Using secure coprocessors to enforce network access policies in enterprise and ad hoc networks
Nowadays, network security is critically important. Enterprises rely on networks to improve
their business. However, network security breaches may cost them millions of dollars.
Ad hoc networks, which enable computers to communicate wirelessly without the need for
infrastructure support, have been attracting more and more interest. However, they cannot
be deployed effectively due to security concerns.
Studies have shown that the major network security threat is insiders (malicious or
compromised nodes). Enterprises have traditionally employed network security solutions
(e.g., firewalls, intrusion detection systems, anti-virus software) and network access control
technologies (e.g., 802.1x, IPsec/IKE) to protect their networks. However, these approaches
do not prevent malicious or compromised nodes from accessing the network. Many attacks
against ad hoc networks, including routing, forwarding, and leader-election attacks, also
require malicious nodes to join the attacked network.
This dissertation presents a novel solution to protect both enterprise and ad hoc networks
by addressing the above problem. It is a hardware-based solution that protects a network
by attesting a node's configuration before authorizing the node's access to the
network. Attestation is the unforgeable disclosure of a node's configuration to another node,
signed by a secure coprocessor known as a Trusted Platform Module (TPM).
This dissertation makes the following contributions. First, several techniques at the
operating system level (i.e., TCB prelogging, secure association root tripping, and
sealing-free attestation confinement) are developed to support attestation and policy
enforcement. Second, two secure attestation protocols at the network level (i.e., Bound
Keyed Attestation (BKA) and Batched Bound Keyed Attestation (BBKA)) are designed to
overcome the risk of a man-in-the-middle (MITM) attack. Third, the above techniques are
applied in enterprise networks to different network access control technologies to enhance
enterprise network security. Fourth, AdHocSec, a novel network security solution for ad hoc
networks, is proposed and evaluated. AdHocSec inserts a security layer between the network
and data link layers of the network stack. Several algorithms are designed to facilitate
node attestation in ad hoc networks, including the distributed attestation (DA) and
attested merger (AM) algorithms.
Advisor: José Carlos Brustoloni; Rami Melhem; James B. D. Joshi; Ahmed Amer
School: University of Pittsburgh
School Location: USA - Pennsylvania
Source Type: Master's Thesis
Date of Publication: 06/16/2008