New embedded S


SPDs (from pSHIELD to nSHIELD)



Date: 17.10.2016

6.4 SPDs (from pSHIELD to nSHIELD)



Table - SPDs


SPD | pSHIELD | nSHIELD

3. Automatic Access Control and Denial-of-Service

Mentioned in proposal and briefly investigated in D3.4.

Access control (IEEE 802.15.4, Wireless Medium Access Control)

Denial of Service (physical damage, jamming of communication lines, system overloading, attacks on the system’s power lines, battery depletion attacks)


WP3, T3.4
[The state-of-the-art can be found in Section ]
“As part of the activities in SHIELD, it is planned to address the critical design steps that will enable node firmware/software as well as network protocols in an SPD node environment which are resilient to DDoS attacks in conjunction with the implementation of basic access control mechanisms that a node should provide to the applications. Another step is to realize and handle DDoS vulnerabilities in a shared node environment where the possible attacker is an insider who already has the necessary credentials and wants to degrade service availability of part of the node network for his own purposes (per example shared face recognition devices installed on airport gates).”
[From TA_nSHIELD – 2.2.2 – Progress in specific SPD technologies as expected output of the project]


4. Lightweight Hardware and Software crypto technologies

In D3, asymmetric cryptography implementations of ECC and RSA were investigated. Asymmetric cryptography was used in order to exchange symmetric keys. Furthermore, the use of SHA-1, AES in CBC mode and a random number generator (RNG) was proposed.

Alternative algorithms were considered, some offering better performance, such as NTRU for asymmetric cryptography and PRESENT and Hummingbird for symmetric cryptography. These were not investigated further. In addition, the use of a TPM to store keys and improve performance and security was proposed.


In D6.1, a prototype was implemented using the Blowfish cipher.
Finally in D6.2 the following were used:

AES with key sizes of 128 bits and 256 bits

ECC/ECIES (TinyECC S/W) with key size 160 bits


WP3, T3.5

We propose the investigation of

AES & PRESENT, as symmetric block ciphers,

Grain, as a symmetric stream cipher, and

ECC & NTRU for public key cryptography and signatures


PRESENT was also a candidate for eSTREAM hardware implementation, so we could also take it into account as an alternative.
Regarding hash functions, we could investigate the SHA-3 finalists.
[The state-of-the-art can be found in Section 6.3.1 and 6.3.2]

12. Asymmetric Cryptography for low cost nodes

See SPD 04 above


WP3, T3.5


See SPD 04 above

13. Reputation based schemes for secure routing and intrusion detection system

D4.2 describes the proposed IDS, which features a distributed architecture and is implemented as a hybrid anomaly detection system. In this system every node runs a detection system, which is in charge of identifying nearby suspicious nodes. These suspicious nodes are temporarily blacklisted and an alarm is sent to the central agent. The central node gathers information from the rest of the nodes and, in the case of a false alarm, sends a false-positive message to the first node so that it erases the node from its blacklist. If it is a true alarm, the central node reports it to the rest of the nodes so that they blacklist the suspicious node. This solution combines misuse-based and anomaly-based techniques in a distributed hierarchy to improve resilience and performance.


WP4, T4.3


“SHIELD will go beyond the state-of-the-art in this technology by adapting it to a mobile ad-hoc environment. In such a network, it may be difficult for the reputation upgrading process to cope up with the node mobility and it might not be appropriate to depend solely upon personal observation. Using second hand information can significantly accelerate the detection and subsequent isolation of malicious nodes in MANETS”.
[From TA_nSHIELD – 2.2.2 – Progress in specific SPD technologies as expected output of the project]

14. Anonymity and Location-privacy techniques

Mentioned in the proposal, but no significant research appears in the deliverables.

WP4, T4.4
This SPD will be mainly investigated in the nSHIELD scenario of social mobility. We can propose relevant state of the art techniques, considering the updated case studies.


15. Reputation based security resource Management Procedures

Mentioned in the proposal as part of Task 4.3, and D3.2 touches on the topic for NMP nodes, but there is no visible research in WP4’s deliverables.

WP4, T4.3
“In order to improve this technology, SHIELD project will design an abstract layer that will consider device’s security as a service, so that SHIELD project could control the security of one resource and transactions among resources. This will control also traceability and dependence among resources. This remote control of TPM – reputation based- can identify malicious use, corruption and perform a secure flow control of the job.”
[From TA_nSHIELD – 2.2.2 – Progress in specific SPD technologies as expected output of the project]


18. Dependable authentic key distribution mechanism

In D3, public key cryptography is proposed in order to exchange symmetric keys.
D4 examines key distribution mechanisms that rely solely on symmetric cryptography.
In D6.1, a key exchange protocol, namely the ‘Control Randomness Protocol’, is implemented. In the first phase, a public key cryptography scheme is used to exchange the bundle of symmetric keys that will be used in the second phase. During the second phase, those keys are used as input for a symmetric key cryptography scheme that handles the actual data exchange.
In D6.2, the WSN sensors distribute cryptographic keys in accordance with a WSN broadcast key distribution method (when AES is used) and a key pre-distribution method (when ECC is used).



WP4, T4.4

The suitability of a scheme for key distribution depends on the application’s needs in terms of security, performance and flexibility.


In nSHIELD we will investigate the use of several schemes for the four scenarios, taking into account the special characteristics of every one of them.
Key distribution mechanisms that make use of asymmetric cryptography can be used by power nodes, as these mechanisms demand more resources but they are more robust.
Lightweight key distribution mechanisms that make use of symmetric cryptography can be used by low power nodes.
[The state-of-the-art can be found in Section 6.3.3]

19. Secure service discovery, composition and delivery protocols

In D5.2 the secure service management is described. In the proposed prototype the OSGI framework is used.
In D5.4 several prototypes were implemented that use:

OSGI framework to perform Middleware Core Services for discovery and composition of pSHIELD components

OWL file representing the pSHIELD ontology that, together with the pSHIELD middleware, makes the composition possible. In particular this prototype includes the reasoning for Common Criteria compliant composition of SPD metrics.

Architectural design and performance analysis of a Policy Based approach by which the middleware composition could be driven

Matlab simulation and theoretical formalization of a Hybrid Automata approach to drive the SPD composition in a context-aware way


More technologies for service management are presented in D5.3 and D5.4.
In D6.1 the proposed implementations are revisited.

WP5, T5.2


“SHIELD will implement (and if possible) refine these specification to release a very first implementation of some of these mechanism; among them, the most interesting issues is the definition of WS-Security Policy. WS-Security Policy is a standard that regulate a security assertion model, a security binding abstraction and policy considerations.”
[From TA_nSHIELD – 2.2.2 – Progress in specific SPD technologies as expected output of the project]

21. Policy-based SPD management

D5.2 and D5.4 provide an overview of the state-of-the-art for policy-based management (PBM). XACML is recommended for policy specification.
In D6.1 and D6.3 a prototype is implemented using XACML and a Hybrid Automata model.

WP5, T5.3


“In this aspect, SHIELD will implement the technologies to provide the ES networks with the ability to adapt the policies at runtime to changes in the environment to react to ongoing attacks. These technologies will be developed starting from the concepts and technologies developed in the SERENITY and MASTER projects (both dealing with dynamic policy management), and adapting them to the particularities of Embedded systems. The objective is that the provided policy management framework is not simply an adaptation of an existing one, but, on the contrary, designed for the particularities of the ESs.”
[From TA_nSHIELD – 2.2.2 – Progress in specific SPD technologies as expected output of the project]
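
The alarm flow described for SPD 13 (temporary local blacklist, alarm to the central agent, then either a false-positive retraction or a network-wide blacklist), as an added Python example that is not code from the pSHIELD deliverables. The quorum rule the central agent uses to separate true from false alarms, and all class and function names, are assumptions made for illustration.

```python
from collections import defaultdict

QUORUM = 2  # assumption: independent reports needed to confirm an alarm


class Node:
    def __init__(self, node_id):
        self.node_id = node_id
        self.blacklist = set()

    def raise_alarm(self, suspect, central):
        # Local detector fired: blacklist temporarily, then alert the central agent.
        self.blacklist.add(suspect)
        central.receive_alarm(self.node_id, suspect)

    def on_verdict(self, suspect, confirmed):
        # True alarm: blacklist the suspect. False positive: erase it.
        if confirmed:
            self.blacklist.add(suspect)
        else:
            self.blacklist.discard(suspect)


class CentralAgent:
    def __init__(self, nodes):
        self.nodes = {n.node_id: n for n in nodes}
        self.reports = defaultdict(set)  # suspect id -> ids of reporting nodes

    def receive_alarm(self, reporter, suspect):
        self.reports[suspect].add(reporter)

    def adjudicate(self, suspect):
        reporters = self.reports.pop(suspect, set())
        confirmed = len(reporters) >= QUORUM
        if confirmed:   # true alarm: tell every other node to blacklist
            targets = [n for n in self.nodes.values() if n.node_id != suspect]
        else:           # false alarm: only the reporters must retract
            targets = [self.nodes[r] for r in reporters]
        for node in targets:
            node.on_verdict(suspect, confirmed)
        return confirmed


def run_scenario():
    # Constructed scenario: A and B both flag E; C alone flags D.
    nodes = {i: Node(i) for i in "ABCDE"}
    central = CentralAgent(nodes.values())
    nodes["A"].raise_alarm("E", central)
    nodes["B"].raise_alarm("E", central)
    nodes["C"].raise_alarm("D", central)
    interim_c = set(nodes["C"].blacklist)            # D is held temporarily
    verdicts = {s: central.adjudicate(s) for s in ("E", "D")}
    return interim_c, verdicts, {i: n.blacklist for i, n in nodes.items()}
```

Until the central agent rules, C keeps D on its temporary blacklist; the retraction removes it, while E ends up blacklisted by every other node.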





