proxychain developing a robust and efficient
play

Proxychain: Developing a Robust and Efficient Authentication - PowerPoint PPT Presentation

Mar 31, 2024 •259 likes •517 views

Proxychain: Developing a Robust and Efficient Authentication Infrastructure for Carrier-Scale VoIP Networks Italo Dacosta and Patrick Traynor Performance, Scalability and Security Finding the right balance between performance /scalability

  1. Proxychain: Developing a Robust and Efficient Authentication Infrastructure for Carrier-Scale VoIP Networks Italo Dacosta and Patrick Traynor

  2. Performance, Scalability and Security • Finding the right balance between performance /scalability and security is a well-known challenge • Robust but computationally expensive security mechanisms are difficult to deploy in production environments – S-BGP, DNSSEC • Weaker but more efficient security mechanisms are generally broken and abused – WEP, IKE Aggressive mode 2 Georgia Tech Information Security Center

  3. Another Example: SIP Authentication • Session Initiation Protocol (SIP) – Establishes, manages and terminates sessions between two or more clients – Generally associated with VoIP • RFC 3261 recommends several security mechanisms: Digest authentication, SSL/TLS, IPsec and S/MIME • However, Digest authentication is typically the only one employed – Weaker but more efficient 3 Georgia Tech Information Security Center

  4. SIP Digest Authentication - Challenge-response authentication protocol - Based on cryptographic hash operations (MD5) - De facto authentication mechanism in SIP 4 Georgia Tech Information Security Center

  5. SIP Dialogs with Digest Authentication INVITE 407 Response [realm, n] INVITE [ H(H (uid||realm||pwd)||n|| H (method||URI) ) ] 1 uid H (uid||realm||pwd) INVITE INVITE Request to 407 Response [realm, n] DB always required INVITE [ H(H (uid||realm||pwd)||n|| H (method||URI) ) ] 2 uid H (uid||realm||pwd) INVITE 5 Georgia Tech Information Security Center

  6. Problems with Digest Authentication • Inefficient in scenarios with a remote authentication service or database – RTT added to each authentication operation – One request to the database per authenticated SIP message – High load in the database if it is shared by multiple SIP servers • Considered a weak authentication protocol – E.g., No mutual authentication 6 Georgia Tech Information Security Center

  7. Our Scenario: A Nationwide VoIP Provider P = SIP Proxies DB = Authentication database 7 Georgia Tech Information Security Center

  8. The Problem: Digest Authentication Performance in Our Scenario 25000 No Authentication Digest Authentication 20000 Measured Throughput (cps) ≈ 24,000 cps (no auth.) 15000 10000 ≈ 1,160 cps 5000 (Digest auth.) 0 0 5000 10000 15000 20000 25000 30000 35000 Offered Load (cps) 8 Georgia Tech Information Security Center

  9. Our Proposed Solution • Reduce the number of requests to the database by caching temporary authentication credentials in the proxies • Use hash chains to build these temporary credentials – Take advantage of hash chains properties • Caching Digest auth. credentials reduces security! 9 Georgia Tech Information Security Center

  10. Hash Chains Background • Sequence of one-time authentication tokens • Created by applying a cryptographic hash function to a secret value r multiple times H n (r) = H(…H(H(r))…) 10 Georgia Tech Information Security Center

  11. Methodology • Design and implementation of new SIP authentication protocol: Proxychain • Experimental evaluation – Call throughput – Bandwidth utilization – CPU utilization • Results analysis 11 Georgia Tech Information Security Center

  12. Proxychain Design Goals • Efficiency – Faster authentication operations • Scalability – Support larger number of users and proxies • Security – Provide more security guarantees 12 Georgia Tech Information Security Center

  13. Proxychain SIP Dialogs Secure Channel INVITE [n AP ] A, P H l (tk A ), l , n DA , n DP , tk P 1 407 Response [ i , P, n DA , n DP , HMAC(tk P , n AP || i )] INVITE [A, B, i , HMAC(tk P , A||B||i), H i-1 (tk A )] INVITE INVITE [n AP ] 407 Response [ i-1 , P, n DA , n DP , HMAC(tk P , n AP || i-1 )] No request to 2 DB is required INVITE [A, B, i-1 , HMAC(tk P , A||B|| i-1 ), H i-2 (tk A )] INVITE 13 Georgia Tech Information Security Center

  14. Proxychain implementation • Modifications to proxy, database and client software – Implemented in C language – Relatively small when compared to original code base • Total credential size (MD5): 134 bytes – Only ≈ 26 MB of proxy’s memory required for storing 200,000 users credentials 14 Georgia Tech Information Security Center

  15. Experimental Setup • Planetlab for obtaining real RTT values • GT Emulab testbed for database and proxies – OpenSIPS for proxies – MySQL for the database • Nine high-capacity servers for generating SIP call traffic – SIPp as the SIP traffic generator 15 Georgia Tech Information Security Center

  16. Results: Call Throughput 25000 No Authentication Digest Authentication Proxychain ≈ 19,700 cps 20000 ≈ 24,000 cps (Proxychain) Measured Throughput (cps) (no auth.) 15000 10000 ≈ 1,160 cps 5000 (Digest auth.) 0 0 5000 10000 15000 20000 25000 30000 35000 Offered Load (cps) 16 Georgia Tech Information Security Center

  17. Results: Database CPU Utilization 180 Digest authentication. Proxychain 160 140 DB saturation MySQL % CPU utilization 120 (dual core machine) 100 80 60 40 20 0 -20 0 100 200 300 400 500 600 Time (sec) 17 Georgia Tech Information Security Center

  18. Results: Scalability 25000 Digest authentication. Proxychain Maximum usable throughput (cps) 20000 15000 y = 3243.9 x + 416.5 R 2 = 0.998 10000 5000 0 3 4 5 6 # of proxies 18 Georgia Tech Information Security Center

  19. Results: INVITE and BYE Authentication Proxychain (INVITE) Proxychain (INVITE and BYE) ≈ 19,700 cps 20000 (INVITE) Measured Throughput (cps) 15000 10000 ≈ 12,000 cps (INVITE+BYE) 5000 0 0 5000 10000 15000 20000 25000 30000 35000 Offered Load (cps) 19 Georgia Tech Information Security Center

  20. Discussion: Performance and Scalability • Proxychain reduces the effects of network latency , allowing higher call throughput • Lower load to the database allows more scalability and lower HW requirement 20 Georgia Tech Information Security Center

  21. Discussion: Performance and Scalability • Hash chains allow constant storage space – Dynamic reprovisioning (future work) • Key assumption: each proxy caches most of its users’ credentials (>75%) – Pre-fetching mechanism – Cache eviction policies (future work) 21 Georgia Tech Information Security Center

  22. Discussion: Security • Security improvements over Digest authentication and hash chain protocols – Efficient mutual authentication , additional security verifications • Protection against passive and active attackers – Stealing credentials from a proxy does not allow user impersonation (only affects mutual authentication) 22 Georgia Tech Information Security Center

  23. Conclusions • Proxychain simultaneously provides a robust, scalable and efficient authentication mechanism for carrier-scale SIP providers without additional HW • Even non-carrier level infrastructures with centralized authentication service can benefit from Proxychain • The key concepts behind Proxychain can be applied to authentication protocols in other domains 23 Georgia Tech Information Security Center

  24. Questions? Contact : idacosta@gatech.edu 24 Georgia Tech Information Security Center

Recommend

WINLAB Rutgers University Routing in MobilityFirst: Objectives Efficient and robust support of

WINLAB Rutgers University Routing in MobilityFirst: Objectives Efficient and robust support of

GSTAR: Storage Aware Routing Protocol for Efficient and Robust Services Nehal Somani, Abhishek Chanda, Samuel Nelson, Dipankar Raychaudhuri WINLAB Rutgers University Routing in MobilityFirst: Objectives Efficient and robust support of mobility

783 views • 20 slides
STICK IT OUT OR EVEN IT OUT? Towards a robust multi-period efficient frontier HISTORY OF

STICK IT OUT OR EVEN IT OUT? Towards a robust multi-period efficient frontier HISTORY OF

STICK IT OUT OR EVEN IT OUT? Towards a robust multi-period efficient frontier HISTORY OF PORTFOLIO SELECTION 1952, Markowitz: Efficient frontier for one-off investments 1956, Kelly: Optimize expected terminal wealth for repeated games 1991,

583 views • 10 slides
Workshop on the Role of Speech in Developing Robust Speech Processing Applications May 7-8, 2015

Workshop on the Role of Speech in Developing Robust Speech Processing Applications May 7-8, 2015

Workshop on the Role of Speech in Developing Robust Speech Processing Applications May 7-8, 2015 NSF, Arlington, VA Overview: The workshop focused on the critical role that speech science should play in developing robust future speech

663 views • 4 slides
The need for effective, efficient and robust communications is critical. Data is at the essence

The need for effective, efficient and robust communications is critical. Data is at the essence

The need for effective, efficient and robust communications is critical. Data is at the essence of what we do collection, evaluation, sharing these are all core to decision making whether it is part of the bridge team, the ashore side

352 views • 14 slides
Robust and Energy Efficient MAC/PHY Strategies of Wi-Fi Sunghyun Choi, Ph.D., FIEEE Multimedia

Robust and Energy Efficient MAC/PHY Strategies of Wi-Fi Sunghyun Choi, Ph.D., FIEEE Multimedia

Robust and Energy Efficient MAC/PHY Strategies of Wi-Fi Sunghyun Choi, Ph.D., FIEEE Multimedia & Wireless Networking Lab. Seoul National University, Korea http://www.mwnl.snu.ac.kr Introduction Wi-Fi has become an indispensable part of

700 views • 49 slides
The R -tree: An Efficient and Robust Access Method for Points and Rectangles N. Beckmann H.

The R -tree: An Efficient and Robust Access Method for Points and Rectangles N. Beckmann H.

The R -tree: An Efficient and Robust Access Method for Points and Rectangles N. Beckmann H. P. Kriegel R. Schneider B. Seeger Praktische Informatik, Universitaet Bremen February 23, 2013 Presented by Zhitao Gong Beckmann et al.

262 views • 22 slides
Robust and Efficient Methods of Inference for Non-Probability Samples: Application to Naturalistic

Robust and Efficient Methods of Inference for Non-Probability Samples: Application to Naturalistic

Robust and Efficient Methods of Inference for Non-Probability Samples: Application to Naturalistic Driving Data Ali Rafei 1 , Michael R. Elliott 1 , Carol A.C. Flannagan 2 1 Michigan Program in Survey Methodology 2 University of Michigan

932 views • 66 slides
Robust and Efficient Fitting of Claim Severity Distributions Vytaras Brazauskas a,b University of

Robust and Efficient Fitting of Claim Severity Distributions Vytaras Brazauskas a,b University of

Robust and Efficient Fitting of Claim Severity Distributions Vytaras Brazauskas a,b University of Wisconsin-Milwaukee 44th Actuarial Research Conference Madison, WI, July 30August 1, 2009 a In collaboration with Jones and Zitikis (University

895 views • 73 slides
Program correctness and verification Programs should be: clear; efficient; robust; reliable;

Program correctness and verification Programs should be: clear; efficient; robust; reliable;

Program correctness and verification Programs should be: clear; efficient; robust; reliable; user friendly; well documented; . . . but first of all, CORRECT dont forget though: also, executable. . . Correctness

202 views • 19 slides
A Storage-efficient and Robust Private Information Retrieval Scheme allowing few servers D.

A Storage-efficient and Robust Private Information Retrieval Scheme allowing few servers D.

A Storage-efficient and Robust Private Information Retrieval Scheme allowing few servers D. Augot, Franc oise Levy-dit-Vehel, Abudllatif Shikfa INRIA, ENSTA, Alcatel-Lucent D. Augot GT-BAC T el ecom, December 11, 2014 - 1/27 Outline

654 views • 31 slides
A predictive multi-modal imaging marker for designing efficient and robust AD clinical trials

A predictive multi-modal imaging marker for designing efficient and robust AD clinical trials

A predictive multi-modal imaging marker for designing efficient and robust AD clinical trials Vikas Singh , Ozioma Okonkwo Sterling C. Johnson , Vamsi K. Ithapu Computer Sciences Biostatistics and Medical Informatics

793 views • 54 slides
A Robust and Efficient Parallel SVD Solver Based on Restarted Lanczos Bidiagonalization Jose E.

A Robust and Efficient Parallel SVD Solver Based on Restarted Lanczos Bidiagonalization Jose E.

Overview of SLEPc Restarted Lanczos Bidiagonalization Evaluation A Robust and Efficient Parallel SVD Solver Based on Restarted Lanczos Bidiagonalization Jose E. Roman Universidad Polit ecnica de Valencia, Spain (joint work with V.

337 views • 33 slides
A Robust and Efficient Parallel SVD Solver Based on Restarted Lanczos Bidiagonalization Jose E.

A Robust and Efficient Parallel SVD Solver Based on Restarted Lanczos Bidiagonalization Jose E.

Overview of SLEPc Restarted Lanczos Bidiagonalization Evaluation A Robust and Efficient Parallel SVD Solver Based on Restarted Lanczos Bidiagonalization Jose E. Roman Universidad Polit ecnica de Valencia, Spain (joint work with V.

829 views • 60 slides
Integrating Color Image Segmentation and User Labeling for Efficient and Robust Graphics

Integrating Color Image Segmentation and User Labeling for Efficient and Robust Graphics

Integrating Color Image Segmentation and User Labeling for Efficient and Robust Graphics Recognition from Historical Maps Summary: the integration of a Color Image Segmentation (CIS) step with an interactive road-layer extraction process that

444 views • 6 slides
Prio: Private, Robust, and Efficient Computation of Aggregate Statistics Henry Corrigan-Gibbs and

Prio: Private, Robust, and Efficient Computation of Aggregate Statistics Henry Corrigan-Gibbs and

Prio: Private, Robust, and Efficient Computation of Aggregate Statistics Henry Corrigan-Gibbs and Dan Boneh Stanford University Appeared at NSDI 2017 Today: Non-private aggregation StressTracker Blood pressure Twitter usage Today:

1.92k views • 163 slides
Efficient & Robust LK for Mobile Vision Instructor - Simon Lucey 16-623 - Designing Computer

Efficient & Robust LK for Mobile Vision Instructor - Simon Lucey 16-623 - Designing Computer

Efficient & Robust LK for Mobile Vision Instructor - Simon Lucey 16-623 - Designing Computer Vision Apps Direct Method Indirect Method (ours) (ORB+RANSAC) H. Alismail, B. Browning, S. Lucey Bit-Planes: Dense Subpixel Alignment of

902 views • 67 slides
microinsurance growth = (robust + efficient processes)? Rehan Butt Head of Business Development

microinsurance growth = (robust + efficient processes)? Rehan Butt Head of Business Development

microinsurance growth = (robust + efficient processes)? Rehan Butt Head of Business Development Asia & Country Manager Pakistan Processes as growth determinant = More people experiencing insurance products and services Growth Gr =

311 views • 5 slides
Prio: Private, Robust, and Efficient Computation of Aggregate Statistics Henry Corrigan-Gibbs and

Prio: Private, Robust, and Efficient Computation of Aggregate Statistics Henry Corrigan-Gibbs and

Prio: Private, Robust, and Efficient Computation of Aggregate Statistics Henry Corrigan-Gibbs and Dan Boneh Stanford University NSDI 2017 Today: Non-private aggregation StressTracker Blood pressure Twitter usage Today: Non-private

1.92k views • 178 slides
We help our clients to create a sustainable growth through developing best people, efficient

We help our clients to create a sustainable growth through developing best people, efficient

We help our clients to create a sustainable growth through developing best people, efficient operational model and on-time strategy ABOUT PURCHASING, LOCALIZATION, QUALITY , LEAN MANUFACTURING AND: SUPPLIER ANALYSIS BENCHMARKING LOCALIZATION

298 views • 15 slides
Efficient, Parametrically-Robust Nonlinear Model Reduction using Local Reduced-Order Bases

Efficient, Parametrically-Robust Nonlinear Model Reduction using Local Reduced-Order Bases

Introduction Local Reduced-Order Models Application Conclusion Efficient, Parametrically-Robust Nonlinear Model Reduction using Local Reduced-Order Bases Matthew J. Zahr and Charbel Farhat Farhat Research Group Stanford University SIAM

545 views • 39 slides
Variable Impedance Robots for Efficient, Robust Bipedal Locomotion Alexander Enoch and Sethu

Variable Impedance Robots for Efficient, Robust Bipedal Locomotion Alexander Enoch and Sethu

What & Why How? Approaches to Variable Impedance Work at UoE Questions Variable Impedance Robots for Efficient, Robust Bipedal Locomotion Alexander Enoch and Sethu Vijayakumar University of Edinburgh November 26, 2012 A. Enoch, S.

489 views • 45 slides
DEVELOPING A ROBUST REVENUE MARKETING ENGINE PRESENTER: LJUBICA RADOICIC OUR GROWTH MODEL IS

DEVELOPING A ROBUST REVENUE MARKETING ENGINE PRESENTER: LJUBICA RADOICIC OUR GROWTH MODEL IS

DEVELOPING A ROBUST REVENUE MARKETING ENGINE PRESENTER: LJUBICA RADOICIC OUR GROWTH MODEL IS FINE UNTIL... REVENUE GENERATION ENGINE KEY ELEMENTS THAT IMPACT MARKETINGS ABILITY TO IMPROVE REVENUE PERFORMANCE Strategic Orientation

421 views • 14 slides
Voronoi Diagrams Robust and Efficient implementation Masters Thesis Defense Nirav Patel

Voronoi Diagrams Robust and Efficient implementation Masters Thesis Defense Nirav Patel

Voronoi Diagrams Robust and Efficient implementation Masters Thesis Defense Nirav Patel Binghamton University Department of Computer Science Thomas J. Watson School of Engineering and Applied Science May 5th, 2005 Nirav Patel Voronoi

1.01k views • 71 slides
Deliverable D 3 . 1 Project Title: Developing an efficient e-infrastructure, standards and data-

Deliverable D 3 . 1 Project Title: Developing an efficient e-infrastructure, standards and data-

Deliverable D 3 . 1 Project Title: Developing an efficient e-infrastructure, standards and data- flow for metabolomics and its interface to biomedical and life science e-infrastructures in Europe and world-wide Project Acronym: COSMOS Grant

294 views • 28 slides

More recommend