
Secure Communication Using Identity Based Encryption

  • Sebastian Roschke
  • Luan Ibraimi
  • Feng Cheng
  • Christoph Meinel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6109)

Abstract

Secured communication has been widely deployed to guarantee confidentiality and integrity of connections over untrusted networks, e.g., the Internet. Although secure connections are designed to prevent attacks on the connection, they also hide attacks inside the channel from analysis by Intrusion Detection Systems (IDS). Furthermore, secure connections require a certain key exchange at the initialization phase, which is prone to Man-In-The-Middle (MITM) attacks. In this paper, we present a new method to secure connections which enables Intrusion Detection and overcomes the problem of MITM attacks. We propose to apply Identity Based Encryption (IBE) to secure a communication channel. The key escrow property of IBE is used to recover the decryption key, decrypt network traffic on the fly, and scan for malicious content. As the public key can be generated based on the identity of the connected server and its exchange is not necessary, MITM attacks are no longer easy to carry out. A prototype of a modified TLS scheme is implemented and proved with a simple client-server application. Based on this prototype, a new IDS sensor is developed to be capable of identifying IBE-encrypted secure traffic on the fly. A deployment architecture of the IBE sensor in a company network is proposed. Finally, we show the applicability by a practical experiment and some preliminary performance measurements.

Keywords

Intrusion Detection System; Trust Authority; Identity Base Encryption; Secure Socket Layer; Transport Layer Security
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Sebastian Roschke (1)
  • Luan Ibraimi (2)
  • Feng Cheng (1)
  • Christoph Meinel (1)

  1. Hasso Plattner Institute (HPI), University of Potsdam, Potsdam, Germany
  2. University of Twente, Enschede, The Netherlands
