Madtls: Fine-grained Middlebox-aware End-to-end Security for Industrial Communication
- URL: http://arxiv.org/abs/2312.09650v1
- Date: Fri, 15 Dec 2023 09:52:04 GMT
- Title: Madtls: Fine-grained Middlebox-aware End-to-end Security for Industrial Communication
- Authors: Eric Wagner, David Heye, Martin Serror, Ike Kunze, Klaus Wehrle, Martin Henze,
- Abstract summary: Middlebox-aware DTLS (Madtls) is a middlebox-aware end-to-end security protocol tailored to the needs of industrial networks.
Madtls provides bit-level read and write access control of middleboxes to communicated data with minimal bandwidth and processing overhead, even on constrained hardware.
- Score: 5.854487755768922
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Industrial control systems increasingly rely on middlebox functionality such as intrusion detection or in-network processing. However, traditional end-to-end security protocols interfere with the necessary access to in-flight data. While recent work on middlebox-aware end-to-end security protocols for the traditional Internet promises to address the dilemma between end-to-end security guarantees and middleboxes, the current state-of-the-art lacks critical features for industrial communication. Most importantly, industrial settings require fine-grained access control for middleboxes to truly operate in a least-privilege mode. Likewise, advanced applications even require that middleboxes can inject specific messages (e.g., emergency shutdowns). Meanwhile, industrial scenarios often expose tight latency and bandwidth constraints not found in the traditional Internet. As the current state-of-the-art misses critical features, we propose Middlebox-aware DTLS (Madtls), a middlebox-aware end-to-end security protocol specifically tailored to the needs of industrial networks. Madtls provides bit-level read and write access control of middleboxes to communicated data with minimal bandwidth and processing overhead, even on constrained hardware.
Related papers
- Boosting Device Utilization in Control Flow Auditing [47.36491265793223]
Control Flow (CFAud) is a mechanism wherein a remote verifier (Vrf) is guaranteed to received evidence about the control flow path taken on a prover (Prv) MCU, even when Prv software is compromised.<n>Current CFAud requires a busy-wait'' phase where root-of-anchored root-of-RoT in Prv retains execution to ensure delivery of flow evidence to Vrf.<n>CARAMEL is a hardware RoT co-design that enables Prv to resume while control flow evidence is transmitted to Vrf.
arXiv Detail & Related papers (2026-03-02T18:26:17Z) - Securing Cross-Domain Internet of Drones: An RFF-PUF Allied Authenticated Key Exchange Protocol With Over-the-Air Enrollment [22.842391212425184]
Internet of Drones (IoD) is an emerging and crucial paradigm enabling advanced applications that require seamless, secure communication.<n>Access control and the transmission of sensitive data pose significant security challenges for IoD systems.<n>We propose a lightweight mutual authentication mechanism that integrates Radio Frequency Fingerprint (RFF) and Physical Unclonable Function (PUF) technologies for secure drone-to-drone (D2D) and drone-to-ground station server (D2G) communication.
arXiv Detail & Related papers (2025-12-26T02:04:24Z) - Multi-channel secure communication framework for wireless IoT (MCSC-WoT): enhancing security in Internet of Things [4.503914517565443]
This work presents the Multi-Channel Secure Communication (MCSC) framework, which integrates advanced cryptographic protocols with dynamic channel-hopping strategies to enhance security with reduced synchronization overhead.<n>A comprehensive comparison of MCSC with well-established methods, including Frequency Hop Spread Spectrum, single channel Advanced Encryption Standard, and various Elliptic Curve Cryptography-based schemes, indicates that MCSC has lower error rates and is more resilient to a wider range of cyber attacks.
arXiv Detail & Related papers (2025-09-11T20:59:13Z) - Secure Tug-of-War (SecTOW): Iterative Defense-Attack Training with Reinforcement Learning for Multimodal Model Security [63.41350337821108]
We propose Secure Tug-of-War (SecTOW) to enhance the security of multimodal large language models (MLLMs)<n>SecTOW consists of two modules: a defender and an auxiliary attacker, both trained iteratively using reinforcement learning (GRPO)<n>We show that SecTOW significantly improves security while preserving general performance.
arXiv Detail & Related papers (2025-07-29T17:39:48Z) - Secure IVSHMEM: End-to-End Shared-Memory Protocol with Hypervisor-CA Handshake and In-Kernel Access Control [3.861132936894187]
This paper presents Secure IVSHMEM, a protocol that provides end-to-end mutual authentication and fine-grained access enforcement with negligible performance cost.<n>In microbenchmarks, Secure IVSHMEM completes its one-time handshake in under 200ms and sustains data-plane round-trip latencies within 5% of the unmodified baseline.<n>We believe this design is ideally suited for safety and latency-critical in-host domains, such as automotive systems, where both performance and security are paramount.
arXiv Detail & Related papers (2025-05-25T07:02:41Z) - Versatile Quantum-Safe Hybrid Key Exchange and Its Application to MACsec [1.2641141743223379]
Quantum computing poses a significant threat to cryptography currently deployed.<n> cryptographic building blocks to mitigate the threat are already available.<n>Following an agile defense-in-depth approach, Hybrid Authenticated Key Exchange protocols have recently been gaining attention.<n>We propose a new versatile HAKE protocol, dubbed VMuckle, which is sufficiently flexible for the use in MACsec to provide LAN participants with hybrid key material ensuring secure communication.
arXiv Detail & Related papers (2025-05-20T10:16:06Z) - Extending Lifetime of Embedded Systems by WebAssembly-based Functional Extensions Including Drivers [46.538276603099916]
We present Wasm-IO, a framework designed to facilitate peripheral I/O operations within WebAssembly (Wasm) containers.<n>We detail synchronous I/O and methods for embedding platform-independent peripheral configurations within Wasm binaries.
arXiv Detail & Related papers (2025-03-10T17:22:00Z) - Robust Multicast Origin Authentication in MACsec and CANsec for Automotive Scenarios [1.8570591025615457]
Ethernet and CAN XL provide link-level security based on symmetric cryptography, but do not support origin authentication for multicast transmissions.
Asymmetric cryptography is unsuitable for networked embedded control systems with real-time constraints and limited computational resources.
Some such strategies are presented and analyzed that allow for multicast origin authentication, also improving robustness to frame losses by means of interleaved keychains.
arXiv Detail & Related papers (2025-02-27T21:55:08Z) - A Comprehensive Framework for Building Highly Secure, Network-Connected Devices: Chip to App [1.4732811715354452]
This paper proposes a holistic approach to securing network-connected devices.
At the hardware level, we focus on secure key management, reliable random number generation, and protecting critical assets.
For secure communication, we emphasize TLS 1.3 and optimized cipher suites tailored for both standard and resource-constrained devices.
arXiv Detail & Related papers (2025-01-23T14:44:34Z) - Securing Legacy Communication Networks via Authenticated Cyclic Redundancy Integrity Check [98.34702864029796]
We propose Authenticated Cyclic Redundancy Integrity Check (ACRIC)
ACRIC preserves backward compatibility without requiring additional hardware and is protocol agnostic.
We show that ACRIC offers robust security with minimal transmission overhead ( 1 ms)
arXiv Detail & Related papers (2024-11-21T18:26:05Z) - Lightweight and Resilient Signatures for Cloud-Assisted Embedded IoT Systems [2.156208381257605]
Lightweight and Resilient Signatures with Hardware Assistance (LRSHA) and its Forwardsecure version (FLRSHA)
We create two novel digital signatures called Lightweight and Resilient Signatures with Hardware Assistance (LRSHA) and its Forwardsecure version (FLRSHA)
They offer a nearoptimally efficient signing with small keys and signature sizes.
arXiv Detail & Related papers (2024-09-20T22:43:47Z) - Conceptual Design and Implementation of FIDO2 compatible Smart Card for Decentralized Financial Transaction System [0.2678472239880052]
Existing passwordless and password-based peer to peer transactions in online banking systems are vulnerable to advanced forms of digital attacks.
This paper proposes a novel and robust peer to peer transaction system which employs best cloud security practices, proper use of cryptography and trusted computing to mitigate common vulnerabilities.
arXiv Detail & Related papers (2024-08-09T10:08:10Z) - Physical Layer Deception with Non-Orthogonal Multiplexing [52.11755709248891]
We propose a novel framework of physical layer deception (PLD) to actively counteract wiretapping attempts.
PLD combines PLS with deception technologies to actively counteract wiretapping attempts.
We prove the validity of the PLD framework with in-depth analyses and demonstrate its superiority over conventional PLS approaches.
arXiv Detail & Related papers (2024-06-30T16:17:39Z) - A Survey and Comparative Analysis of Security Properties of CAN Authentication Protocols [92.81385447582882]
The Controller Area Network (CAN) bus leaves in-vehicle communications inherently non-secure.
This paper reviews and compares the 15 most prominent authentication protocols for the CAN bus.
We evaluate protocols based on essential operational criteria that contribute to ease of implementation.
arXiv Detail & Related papers (2024-01-19T14:52:04Z) - HasTEE+ : Confidential Cloud Computing and Analytics with Haskell [50.994023665559496]
Confidential computing enables the protection of confidential code and data in a co-tenanted cloud deployment using specialized hardware isolation units called Trusted Execution Environments (TEEs)
TEEs offer low-level C/C++-based toolchains that are susceptible to inherent memory safety vulnerabilities and lack language constructs to monitor explicit and implicit information-flow leaks.
We address the above with HasTEE+, a domain-specific language (cla) embedded in Haskell that enables programming TEEs in a high-level language with strong type-safety.
arXiv Detail & Related papers (2024-01-17T00:56:23Z) - Tamper-Evident Pairing [55.2480439325792]
Tamper-Evident Pairing (TEP) is an improvement of the Push-Button configuration (PBC) standard.
TEP relies on the Tamper-Evident Announcement (TEA), which guarantees that an adversary can neither tamper a transmitted message without being detected, nor hide the fact that the message has been sent.
This paper provides a comprehensive overview of the TEP protocol, including all information needed to understand how it works.
arXiv Detail & Related papers (2023-11-24T18:54:00Z) - Secure Data Transmission over Insecure Radio Channel in Wireless of Things (WoT) Network [1.864621482724548]
The Public Key Cryptography (PKC) techniques which use larger keys cannot be fitted in tiny resource constrained Wireless of Things (WoT) devices.
Some Symmetric Key Cryptosystems (SKC) use smaller keys, which can be fitted in the tiny devices.
In large networks where the number of nodes is in the order of 103, the memory constraint does not allow the system to do so.
arXiv Detail & Related papers (2023-11-20T16:00:02Z) - Security assessment of common open source MQTT brokers and clients [0.0]
Message Queuing Telemetry Transport protocol (QMTT) is the de facto standard and the most common alternative for those limited devices that cannot leverage.
The protocol was designed with no security concern since initially designed for private networks of the oil and gas industry.
Since is widely used for real applications, it is under the lens of the security community, also considering the widespread targeting IoT devices.
arXiv Detail & Related papers (2023-09-07T08:08:54Z) - Network Security in the Industrial Control System: A Survey [11.926258867333686]
In recent years, there has been much research on the security of the ICS network.
In this paper, we give a complete review of the protocols that are usually used in ICS.
Then, we give a comprehensive review on network security in terms of Defence in Depth (DiD)
arXiv Detail & Related papers (2023-08-07T11:19:24Z) - Practical quantum secure direct communication with squeezed states [55.41644538483948]
We report the first table-top experimental demonstration of a CV-QSDC system and assess its security.
This realization paves the way into future threat-less quantum metropolitan networks, compatible with coexisting advanced wavelength division multiplexing (WDM) systems.
arXiv Detail & Related papers (2023-06-25T19:23:42Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.