Perspectives: Improving SSH-style Host Authentication with Network Probing
Meeting: NANOG44
Date / Time: 2008-10-14 4:30pm - 5:00pm
Room: Biltmore Bowl
Presenters:

Dan Wendlandt, Carnegie Mellon

Dan recently finished his third year as a PhD student at Carnegie Mellon University. He is generally interested in networks and security, particularly as they relate to economics. So far, he has mainly worked on routing security, host authentication, and DDoS. He is currently on a leave of absence working at Nicira Networks in Palo Alto, CA.
David Anderson, Carnegie Mellon.
Adrian Perrig, Carnegie Mellon.
Abstract: Widespread use of "Trust-on-first-use" (tofu) host authentication, most commonly associated with protocols like SSH and SSL with self-signed certificates, demonstrates significant demand for a host authentication mechanism that is low-cost and easy to deploy. While tofu applications are a clear improvement compared to completely insecure protocols, they can leave users vulnerable to even simple network attacks. Our system, Perspectives, thwarts such attacks using a network overlay that observes a server's public key via multiple network vantage points (detecting localized attacks) and keeps a record of the server's key over time (recognizing short-lived attacks). Clients that receive an unauthenticated key can contact this overlay and check the key against these records, detecting many common attacks. The Perspectives design explores a promising part of the host authentication design space: tofu applications gain significant attack robustness while retaining the basic ease-of-use that makes "Trust-on-first-use" so popular. We present a full network overlay and client design, analyze the security provided by the system, and describe our experience building and deploying a publicly available implementation.
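The two checks the abstract describes (agreement across vantage points, and agreement sustained over time) can be made concrete with a small client-side policy. The following is an added example written for this page; it is not code from the Perspectives project. It assumes each notary returns, per service, a list of (key fingerprint, first seen, last seen) intervals, and it uses two thresholds, a quorum of notaries and a quorum duration, chosen here for illustration. The notary names, fingerprints and timestamps are constructed sample data.

```python
"""Client-side key check in the style the Perspectives abstract describes.

Added example, not the project's own code.  Each notary keeps, per service,
the keys it has observed and when.  The client accepts an unauthenticated
key only if enough notaries (a quorum) report it now AND have done so
continuously for long enough (a quorum duration).  Notary names,
fingerprints, thresholds and timestamps below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    key: str    # fingerprint of the key this notary saw for the service
    start: int  # first time it was seen (unix seconds)
    end: int    # last time it was seen (unix seconds)


def consistent_since(history, key, now):
    """Earliest time from which this notary reported `key` without
    interruption up to `now`; None if it does not report `key` now."""
    intervals = sorted((o.start, o.end) for o in history if o.key == key)
    since = None
    for start, end in reversed(intervals):
        if since is None:
            if start <= now <= end:
                since = start              # the interval covering `now`
        elif end >= since:
            since = min(since, start)      # adjacent/overlapping: extend back
        else:
            break                          # a gap: the continuous run ends
    return since


def check_key(offered_key, notaries, now, quorum, quorum_duration):
    """Return (accepted, reason).  `notaries` maps notary name -> [Observation]."""
    agreeing = {}
    for name, history in notaries.items():
        since = consistent_since(history, offered_key, now)
        if since is not None:
            agreeing[name] = since
    # Vantage-point check: a localized MITM alters the key only on the
    # client's path, so most notaries will not see the offered key at all.
    if len(agreeing) < quorum:
        return False, f"only {len(agreeing)} of {len(notaries)} notaries see this key"
    # Temporal check: the quorum was first reached continuously at the
    # quorum-th earliest 'since'.  A key every notary has seen for only
    # minutes is either a fresh attack or a fresh key rotation; either way
    # the client should not silently accept it.
    quorum_since = sorted(agreeing.values())[quorum - 1]
    duration = now - quorum_since
    if duration < quorum_duration:
        return False, f"quorum has agreed for only {duration}s"
    return True, f"{len(agreeing)} notaries agree for {duration}s"


# Constructed sample data: four notaries watching one service.
NOW = 1_700_000_000
DAY = 86_400
SAMPLE_NOTARIES = {
    "notary-a": [Observation("SHA1:1111", NOW - 30 * DAY, NOW)],
    "notary-b": [Observation("SHA1:0000", NOW - 60 * DAY, NOW - 30 * DAY),
                 Observation("SHA1:1111", NOW - 30 * DAY, NOW)],
    # the same key reported as two adjacent probe intervals
    "notary-c": [Observation("SHA1:1111", NOW - 30 * DAY, NOW - 10 * DAY),
                 Observation("SHA1:1111", NOW - 10 * DAY, NOW)],
    "notary-d": [Observation("SHA1:1111", NOW - 30 * DAY, NOW)],
}


def demo():
    """Run the three cases the abstract distinguishes; returns name -> (ok, why)."""
    results = {}
    # Legitimate key, seen everywhere for a month.
    results["legit"] = check_key("SHA1:1111", SAMPLE_NOTARIES, NOW, 3, DAY)
    # Localized attack: the client is offered a key no notary has seen.
    results["localized_mitm"] = check_key("SHA1:2222", SAMPLE_NOTARIES, NOW, 3, DAY)
    # Short-lived attack: every notary sees the new key, but only for 10 minutes.
    recent = {n: [Observation("SHA1:3333", NOW - 600, NOW)] for n in SAMPLE_NOTARIES}
    results["short_lived"] = check_key("SHA1:3333", recent, NOW, 3, DAY)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The quorum duration is what turns a "short-lived" attack into a visible event: an attacker who briefly controls the server's inbound path (or the notaries' view of it) satisfies the vantage-point check but not the temporal one. The same rule flags a genuine key rotation, which is the intended trade-off; the client can surface that case to the user rather than accepting it silently.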
Files: YouTube: Perspectives: Improving SSH-style Host Authentication with Network Probing
PDF: Wendlandt Presentation (PDF)
