Increasing the security level of authentication with Single Packet Authorization and Device Fingerprinting

  • Everson Luis Lucion, UFSM
  • Raul Nunes, UFSM

Abstract


A recent approach to network perimeter control is to authenticate before the first communication takes place, as proposed in the Software Defined Perimeter (SDP). Single Packet Authorization (SPA) is central to SDP: it ensures that the first access is granted only after the device has been authenticated. However, when SPA authentication is bound to the source IP address, as in the SDP SPA, the "subsequent TCP connection" problem persists: once the gateway opens the port for an address, a connection from that address made during the opening window by something other than the authenticated device is also accepted. This work proposes a new model for creating and sending the SPA in SDP, which adds a device fingerprint field to the SPA packet. It also proposes a method for constructing and using that field so as to close the temporal gap between SPA authentication and the subsequent connection used for user authentication. The results show that the proposed solution mitigates improper access and considerably raises the difficulty of detecting, replicating or reading the SPA data. The experiments also show that the added processing time for the new SPA and for fingerprint generation does not compromise the usability of the solution.
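To make the problem and the proposed remedy concrete, the following is an added example, not the paper's implementation or its packet format: an SPA packet that carries a device-fingerprint field, and a gateway that binds the follow-up TCP connection to that fingerprint rather than to the source IP alone. The packet layout, the attribute set hashed into the fingerprint, the shared key, the addresses and the binding-token construction are all assumptions of this example; payload encryption, which a real SPA includes, is left out so that the code runs with the Python standard library only.

```python
"""Added example (not the paper's code): an SPA packet carrying a device-fingerprint
field, and a gateway that binds the follow-up TCP connection to that fingerprint
instead of to the source IP alone. The packet layout, the attribute set hashed into
the fingerprint and the binding-token construction are assumptions of this example."""
import hashlib
import hmac
import json
import os

SPA_KEY = hashlib.sha256(b"example shared secret").digest()  # constructed, not a real key
TIME_WINDOW = 30   # seconds of clock skew tolerated on the SPA timestamp
AUTH_TTL = 10      # seconds the gateway waits for the follow-up TCP connection
TAG_LEN = 32       # HMAC-SHA256 output length


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so client and gateway MAC the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def device_fingerprint(attrs: dict) -> str:
    """SHA-256 over a canonical encoding of stable device attributes (constructed set)."""
    return hashlib.sha256(canonical(attrs)).hexdigest()


def build_spa(user: str, fp: str, ts: int, nonce: bytes) -> bytes:
    """SPA packet = JSON body || HMAC-SHA256(body). A real SPA also encrypts the body;
    confidentiality is left out so the example runs with the standard library only."""
    body = canonical({"user": user, "ts": ts, "nonce": nonce.hex(), "fp": fp})
    return body + hmac.new(SPA_KEY, body, hashlib.sha256).digest()


def binding_token(src_ip: str, nonce_hex: str, fp: str) -> bytes:
    """Proof the client sends first on the TCP connection. It depends on the shared key,
    the SPA nonce and the fingerprint, so controlling the source IP alone is not enough."""
    return hmac.new(SPA_KEY, canonical([src_ip, nonce_hex, fp]), hashlib.sha256).digest()


class Gateway:
    def __init__(self) -> None:
        self.seen_nonces: set = set()   # replay cache (should be pruned after TIME_WINDOW)
        self.pending: dict = {}         # src_ip -> (expected token, expiry)

    def receive_spa(self, src_ip: str, packet: bytes, now: int) -> bool:
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(SPA_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # authenticate before parsing anything
            return False
        p = json.loads(body)
        if abs(now - p["ts"]) > TIME_WINDOW or p["nonce"] in self.seen_nonces:
            return False
        self.seen_nonces.add(p["nonce"])
        self.pending[src_ip] = (binding_token(src_ip, p["nonce"], p["fp"]), now + AUTH_TTL)
        return True

    def accept_connection(self, src_ip: str, token: bytes, now: int) -> bool:
        entry = self.pending.get(src_ip)
        if entry is None:
            return False
        expected, expiry = entry
        if now > expiry:
            del self.pending[src_ip]                 # opening window closed
            return False
        if not hmac.compare_digest(token, expected):  # same IP, wrong device or no key
            return False
        del self.pending[src_ip]                     # one SPA authorises exactly one connection
        return True


def demo(now: int = 1_700_000_000) -> dict:
    """Legitimate client, then an attacker who shares the IP (e.g. behind the same NAT)
    and even holds the shared key, but runs on a different device."""
    gw = Gateway()
    ip = "198.51.100.7"                              # constructed address
    fp = device_fingerprint({"serial": "SN-EXAMPLE-001", "mac": "02:00:00:00:00:01"})
    nonce = os.urandom(16)
    pkt = build_spa("alice", fp, now, nonce)
    spa_ok = gw.receive_spa(ip, pkt, now)
    replay_ok = gw.receive_spa(ip, pkt, now + 1)    # captured packet sent again
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    tamper_ok = gw.receive_spa(ip, tampered, now + 1)
    attacker_fp = device_fingerprint({"serial": "SN-EXAMPLE-002", "mac": "02:00:00:00:00:02"})
    attacker_ok = gw.accept_connection(ip, binding_token(ip, nonce.hex(), attacker_fp), now + 2)
    legit_ok = gw.accept_connection(ip, binding_token(ip, nonce.hex(), fp), now + 3)
    reuse_ok = gw.accept_connection(ip, binding_token(ip, nonce.hex(), fp), now + 4)
    return {"spa": spa_ok, "replay": replay_ok, "tamper": tamper_ok,
            "attacker": attacker_ok, "legit": legit_ok, "reuse": reuse_ok}


if __name__ == "__main__":
    print(demo())
```

The point of the binding token is the property the abstract argues for: after a valid SPA the gateway no longer accepts just any connection from the authorised address during the opening window, because the connection must also prove possession of the fingerprint that was carried in the SPA. The MAC is checked in constant time before the body is parsed, the nonce cache rejects a replayed packet, and each SPA admits exactly one connection, so a second attempt with the same token (or one after AUTH_TTL has elapsed) is refused.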

Published: 2019-09-02

LUCION, Everson Luis; NUNES, Raul. Incrementando os níveis de segurança na autenticação com Single Packet Authorization e Device Fingerprinting. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 19., 2019, São Paulo. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019. p. 1-14. DOI: https://doi.org/10.5753/sbseg.2019.13958.