In light of recent revelations over government spying and the NSA's infiltration of crypto standards, Bruce Schneier last week argued that:
"We engineers built the internet – and now we have to fix it"
Adrian Perrig (ETH Zurich) kicked off ESORICS at Royal Holloway on Monday by proposing how. In the keynote talk he outlined a radical strategy of "revolution, not evolution" on the Internet, to fix current issues and ensure a reliable and secure architecture for the future.
So what are the problems?
The root of the problem is that the Internet was not designed with security in mind. The Border Gateway Protocol (BGP) is the decentralized routing protocol that makes all the key decisions as to where your data goes, and is particularly vulnerable to attack. With techniques like prefix hijacking and DNS spoofing, it is all too easy for Internet traffic to be re-routed through unwanted destinations, for example via China or perhaps GCHQ's cables.
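To make the prefix hijacking problem concrete from the defender's side, here is an added example (not from the talk or the original post) of the origin check an operator can run over received announcements. The baseline table, the announcements and the function names are constructed for illustration, using documentation prefixes and AS numbers.

```python
import ipaddress

# Constructed baseline: prefix -> AS expected to originate it
# (documentation prefixes from RFC 5737, documentation ASNs from RFC 5398).
EXPECTED_ORIGINS = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64501,
    "203.0.113.0/24": 64502,
}

# Constructed announcements as (prefix, AS path); the origin is the last AS.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64510, 64500]),      # expected origin
    ("198.51.100.0/24", [64510, 64505]),   # same prefix, different origin
    ("203.0.113.128/25", [64511, 64505]),  # more-specific, different origin
    ("203.0.113.0/24", [64511, 64502]),    # expected origin
]

def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Compare one announcement against the baseline of expected origins."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    table = {ipaddress.ip_network(p): asn for p, asn in expected.items()}
    if net in table:
        return "ok" if origin == table[net] else "origin-mismatch"
    # Routers prefer the longest matching prefix, so a more-specific route
    # attracts traffic even while the legitimate covering route is still up.
    covering = [k for k in table
                if k.version == net.version and net.subnet_of(k)]
    if not covering:
        return "unknown"
    parent = max(covering, key=lambda k: k.prefixlen)
    if origin == table[parent]:
        return "unlisted-more-specific"
    return "more-specific-origin-mismatch"

def alerts(announcements=ANNOUNCEMENTS):
    """Return (prefix, origin AS, status) for announcements worth a look."""
    flagged = []
    for prefix, path in announcements:
        status = classify(prefix, path)
        if status not in ("ok", "unknown"):
            flagged.append((prefix, path[-1], status))
    return flagged

if __name__ == "__main__":
    for prefix, origin, status in alerts():
        print(f"{prefix} origin AS{origin}: {status}")
```

BGP itself performs no such check, which is why the baseline has to come from outside the protocol.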
Even if no-one's maliciously trying to re-route your traffic, BGP provides no control over the paths of incoming connections, so there's no way of explicitly avoiding specific nodes. As well as security problems, this can lead to route inconsistencies and stability issues; for example, problems with an ISP in Australia can affect connectivity in the US. BGP also suffers from scalability issues caused by large routing tables and increasingly frequent routing updates, leading to more complex route calculation and greater power consumption in data centres.
SCION: building a secure Internet
To combat these issues, Adrian argued we need a system that allows explicit trust for network operations (so you know precisely which nodes you need to trust) and minimizes the number of trusted entities required for any operation, with no single root of trust. He proposed a novel Internet architecture called SCION. The core principle of SCION is trust domains, which divide the network into independent, isolated areas based on geographic or political boundaries that protect routing in one domain from malicious activities from another.
All the nodes in a trust domain must agree on a core root of trust within their domain, which is responsible for communicating with other trust domains. These cores might be today's top-level ISPs, for example. Paths from a source to a destination are computed jointly, so users have greater control over both outgoing and incoming routes, and shortcuts can allow users of different trust domains to directly communicate if they want.
The key concept of isolation seems a good, general way of preventing attacks. The main weakness behind the current BGP-based system is that any adversary who can get between a source and destination can attack the route. The strict isolation in SCION forces attacks to be localized to routes within the adversary's trust domain, and massively limits the effectiveness of many attacks you see today.
The proposal was a radical one, and provoked many questions, but the details seem well thought out. According to their experiments, most existing paths discovered by BGP are likely to be found through SCION's route propagation method, alongside a whole load more routes. And the advantages of isolation, scalability and path control make it an attractive alternative. My only disappointment with the talk was the lack of discussion as to the feasibility of actually implementing the architecture and phasing out BGP. No doubt re-engineering the Internet is a mammoth task with many complex issues, but hopefully those responsible will give SCION some serious consideration.
Cool. But how can I encrypt?
To conclude, Adrian reminded us that as well as a strong Internet architecture, to truly secure our communications we need more usable security. He showed a video demonstration of SafeSlinger, a neat tool for easy-to-use, secure end-to-end and group messaging. The app, which is available for Android and iOS (a Gmail plugin is in the works), has a simple, intuitive system for securely establishing keys between users, with an attractive interface that should appeal to the younger generation - certainly a lot more than PGP! With a committed development team - the app was 6 years in the making - and regular security audits (hopefully avoiding recent Android security issues), the tool shows promise in an area direly lacking in usable options.