly generated by the mechanism and it can display particular verification messages.
IPv6 Cryptographically Generated Address: Analysis, Optimization and Protection
Computers, Materials & Continua
In networking, one major difficulty that nodes suffer from is the need for their addresses to be generated and verified without relying on a third party or public authorized servers. To resolve this issue, the use of selfcertifying addresses have become a highly popular and standardized method, of which Cryptographically Generated Addresses (CGA) is a prime example. CGA was primarily designed to deter the theft of IPv6 addresses by binding the generated address to a public key to prove address ownership. Even though the CGA technique is highly effective, this method is still subject to several vulnerabilities with respect to security, in addition to certain limitations in its performance. In this study, the authors present an intensive systematic review of the literature to explore the technical specifications of CGA, its challenges, and existing proposals to enhance the protocol. Given that CGA generation is a time-consuming process, this limitation has hampered the application of CGA in mobile environments where nodes have limited energy and storage. Fulfilling Hash2 conditions in CGA is the heaviest and most timeconsuming part of SEND. To improve the performance of CGA, we replaced the Secure Hash Algorithm (SHA1) with the Message Digest (MD5) hash function. Furthermore, this study also analyzes the possible methods through which a CGA could be attacked. In conducting this analysis, Denial-of-Service (DoS) attacks were identified as the main method of attack toward the CGA verification process, which compromise and threaten the privacy of CGA. Therefore, we propose some modifications to the CGA standard verification algorithm to mitigate DoS attacks and to make CGA more security conscious.
Design and Implementation of Ipv6 Address Using Cryptographically Generated Address Method
There is always a tradeoff between privacy and the desired level of security for any internet user in the contemporary cyber world. Cyber security, of late, is paramount and its breach could lead to untoward consequences, at times, disastrous. The advent of the IPv6 provides a hope to resolve this tradeoff satisfactorily. Included in the IPV6 suite is a method for devices to automatically configure their own addresses in a secure manner. This technique is called Cryptographically Generated Addresses (CGAs). CGA provides the ownership proof necessary for an IPv6 address without relying on any trust authority. However, the computation involved in CGAs is very high, especially for a high security level defined by the security parameter (Sec). The sheer cost involved here may pose to be an inhibiting factor for any user to continue with this security regime and may tempt her not to change her address on a frequent basis. Thus, the way forward could be to modify the standard CGA to make it more applicable across applications and scenarios and at the same time not to let it compromise with the optimum security level. We propose to reduce the CGA granularity of the security level from 16 to 8, which make it more feasible for use in most applications and scenarios. And the privacy part is taken care of by changing addresses over time which protects users from being tracked. Here, we strive to implement and evaluate these extensions to the standard CGA.
Int. J. Netw. Secur., 2015
A Cryptographically Generated Address (CGA) is a selfcertifying address that a node generates when it joins a foreign network. Despite its advantages, generating a CGA is computationally expensive. This study examines the security and performance issues related to the use of the CGA Generation algorithm. It also scrutinizes the hash extension mechanism, dierent hash functions and how multithreading can be used to improve the performance of the CGA Generation algorithm. Based on the results, this research recommends imposing a minimal computational security ofO(2 80 ), the use of the HAVAL
ANALYSIS OF IPV6 COMMUNICATION ARCHITECTURE USING SPECIFIC ADDRESSES
Concepts Books Publication, 2017
In the current Internet architecture, IP address used for the node identifier, that is, generally a single IP address is assigned to a node, and used permanently until the node becomes inactive. The same address is used for all communications from/to the node. However, this communication paradigm has a fundamental problem regarding security that the information of IP address of the node is open not only to nodes who intend to communicate to it, but also to anonymous parties who try to attack the node. To solve this problem, we change our traditional paradigm completely and propose a new solution called Unified Multiplex Communication Architecture. The most difference from the current Internet is that an IP address is not used for node identifier, but for service identifier. In the Unified Multiplex Communication Architecture, we change IP addresses session-by-session, and the assigned address is invalid immediately after the session terminates. This architecture simply changes the direction for use of IP address but enhances the security significantly.However, there is a major issue on Unified Multiplex how to determine the IP address to connect the server, since IP address is assigned to session one-by-one. Prior to communication, the client should know the IP address of the server which is used for awaiting the connection from the client. For this problem, in this thesis we propose a new, non-negotiation type IP address determination mechanism that is feasible by updating the operating system on end hosts only (no modification of application is needed). In our mechanism, IP address generation is performed on both server and client independently, but generated addresses are synchronized because time information is used for address generation. We then analyze the interval of address update (i.e., the lifetime of generated address) for avoiding unexpected failure due to our mechanism. Our numerical result shows that our address update mechanism is extremely robust against brute-force type attacks. Moreover, detailed design and implementation methods are described for realization. Keywords Communication Architecture Secure Communication IPv6
IPv6 Stateless Address Autoconfiguration: Balancing between Security, Privacy and Usability
Lecture Notes in Computer Science, 2013
Included in the IPv6 suite is a method for devices to automatically configure their own addresses in a secure manner. This technique is called Cryptographically Generated Addresses (CGAs). CGA provides the ownership proof necessary for an IPv6 address without relying on any trust authority. However, the CGAs computation is very high, especially for a high security level defined by the security parameter (Sec). Therefore, the high cost of address generation may keep hosts that use a high Sec values from changing their addresses on a frequent basis. This results in hosts still being susceptible to privacy related attacks. This paper proposes modifications to the standard CGA to make it more applicable security approach while protecting user privacy. We make CGA more privacy-conscious by changing addresses over time which protects users from being tracked. We propose to reduce the CGA granularity of the security level from 16 to 8. We believe that an 8 granularity is more feasible for use in most applications and scenarios. These extensions to the standard CGA are implemented and evaluated.
Usage and performance of cryptographically generated addresses
2008
Neighbor Discovery (ND) controls IPv6 nodes and routers interactions through ICMPv6 messages. It provides address resolution and duplicated address detection. Nonetheless, it does not offer security protection to the exchanged messages. In order to improve its security, Secure Neighbor Discovery (SEND) has been specied using the same ND messages and adding new options providing authentication and replay attacks control. SEND uses Cryptographically Generated Addresses (CGAs) as IPv6 addresses and RSA as key and signature generation algorithm. CGAs are created using RSA public key. In fact, they contain a cryptographic based identifier. Their interface identifier is generated using SHA-1 hash function over a parameters structure which contains the generating node's public key. Our project consists on the study of CGAs dierent usages in wired, multihoming and mobile networks. In addition, we studied CGA generation and verification algorithms performance and improve it with the use ...
Generating Unlinkable IPv6 Addresses
Lecture Notes in Computer Science, 2015
A number of approaches to the automatic generation of IPv6 addresses have been proposed with the goal of preserving the privacy of IPv6 hosts. However, existing schemes for address autoconfiguration do not adequately consider the full context in which they might be implemented, in particular the impact of low quality random number generation. This can have a fundamental impact on the privacy property of unlinkability, one of the design goals of a number of IPv6 address autoconfiguration schemes. In this paper, the potential shortcomings of previously proposed approaches to address autoconfiguration are analysed in detail, focussing on what happens when the assumption of strong randomness does not hold. Practical improvements are introduced, designed to address the identified issues by making the random generation requirements more explicit, and by incorporating measures into the schemes designed to ensure adequate randomness is used.