Skip to main content
SpringerLink
Log in

Secure VPNs for Trusted Computing Environments

  • Conference paper
Trusted Computing (Trust 2009)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 5471))

Included in the following conference series:

Abstract

Virtual Private Networks are a popular mechanism for building complex network infrastructures. Such infrastructures are usually accompanied by strict administrative restrictions on all VPN endpoints to protect the perimeter of the VPN. However, enforcement of such restrictions becomes difficult if these endpoints are personal computers used for remote VPN access. Commonly employed measures like anti-virus or software agents fail to defend against unanticipated attacks. The Trusted Computing Group invested significant work into platforms that are capable of secure integrity reporting. However, trusted boot and remote attestation also require a redesign of critical software components to achieve their full potential.

In this work, we design and implement a VPN architecture for trusted platforms. We solve the conflict between security and flexibility by implementing a self-contained VPN service that resides in an isolated area, outside the operating system environment visible to the user. We develop a hardened version of the IPsec architecture and protocols by addressing known security issues and reducing the overall complexity of IPsec and IKEv2. The resulting prototype provides access control and secure channels for arbitrary local compartments and is also compatible with typical IPsec configurations. We expect our focus on security and reduced complexity to result in much more stable and thus also more trustworthy software.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Sadeghi, A.R., Stüble, C.: Bridging the Gap between TCPA/Palladium and Personal Security (2003), citeseer.ist.psu.edu/575430.html

  2. Helmuth, C., Warg, A., Feske, N.: Mikro-SINA - Hands-on Experiences with the Nizza Security Architecture. In: Proceedings of the D.A.CH Security (March 2005)

    Google Scholar 

  3. Kent, S.: IP Encapsulating Security Payload (ESP). RFC 4303, Internet Engineering Task Force (December 2005)

    Google Scholar 

  4. Kaufman, C.: Internet Key Exchange (IKEv2) Protocol. RFC 4306, Internet Engineering Task Force (December 2005)

    Google Scholar 

  5. Kocher, P.C.: Timing attacks on implementations of diffie-hellman, rsa, dss, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)

    Google Scholar 

  6. Percival, C.: Cache missing for fun and profit. In: Proceedings of BSDCan 2005 (2005)

    Google Scholar 

  7. Sailer, R., Valdez, E., Jaeger, T., Perez, R., van Doorn, L., Griffin, J.L., Berger, S.: sHype: Secure Hypervisor Approach to Trusted Virtualized Systems. Research Report RC23511, IBM Research (February 2005)

    Google Scholar 

  8. Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: A Virtual Machine-Based Platform for Trusted Computing. In: Proceedings of the 9th ACM Synopsium on Operating System Principles, pp. 193–206 (2003)

    Google Scholar 

  9. Shapiro, J., Hardy, N.: EROS: A Principle-Driven Operating System from the Ground Up. IEEE Software, 26–33 (January 2002)

    Google Scholar 

  10. Härtig, H., Hohmuth, M., Feske, N., Helmuth, C., Lackorzynski, A., Mehnert, F., Peter, M.: The Nizza Secure-System Architecture. In: Proceedings of IEEE CollaborateCom 2005, p. 10. IEEE Press, Los Alamitos (2005)

    Google Scholar 

  11. Heiser, G., Elphinstone, K., Kuz, I., Klein, G., Petters, S.M.: Towards Trustworthy Computing Systems: Taking Microkernels to the Next Level. ACM Operating Systems Review 41(4), 3–11 (2007)

    Article  Google Scholar 

  12. Syckor, J.: IPSec Infrastruktur für Mikro-SINA, Diplomarbeit, Technische Universität Dresden (November 2004), os.inf.tu-dresden.de/papers_ps/syckor-diplom.pdf

  13. McDonald, D., Metz, C., Phan, B.: PF_KEY Key Management API, Version 2. RFC 2367, Internet Engineering Task Force (July 1998)

    Google Scholar 

  14. Atkinson, R.: Security Architecture for the Internet Protocol. RFC 1825, Internet Engineering Task Force (August 1995)

    Google Scholar 

  15. Kent, S., Seo, K.: Security Architecture for the Internet Protocol. RFC 4301, Internet Engineering Task Force (2005)

    Google Scholar 

  16. Kent, S.: IP Authentication Header. RFC 4302, Internet Engineering Task Force (December 2005)

    Google Scholar 

  17. Doraswamy, N., Harkins, D.: IPsec: The new Security Standard for the Internet, Intranets and Virtual Private Networks, 2nd edn. Prentice Hall PTR, Englewood Cliffs (2003)

    Google Scholar 

  18. Paterson, K.G.: A Cryptographic Tour of the IPsec Standards, citeseer.ist.psu.edu/737404.html

  19. Aiello, W., Bellovin, S.M., Blaze, M., Ioannidis, J., Reingold, O., Canetti, R., Keromytis, A.D.: Efficient, DoS-resistant, secure key exchange for internet protocols. In: CCS 2002: Proceedings of the 9th ACM conference on Computer and communications security, pp. 48–58. ACM, New York (2002)

    Google Scholar 

  20. Ferguson, N., Schneier, B.: A Cryptographic Evaluation of IPsec (2000), www.schneier.com/paper-ipsec.html

  21. Bellovin, S.: Problem Areas for the IP Security Protocols. In: Proceedings of the Sixth Usenix Security Symposium (July 1996)

    Google Scholar 

  22. Degabriele, J.P., Paterson, K.G.: Attacking the IPsec Standards in Encryption-only Configurations (2007), eprint.iacr.org/2007/125

  23. Kiraly, C., Bianchi, G., Formisano, F., Teofili, S., Lo Cigno, R.: Traffic masking in IPsec: architecture and implementation. In: Mobile and Wireless Communications Summit, 16th IST, pp. 1–5 (2007)

    Google Scholar 

  24. Simpson, W.A.: IKE/ISAKMP Considered Harmful. Usenix, login 24(6) (December 1999)

    Google Scholar 

  25. Aziz, A., Patterson, M.: Design and Implementation of SKIP. In: INET 1995 Hypermedia Proceedings (1995)

    Google Scholar 

  26. Kaufman, C., Perlman, R., Sommerfeld, B.: DoS protection for UDP-based protocols. In: CCS 2003: Proceedings of the 10th ACM conference on Computer and communications security, pp. 2–7. ACM, New York (2003)

    Google Scholar 

  27. Izadinia, V.D., Kourie, D., Eloff, J.: Uncovering identities: A study into VPN tunnel fingerprinting. Computers & Security 25(2), 97–105 (2006)

    Article  Google Scholar 

  28. Storage Work Group. Tcg storage architecture core specification. Technical report, Trusted Computing Group (May 2007)

    Google Scholar 

  29. Lau, J., Townsley, M., Goyret, I.: Layer Two Tunneling Protocol - Version 3 (L2TPv3). RFC 3931, Internet Engineering Task Force (2005)

    Google Scholar 

  30. Alkassar, A., Stüble, C.: Die Sicherheitsplattform Turaya. In: Trusted Computing, pp. 86–96. Vieweg+Teubner (May 2008)

    Google Scholar 

  31. Härtig, H., Roitzsch, M.: Ten years of research on l4-based real-time systems. In: Proceedings of the Eighth Real-Time Linux Workshop (2006)

    Google Scholar 

  32. Aboba, B., Dixon, W.: IPsec-Network Address Translation (NAT) Compatibility Requirements. RFC 3715, Internet Engineering Task Force (2004)

    Google Scholar 

  33. Huttunen, A., Swander, B., Volpe, V., DiBurro, L., Stenberg, M.: UDP Encapsulation of IPsec ESP Packets. RFC 3948, Internet Engineering Task Force (2005)

    Google Scholar 

  34. Shacham, A., Monsour, R., Pereira, R., Thomas, M.: IP Payload Compression Protocol (IPComp). RFC 2393, Internet Engineering Task Force (December 1998)

    Google Scholar 

  35. Eronen, P.: IKEv2 Mobility and Multihoming Protocol (MOBIKE). RFC 4555, Internet Engineering Task Force (June 2006)

    Google Scholar 

  36. TNC Work Group. Architecture for interoperability. Specification, Trusted Computing Group (April 2008)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Horst-Görtz Institute and Chair for System Security, Ruhr-University Bochum, Germany

    Steffen Schulz & Ahmad-Reza Sadeghi

Authors
  1. Steffen Schulz
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Ahmad-Reza Sadeghi
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Hewlett Packard Labs, Filton Road, BS34 8QZ, Bristol, Stoke Gifford, UK

    Liqun Chen

  2. Information Security Group, Royal Holloway, University of London, TW20 0EX, Surrey, Egham, UK

    Chris J. Mitchell

  3. Oxford University Computing Laboratory, Wolfson Building, Parks Road, OX1 3QD, Oxford, UK

    Andrew Martin

Rights and permissions

Reprints and permissions

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Schulz, S., Sadeghi, AR. (2009). Secure VPNs for Trusted Computing Environments. In: Chen, L., Mitchell, C.J., Martin, A. (eds) Trusted Computing. Trust 2009. Lecture Notes in Computer Science, vol 5471. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00587-9_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-00587-9_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-00586-2

  • Online ISBN: 978-3-642-00587-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation