TY - JOUR
T1 - Keychain-based signatures for securing BGP
AU - Yin, Heng
AU - Sheng, Bo
AU - Wang, Haining
AU - Pan, Jianping
N1 - Funding Information:
Manuscript received 7 November 2009; revised 1 May 2010. This work was partially supported by ONR grant N00014-09-1-0746 and NSF grant 0901537. Heng Yin is with the Department of Electrical Engineering and Computer Science, Syracuse University, Syracuse, New York 13244. Bo Sheng is with the Department of Computer Science, University of Massachusetts Boston, Boston, MA 02125. Haining Wang is with the Department of Computer Science, College of William and Mary, Williamsburg, VA 23187. Jianping Pan is with the Department of Computer Science, University of Victoria, BC, Canada. Digital Object Identifier 10.1109/JSAC.2010.101008.
PY - 2010/10
Y1 - 2010/10
N2 - As a major component of Internet routing infrastructure, the Border Gateway Protocol (BGP) is vulnerable to malicious attacks. While Secure BGP (S-BGP) provides a comprehensive framework to secure BGP, its high computational cost and low incremental deployment benefits seriously impede its wide usage in practice. Using a lightweight symmetric signature scheme, SPV is much faster than S-BGP. However, the speed boost comes at the price of prohibitively large signatures. Aggregated path authentication reduces the overhead of securing BGP in terms of both time and space, but the speed improvement is still limited by public key computation. In this paper, we propose a keychain-based signature scheme called KC-x. It has low CPU and memory overheads and provides strong incentive for incremental deployment on the Internet. As a generic framework, KC-x has the flexibility of using different signature algorithms, which can even co-exist in a hybrid deployment. We investigate two implementations of KC-x: KC-RSA based on RSA and KC-MT based on Merkle hash tree. Using real BGP workloads, our experimental results show that KC-RSA is as efficient as SAS-V (the most efficient software approach for aggregated path authentication), and KC-MT is even three times faster than SPV with 40% smaller signatures. Through the hybrid deployment of KC-MT and KC-RSA, KC-x can achieve both small signature and high processing rate for BGP speakers.
AB - As a major component of Internet routing infrastructure, the Border Gateway Protocol (BGP) is vulnerable to malicious attacks. While Secure BGP (S-BGP) provides a comprehensive framework to secure BGP, its high computational cost and low incremental deployment benefits seriously impede its wide usage in practice. Using a lightweight symmetric signature scheme, SPV is much faster than S-BGP. However, the speed boost comes at the price of prohibitively large signatures. Aggregated path authentication reduces the overhead of securing BGP in terms of both time and space, but the speed improvement is still limited by public key computation. In this paper, we propose a keychain-based signature scheme called KC-x. It has low CPU and memory overheads and provides strong incentive for incremental deployment on the Internet. As a generic framework, KC-x has the flexibility of using different signature algorithms, which can even co-exist in a hybrid deployment. We investigate two implementations of KC-x: KC-RSA based on RSA and KC-MT based on Merkle hash tree. Using real BGP workloads, our experimental results show that KC-RSA is as efficient as SAS-V (the most efficient software approach for aggregated path authentication), and KC-MT is even three times faster than SPV with 40% smaller signatures. Through the hybrid deployment of KC-MT and KC-RSA, KC-x can achieve both small signature and high processing rate for BGP speakers.
KW - BGP
KW - Keychain-based Signature
KW - Performance Optimization
KW - Secure Routing Protocol
UR - http://www.scopus.com/inward/record.url?scp=77957554104&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77957554104&partnerID=8YFLogxK
U2 - 10.1109/JSAC.2010.101008
DO - 10.1109/JSAC.2010.101008
M3 - Article
AN - SCOPUS:77957554104
SN - 0733-8716
VL - 28
SP - 1308
EP - 1318
JO - IEEE Journal on Selected Areas in Communications
JF - IEEE Journal on Selected Areas in Communications
IS - 8
M1 - 5586443
ER -