Analysis of the SPV secure routing protocol: weaknesses and lessons

We analyze a secure routing protocol, Secure Path Vector (SPV), proposed in SIGCOMM 2004. SPV aims to provide authenticity for route announcements in the Border Gateway Protocol (BGP) using an efficient alternative to ordinary digital signatures, called constant-time signatures. Today, SPV is often considered the best cryptographic defense for BGP. We find subtle flaws in the design of SPV which lead to attacks that can be mounted by 60% of Autonomous Systems in the Internet. In addition, we study several of SPV's design decisions and assumptions and highlight the requirements for security of routing protocols. In light of our analysis, we reexamine the need for constant-time signatures and find that certain standard digital signature schemes can provide the same level of efficiency for route authenticity.
