{"id":370,"date":"2012-09-24T17:13:29","date_gmt":"2012-09-24T15:13:29","guid":{"rendered":"https:\/\/samovar2022.int-evry.fr\/index.php\/2012\/09\/24\/soutenance-these-de-jean-michel-combes\/"},"modified":"2020-09-04T18:46:58","modified_gmt":"2020-09-04T16:46:58","slug":"soutenance-these-de-jean-michel-combes","status":"publish","type":"post","link":"https:\/\/samovar.telecom-sudparis.eu\/index.php\/2012\/09\/24\/soutenance-these-de-jean-michel-combes\/","title":{"rendered":"Defense: PhD thesis of Jean-Michel Combes"},"content":{"rendered":"<p>Friday <strong>28 September<\/strong> 2012 at <strong>10:00<\/strong> in <strong>room A003<\/strong>. <\/p>\n<p><strong>\u00ab\u00a0Utilisation d&rsquo;identifiants cryptographiques pour la s\u00e9curisation IPv6\u00a0\u00bb<\/strong> (Use of cryptographic identifiers to secure IPv6). <\/p>\n<p>This thesis was prepared under the supervision of Professor Maryline Laurent, within the R3S team of the CNRS SAMOVAR laboratory and the MAPS\/STT\/NDS laboratory of Orange Labs. <\/p>\n<p><strong>Jury composition:<\/strong><\/p>\n<p>&#8211; Jean-Marie BONNIN, Professor (HDR), Telecom Bretagne, France (Reviewer)<br \/>\n&#8211; C\u00e9sar VIHO, Professor (HDR), IRISA, France (Reviewer)<br \/>\n&#8211; S\u00e9bastien TIXEUIL, Professor (HDR), Universit\u00e9 Pierre et Marie Curie, France (Examiner)<br \/>\n&#8211; Anas Abou EL KALAM, Professor (HDR), ENSA de Marrakech, Morocco (Examiner)<br \/>\n&#8211; Mohsen SOUISSI, PhD, AFNIC, France (Examiner)<br \/>\n&#8211; Maryline LAURENT, Professor (HDR), T\u00e9l\u00e9com SudParis, France (Thesis supervisor)<\/p>\n<p><strong>Summary:<\/strong><\/p>\n<p>IPv6, the protocol succeeding IPv4, is being deployed in the Internet. It relies heavily on the Neighbor Discovery Protocol (NDP) mechanism. 
NDP not only lets two IPv6 nodes communicate, like the Address Resolution Protocol (ARP) mechanism in IPv4, but it also brings new functions, such as IPv6 address autoconfiguration. Securing it is therefore critical for the proper operation of the Internet over IPv6. Its security mechanism, standardized at the Internet Engineering Task Force (IETF), is called Secure Neighbor Discovery (SEND). It relies both on cryptographic identifiers, IPv6 addresses called Cryptographically Generated Addresses (CGA) that are generated from a public\/private key pair, and on X.509 electronic certificates. The purpose of this thesis is the study of these cryptographic identifiers, CGA addresses, as well as the SEND mechanism that uses them, and their potential reuse to secure IPv6.<br \/>\nIn the first part of this thesis, we first set out the state of the art. We recall the main features of the IPv6 protocol and in particular its addressing, which includes CGA addresses. We then detail the NDP mechanism and its use for IPv6 address autoconfiguration. Finally, we recall the mobility mechanism for IPv6 nodes, Mobile IPv6 (MIPv6).<br \/>\nIn the second part of this thesis, we examine the reliability of the main known mechanism using CGA addresses, SEND. First, we describe the security flaws of the NDP mechanism and present the SEND mechanism. 
Next, we analyze the limits of this mechanism, as well as of CGA addresses, and propose improvements to address them.<br \/>\nIn the third and last part of this thesis, we present uses of cryptographic identifiers to secure IPv6. First, we address the problem of fighting source IP address spoofing. We recall the threats and the techniques existing today, including their limits, since they can only mitigate it. We then describe the Source Address Validation Improvements (SAVI) solutions, to which we contributed, which improve the protection against source IP address spoofing and rely, among other things, on the NDP and SEND mechanisms. Second, we address security at the IPv6 layer through IPsec, and in particular the Internet Key Exchange version 2 (IKEv2) mechanism, which allows dynamic configuration of IPsec connections. This mechanism uses authentication methods that have certain limits. We therefore describe an alternative method relying on CGA addresses, together with its implementation. We finally present a concrete use case in the context of MIPv6. Lastly, we examine the security of dynamic updates in the Domain Name System (DNS) architecture. We show that it suffers from limits, in particular in an IPv6 address autoconfiguration context, and we propose a new security solution addressing them. 
This solution is based on two types of cryptographic identifiers: Identity-Based Cryptography (IBC), where the public part of a public\/private key pair is the identity itself, and CGA addresses. We finally describe how we implemented this solution. <\/p>\n<p><strong>Abstract:<\/strong> <\/p>\n<p>IPv6, the next Internet protocol after IPv4, is under deployment in the Internet. It is strongly based on the Neighbor Discovery Protocol (NDP) mechanism. First, it allows two IPv6 nodes to communicate, like the Address Resolution Protocol (ARP) mechanism in IPv4, but it also brings new functions, such as IPv6 address autoconfiguration. So the security of this mechanism is critical for an Internet based on IPv6. The security mechanism standardized by the Internet Engineering Task Force (IETF) is Secure Neighbor Discovery<br \/>\n(SEND). It is based on the use of cryptographic identifiers, IPv6 addresses named Cryptographically Generated Addresses (CGA) and generated from a public\/private key pair, and on X.509 certificates. The goal of this PhD thesis is the study of such cryptographic identifiers, CGA addresses, as well as SEND, which uses them, and their potential reuse to secure IPv6.<br \/>\nIn the first part of this thesis, we recall the main features of the IPv6 protocol and especially its addressing, which includes CGA addresses. Next, we describe the NDP mechanism and its use for IPv6 autoconfiguration. Finally, we recall the protocol providing IPv6 node mobility, Mobile IPv6 (MIPv6).<br \/>\nIn the second part of this thesis, we are interested in the reliability of the main known mechanism using CGA addresses, SEND. First, we describe the security threats to the NDP mechanism and present the SEND specifications. 
Next, we analyze its limitations and propose improvements for SEND and CGA addresses.<br \/>\nIn the third and last part of this thesis, we present different uses of cryptographic identifiers to secure IPv6. In a first step, we look at protection against source IP address spoofing. We recall current security threats and the methods to mitigate them, as well as their limitations. Then, we describe the Source Address Validation Improvements (SAVI) solutions, to which we contributed, that improve protection against source IP address spoofing. These solutions are based on IPv6 address assignment protocols, such as the NDP and SEND mechanisms. In a second step, we look at the security of the IPv6 layer, provided by IPsec, and especially the Internet Key Exchange version 2 (IKEv2) mechanism that dynamically configures IPsec connections. This mechanism uses authentication methods that have limitations. So we describe a new alternative method based on CGA addresses and its implementation. Finally, we present a concrete use case in the IPv6 mobility context. In a last step, we look at the security of Domain Name System (DNS) dynamic update. We show that it suffers from limitations in an IPv6 autoconfiguration context and we propose a new method solving them. This method is based on two types of cryptographic identifiers: Identity-Based Cryptography (IBC), where the public part of a public\/private key pair is the identity itself, and CGA addresses.<\/p>\n<hr \/>\n","protected":false},"excerpt":{"rendered":"<p>Friday 28 September 2012 at 10:00 in room A003. \u00ab\u00a0Utilisation d&rsquo;identifiants cryptographiques pour la s\u00e9curisation IPv6\u00a0\u00bb. This thesis was prepared under the supervision of Professor Maryline Laurent, within the R3S team of the CNRS SAMOVAR laboratory and the MAPS\/STT\/NDS laboratory of Orange Labs. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[7],"tags":[]}