Chapter 3 Related Work
3.1 Self-Certifying Address
In order to provide a transition to a comprehensive IPSec infrastructure, Cryptographically Generated Address (CGA) and CAM (Child-Proof Authentication) [15] were proposed. Without a PKI or other security infrastructure, the address owner uses the corresponding private key to assert address ownership, having hashed its own public key and used that hash to generate some of the bits of its own IPv6 address.
Nowadays, many researchers consider CGA (Cryptographically Generated Address) [16] one of the most promising authentication solutions for Binding Update. The attractive part of this technique is that it provides public-key authentication independent of any trusted third parties, PKI, or other global infrastructure. That is, CGA can work even without global infrastructure, so it can provide peer-to-peer communication with a certain level of security.
We cannot discuss Cryptographically Generated Address (CGA) without mentioning CAM (Child-Proof Authentication), the initial work behind CGA. Greg O’Shea and Michael Roe presented CAM (Child-Proof Authentication) for Mobile IPv6 in [16]. Their work makes a mobile node use a partial hash of its public key for its IPv6 address to prevent falsification of the network address.
When a mobile node employs the CAM mechanism, it creates a (public, private) key pair, derives the low-order 64 bits from the MAC (EUI-64 identifier) address and listens to router advertisements to obtain its high-order 64-bit address prefix. Generally, the lower 64 bits come from the interface’s MAC address, but in CAM or CGA the node generates the interface ID from a cryptographic one-way hash, computed with the SHA-1 algorithm, of the node’s public key.
The CAM protocol requires the hash algorithm to be one-way, so that inverting the hash is infeasible. Messages sent from an IPv6 mobile node can be protected by attaching the public key and those parameters. This kind of solution can work without a certificate authority or other security infrastructure.
Besides, it is important to note that CAMs themselves are not certified. The CAM protocol cannot protect against an attacker who deliberately generates an address with its own or someone else's public key and communicates with victims, such as the Mobile Node or Correspondent Node, but it can certainly provide non-repudiation proof in this protocol.
That is, an attacker cannot take an address generated by someone else and then send signed messages pretending to be the owner of that address.
Even though using a 62-bit value may be a tough requirement for most low-end devices, such as handheld PDAs and cell phones, it is better to change keys several times during a day. Generally, a given key must be retained for the duration of any existing TCP connections, so that the Mobile Node can operate without the Home Agent during the lifetime of this key and can safely communicate with the correspondent without security infrastructure. In addition, during the transition to a new key, the previous key (and associated Home Address) can remain in use.
Besides CAM, CGA is also a technique that provides an intermediate level of security, which is below public-key authentication but above routing-based weak methods (RR). The idea, originally introduced in CAM, is to form the last 64 bits of the IP address (the interface identifier) by hashing the host's public signature key. The mobile node generates a public key pair, and Binding Updates can then be signed with this key. A secure one-way hash function makes it difficult for the attacker to come up with a key that matches a given address and to forge signed BUs. The attraction of this technique is that it provides public-key authentication independent of any trusted third parties, PKI, or other global infrastructure.
Let us take a look at CGA format:
Modifier: A 128-bit unsigned integer; this value adds randomness to the address during CGA generation.
Subnet Prefix: The 64-bit subnet prefix of the CGA.
Collision Count: During CGA generation, the collision count is increased when a duplicated address is detected.
Public Key: A variable-length field containing the public key of the address owner.
A CGA is associated with the above parameters and is composed from Hash1 and Hash2, which are computed from those parameters.
Figure 8 CGA packet format
CGA generation
To generate a CGA, we need several input values: the modifier, subnet prefix, collision count, public key and security parameter. To prevent an attacker from using a pre-computed database across subnet prefixes, the subnet prefix is included as a parameter in the hash computation.
Using the modifier, 9 zero octets, and the public key, a Hash2 value can be computed. The 16×sec leftmost bits of Hash2 are compared with zero to check whether sec = 0; the procedure goes back to Hash2 generation if sec is not equal to zero. By concatenating the modifier value, the subnet prefix, the collision count and the public key and applying the SHA-1 algorithm, a Hash1 value can be derived.
Figure 9 CAM structure
Figure 10 CGA format with sec fields
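The generation steps above together with the matching receiver-side check, as an added example that is not code from this thesis or from the CGA specification: it follows the RFC 3972 procedure, in which the modifier is incremented until the 16×Sec leftmost bits of Hash2 are zero and the interface identifier is taken from Hash1. The key bytes, the prefix and all function names are constructed for illustration, and duplicate address detection (the collision count) is not simulated.

```python
import hashlib
import os

# Constructed sample inputs (assumptions): a stand-in for the DER-encoded
# public key, and a 64-bit prefix from the 2001:db8::/32 documentation range.
PUBKEY = b"constructed-public-key-bytes"
PREFIX = bytes.fromhex("20010db800000001")
IID_MASK = bytes([0x1C]) + b"\xff" * 7  # ignore Sec (3 bits) and the u/g bits

def hash1(modifier, prefix, coll, pubkey):
    # Leftmost 64 bits of SHA-1(modifier || subnet prefix || collision count || key)
    return hashlib.sha1(modifier + prefix + bytes([coll]) + pubkey).digest()[:8]

def hash2(modifier, pubkey):
    # Leftmost 112 bits of SHA-1(modifier || 9 zero octets || key)
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def generate(pubkey, prefix, sec, modifier=None):
    m = int.from_bytes(modifier or os.urandom(16), "big")
    while True:
        mod = m.to_bytes(16, "big")
        # Accept once the 16*sec leftmost bits (2*sec octets) of Hash2 are zero
        if hash2(mod, pubkey)[:2 * sec] == bytes(2 * sec):
            break
        m = (m + 1) % (1 << 128)  # otherwise increment the modifier and retry
    coll = 0  # duplicate address detection is not simulated here
    iid = bytearray(hash1(mod, prefix, coll, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)  # write Sec, clear the u and g bits
    return mod, coll, prefix + bytes(iid)

def verify(address, mod, coll, pubkey):
    if len(address) != 16 or len(mod) != 16 or coll not in (0, 1, 2):
        return False
    prefix, iid = address[:8], address[8:]
    sec = iid[0] >> 5
    h1 = hash1(mod, prefix, coll, pubkey)
    # Hash1 must equal the interface identifier outside the masked bits
    if any((a ^ b) & k for a, b, k in zip(h1, iid, IID_MASK)):
        return False
    # Hash2 must still show the 16*sec leading zero bits claimed by Sec
    return hash2(mod, pubkey)[:2 * sec] == bytes(2 * sec)

if __name__ == "__main__":
    mod, coll, addr = generate(PUBKEY, PREFIX, sec=1)
    print(addr.hex(), verify(addr, mod, coll, PUBKEY))
```

Because the subnet prefix is an input to Hash1, the same interface identifier no longer verifies under a different prefix, which is why a node that changes subnet has to recompute its address.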
The main weakness of the CAM scheme is that only 62 bits of the IP address can be used for the hash. Thus, it is vulnerable to brute-force attack, as attackers could easily find a matching signature key with current computing power. That is why CGA proposed a way of extending the hash by including the subnet prefix in it. This forces the attacker to perform the search separately for each subnet prefix. The attacker may still create a global table of hash values and their corresponding keys, even if that seems impractical because of the large storage needed. A side effect of the idea is that it works only for globally routable addresses, not for link-local addresses. It is also relatively expensive for a Mobile Node to recompute the hash when it moves to another network and changes its subnet.
CGA Signaling Diagram
Although the correctness of the claimed address is assured, CGA still needs a minimal address testing procedure for both the home and care-of addresses. However, one of the main goals of CGA is to reduce the latency caused by signaling.
The CGA protocol provides two kinds of signaling: initial contact establishment and subsequent messaging. The initial signaling should be rerun at least once every 24 hours.
The signaling process for initial contact is listed below.
1. MN to CN (via HA): Pre Binding Update
2a. CN to MN (via HA): Pre Binding Acknowledgement
2b. CN to MN (directly): Pre Binding Test
3. MN to CN (directly): Binding Update + ESN + CGA Key + SIG + BAD
4. CN to MN (directly): Binding Acknowledgment + ESN + SKey + BAD
The signaling for subsequent messaging is shown below.
1. MN to CN (directly): Care-of Test Init [+ ESN + KeepFlow + BAD]
2. CN to MN (directly): Care-of Test
3. MN to CN (directly): Binding Update + NI + ESN + BAD
4. CN to MN (directly): Binding Acknowledgment + ESN + BAD
ESN (extended sequence number): a 64-bit unsigned integer, increased by the mobile node when sending a new message to the correspondent.
SIG (signature): the SIG option contains the signature produced by the mobile node with the CGA's private key.
BAD (Binding Authorization Data option): an authentication code generated by the MN to prevent replay attacks.
SKey (shared key): Binding Acknowledgment messages sent by the correspondent node use the SKey option to carry a key encrypted with the mobile node's public key.
Signature option: the Signature option is calculated with the mobile node's private key.
CGA Key option: the CGA Key option is used to carry the mobile node's CGA public key and other parameters. A Binding Update sent by the Mobile Node with this option is signed with the CGA's corresponding private key.
Readers will notice that the Home Address Test does not show up in the subsequent messaging process. It is no longer needed for the continuing message exchange. The correspondent node responds with a Binding Acknowledgment after receiving the signature and verifying the address owner's public key in the BU message. Through the ESN sent with the Binding Update, the Correspondent Node can prevent replay attacks that use a past BU message.
Generating new public keys and changing addresses at regular intervals should also discourage brute-force attacks. Note that CGAs themselves are not certified, so a malicious node may create a new CGA from any subnet prefix and its own public key.
This concept addresses the limitation of the cryptographically generated addresses (CGA).
Although CGAs prevent the theft of another host's address, they do not stop the attacker from inventing new false addresses with an arbitrary routing prefix. The attacker can generate a public key and a matching IP address in any network and use it to launch bombing attacks. So, there is a trade-off: the stronger and more complex the key, the more computation it consumes on resource-limited mobile devices.
We can conclude that, for both PKI-based and CGA-based mechanisms, while the public-key protocols provide reasonable protection against unauthentic BUs, they are computationally intensive, and therefore the participants are exposed to denial-of-service attacks.