Using Redundancy to Increase Survivability
Secure communication services—that is, communication services that provide attributes such as confidentiality, integrity, and authenticity—typically implement each attribute using a single method for each connection. For example, confidentiality may be provided by DES and integrity by keyed MD5. Although such an approach may be secure in the traditional sense, it is not survivable—once a method is compromised, all security guarantees on the connection related to that attribute are gone. Each method is, in essence, a single point of vulnerability, very much analogous to a single point of system failure when considering fault-tolerance attributes. This problem is the same for many other aspects of security, including authentication and access control. This position paper advocates the use of a standard fault-tolerance technique—redundancy—to increase the survivability of communication. For example, using this approach, message integrity can be implemented by calculating redundant independent signatures, while confidentiality can be implemented by encrypting the message with a combination of methods whose keys are established using different methods. As a result, even if an intruder manages to find one key or break one algorithm, the security guarantees may remain intact. The task of the intruder can be complicated further by using secret combinations of methods or by dynamically altering the set of methods during the lifetime of the connection. By using multiple methods, and doing so in ways that can vary unpredictably, the space of possibilities that must be considered by an attacker and the effort expended to compromise the attribute expand combinatorially. The approach also allows the tradeoff between the cost of the survivability and the protection to be managed explicitly and dynamically in response to changing threat scenarios.
This paper focuses on two key requirements for using redundancy to improve survivability: the development of appropriate techniques and the availability of suitable system support. We begin by discussing some specific redundancy techniques for both communication security and other security services, and then turn to the issue of system support. As an example of a system that has the necessary characteristics, we give an overview of Cactus, a system for building modular and configurable protocols and services, and SecComm, a highly configurable secure communication service implemented using Cactus. Other important aspects of the problem, such as quantifying levels of survivability, remain as future work.
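The redundant-integrity idea above, as an added illustration that is not code from the paper or from Cactus/SecComm: a message carries one tag per active method (independent keys, independent hash algorithms), verification accepts only if every tag checks, and the active subset of methods is derived from a shared secret per connection epoch so it is both secret and changeable. The method names, the key derivation and the sample message are constructed for this example.

```python
import hashlib
import hmac
import os

# Integrity "methods": each is an independent keyed hash. In a SecComm-style
# deployment each key would come from a different key-establishment method;
# here keys are generated locally (constructed for illustration).
METHODS = {
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3_256": hashlib.sha3_256,
    "hmac-blake2s": hashlib.blake2s,
}

def choose_methods(shared_secret: bytes, epoch: int, count: int) -> list:
    """Pick the active subset of methods for a connection epoch from a shared
    secret, so the combination is unknown to an outsider and can change over
    the lifetime of the connection."""
    prf = hmac.new(shared_secret, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    rank = lambda name: hmac.new(prf, name.encode(), hashlib.sha256).digest()
    return sorted(METHODS, key=rank)[:count]

def new_keys(method_names) -> dict:
    """One independent random key per active method."""
    return {name: os.urandom(32) for name in method_names}

def sign(message: bytes, keys: dict) -> dict:
    """Compute one tag per active method; all tags accompany the message."""
    return {name: hmac.new(key, message, METHODS[name]).digest()
            for name, key in keys.items()}

def verify(message: bytes, tags: dict, keys: dict) -> bool:
    """Accept only if every active method's tag verifies. A missing or wrong
    tag rejects the message, so defeating integrity requires compromising
    every method (key or algorithm) at once, not just one."""
    if set(tags) != set(keys):
        return False
    ok = True
    for name, key in keys.items():
        expected = hmac.new(key, message, METHODS[name]).digest()
        # constant-time compare without short-circuit, so timing does not
        # reveal which method rejected the tag
        ok &= hmac.compare_digest(expected, tags[name])
    return ok

def tags_with_one_key_known(message: bytes, keys: dict, known: str) -> dict:
    """Model the single-point-of-vulnerability case the paper describes:
    only one method's key is known, so the other tags can only be guessed."""
    tags = {name: os.urandom(32) for name in keys}  # guesses
    tags[known] = hmac.new(keys[known], message, METHODS[known]).digest()
    return tags
```

With one key exposed the message is still rejected, which is exactly the survivability property the abstract argues for; with a single method it would have been accepted.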