NANOG Meeting Presentation Abstract

Perspectives: Improving SSH-style Host Authentication with Network Probing
Meeting:	NANOG44
Date / Time:	2008-10-14 4:30pm - 5:00pm
Room:	Biltmore Bowl
Presenters:	Speakers: Dan Wendlandt, Carnegie Mellon Dan recently finished his third year s a PhD student at Carnegie Mellon University. He is generally interested in networks and security, particularly as they relate to economics. Sor far, he has mainly worked on routing security, host authentication, and DDoS. He is currently on a leave of absence working at Nicira Networks in Palo Alto, C A David Anderson, Carnegie Mellon. Adrian Perrig, Carnegie Mellon.
Abstract:	Widespread use of \"Trust-on-first-use\" (tofu) host authentication, most commonly associated with protocols like SSH and SSL with self-signed certificates, demonstrates significant demand for a host authentication mechanism that is low-cost and easy to deploy. While tofu applications are a clear improvement compared to completely insecure protocols, they can leave users vulnerable to even simple network attacks. Our system, Perspectives, thwarts such attacks using a network overlay that observes a server’s public key via multiple network vantage points (detecting localized attacks) and keeps a record of the server’s key over time (recognizing short-lived attacks). Clients that receive an unauthenticated key can contact this overlay and check the key against these records, detecting many common attacks. The Perspectives design explores a promising part of the host authentication design space: tofu applications gain significant attack robustness while retaining the basic ease-of-use that makes \"Trust-on-first-use\" so popular. We present a full network overlay and client design, analyze the security provided by the system, and describe our experience building and deploying a publicly available implementation.
Files:	Perspectives: Improving SSH-style Host Authentication with Network Probing Wendlandt Presentation(PDF)
Sponsors:	None.

Back to NANOG44 agenda.

NANOG44 Abstracts

• Show All

• BGP Techniques for Service Providers - Part 1
  Speakers:
  Philip Smith, Cisco Systems;

• VoIP For Service Providers
  Speakers:
  Andy Davidson, NetSumo Ltd;

• IP Multicast and Multipoint Design for IPTV Services
  Speakers:
  Mike McBride, Cisco Systems;

• DNSSEC
  Speakers:
  Richard Lamb, IANA/ICANN;

• BGP Techniques for Service Providers – Part 2
  Speakers:
  Philip Smith, Cisco Systems;

• Practice and Experience: Deploying LISP Protocol
  Speakers:
  David Meyer, Cisco/University of Oregon;

• IEEE P802.3ba 40 GbE and 100 GbE Standards Update
  Speakers:
  Greg Hankins, Force10 Networks;

• Request to Submit a Survey
  Speakers:
  Tom Scholl, AT&T Labs;

• Changing the IP Fairness Rule with Flow Management
  Speakers:
  Lawrence Roberts, Anagran;

• Automatic Configuration Generation and Auditing of Network
  Speakers:
  Michael ShieldsGoogle; .
  

• IPv6 Routing Introduction
  Speakers:
  Philip Smith, Cisco Systems; Ron Bonica, Juniper Networks;

• IPv6 Routing Introduction
  Speakers:
  Philip Smith, Cisco Systems; Ron Bonica, Juniper Networks;

• ISP Security
  Speakers:
  Danny McPherson, Arbor Networks; Warren KumariGoogle; .
  

• ISP Security
  Speakers:
  Danny McPherson, Arbor Networks; Warren KumariGoogle; .
  

• Tools
  Speakers:
  Joel Jaeggli, Nokia;

• Experiences of Delivering IPTV to Student Accommodation in the UK
  Speakers:
  Simon Lockhart, Bogons, Inuk Networks;

• DNSSEC @ IANA
  Speakers:
  Richard Lamb, IANA/ICANN;

• RFC 5211 - One Possible Timeline to IPv6
  Speakers:
  John Curran, ServerVault Corp/ARIN;

• Stealing the Internet
  Speakers:
  Alex PilosovPilsoft; .
  Anton Kapela, 5Nines Data;

• Stealing the Internet
  Speakers:
  Alex PilosovPilsoft; .
  Anton Kapela, 5Nines Data;

• A One Year Measurement Study of IPv6 Inter-Domain Traffic in the Internet
  Speakers:
  Haakon Ringberg, Princeton University; Danny McPherson, Arbor Networks; Craig Labovitz, Arbor Networks; Scott Iekel-JohnsonArbor Networks; .
  

• A One Year Measurement Study of IPv6 Inter-Domain Traffic in the Internet
  Speakers:
  Haakon Ringberg, Princeton University; Danny McPherson, Arbor Networks; Craig Labovitz, Arbor Networks; Scott Iekel-JohnsonArbor Networks; .
  

• A One Year Measurement Study of IPv6 Inter-Domain Traffic in the Internet
  Speakers:
  Haakon Ringberg, Princeton University; Danny McPherson, Arbor Networks; Craig Labovitz, Arbor Networks; Scott Iekel-JohnsonArbor Networks; .
  

• A One Year Measurement Study of IPv6 Inter-Domain Traffic in the Internet
  Speakers:
  Haakon Ringberg, Princeton University; Danny McPherson, Arbor Networks; Craig Labovitz, Arbor Networks; Scott Iekel-JohnsonArbor Networks; .
  

• Ensuring Service Quality & Security in Converged Networks Through Proactive Monitoring
  Speakers:
  Rahul Vir, Foundry Networks;

• Perspectives: Improving SSH-style Host Authentication with Network Probing
  Speakers:
  Dan Wendlandt, Carnegie Mellon; David AndersonCarnegie Mellon; .
  Adrian PerrigCarnegie Mellon; .
  

• Perspectives: Improving SSH-style Host Authentication with Network Probing
  Speakers:
  Dan Wendlandt, Carnegie Mellon; David AndersonCarnegie Mellon; .
  Adrian PerrigCarnegie Mellon; .
  

• Perspectives: Improving SSH-style Host Authentication with Network Probing
  Speakers:
  Dan Wendlandt, Carnegie Mellon; David AndersonCarnegie Mellon; .
  Adrian PerrigCarnegie Mellon; .
  

• Unconstrained Profiling of Internet Endpoints via Information on the Web
  Speakers:
  Antonio NucciNarus; .
  Supranamaya Ranjan, Narus; Aleksandar KuzmanovicNorthwestern University; .
  Ionut Trestian, Northwestern University;

• Unconstrained Profiling of Internet Endpoints via Information on the Web
  Speakers:
  Antonio NucciNarus; .
  Supranamaya Ranjan, Narus; Aleksandar KuzmanovicNorthwestern University; .
  Ionut Trestian, Northwestern University;

• Unconstrained Profiling of Internet Endpoints via Information on the Web
  Speakers:
  Antonio NucciNarus; .
  Supranamaya Ranjan, Narus; Aleksandar KuzmanovicNorthwestern University; .
  Ionut Trestian, Northwestern University;

• Unconstrained Profiling of Internet Endpoints via Information on the Web
  Speakers:
  Antonio NucciNarus; .
  Supranamaya Ranjan, Narus; Aleksandar KuzmanovicNorthwestern University; .
  Ionut Trestian, Northwestern University;

• Moderated Panel: What Would Jon have Done About the Addressing Challenges Currently Facing Us?
  Moderators:
  Bob Hinden, Nokia; Panelists:
  Bob BradenISI; .
  Danny Cohen, Sun; Van Jacobson, PARC; Paul MockapetrisNominum; .
  Lixia Zhang, UCLA;

• Moderated Panel: What Would Jon have Done About the Addressing Challenges Currently Facing Us?
  Moderators:
  Bob Hinden, Nokia; Panelists:
  Bob BradenISI; .
  Danny Cohen, Sun; Van Jacobson, PARC; Paul MockapetrisNominum; .
  Lixia Zhang, UCLA;

• Moderated Panel: What Would Jon have Done About the Addressing Challenges Currently Facing Us?
  Moderators:
  Bob Hinden, Nokia; Panelists:
  Bob BradenISI; .
  Danny Cohen, Sun; Van Jacobson, PARC; Paul MockapetrisNominum; .
  Lixia Zhang, UCLA;

• Moderated Panel: What Would Jon have Done About the Addressing Challenges Currently Facing Us?
  Moderators:
  Bob Hinden, Nokia; Panelists:
  Bob BradenISI; .
  Danny Cohen, Sun; Van Jacobson, PARC; Paul MockapetrisNominum; .
  Lixia Zhang, UCLA;

• Moderated Panel: What Would Jon have Done About the Addressing Challenges Currently Facing Us?
  Moderators:
  Bob Hinden, Nokia; Panelists:
  Bob BradenISI; .
  Danny Cohen, Sun; Van Jacobson, PARC; Paul MockapetrisNominum; .
  Lixia Zhang, UCLA;

• Moderated Panel: What Would Jon have Done About the Addressing Challenges Currently Facing Us?
  Moderators:
  Bob Hinden, Nokia; Panelists:
  Bob BradenISI; .
  Danny Cohen, Sun; Van Jacobson, PARC; Paul MockapetrisNominum; .
  Lixia Zhang, UCLA;