College of Science and Engineering | University of Houston ...



CSCI 5931 Project 2

System Design Specification

Project 2

Encryption/Decryption functions for NS-2

Class: CSCI 5931

Section 1

Name:

Sam Tran

Tuan Anh Nguyen

Houston - April 25, 2004

Revision History

|Version |Completion Date |Authors |Description |

|1.0 |04/07/2005 |Sam Tran Phu Manh |Abstract, general design |

| | |Tuan Anh Nguyen | |

| | | | |

| | | | |

| | | | |

| | | | |

|Version |Completion Date |Authors |Description |

|2.0 |04/25/2005 |Sam Tran Phu Manh |Detail design, implementation |

| | | |Simple demonstration |

| | |Tuan Anh Nguyen | |

| | | | |

| | | | |

| | | | |

Acknowledgment

We would like to thank my class mates. During the process of working on the project, we learn many things from them and from their works. We also thank Delta PCLAB for giving us its facility for printing this document.

Finally, we would like to acknowledge our family members for their love, sacrifice and understanding.

Table of content

Acknowledgment 3

I. Problem Statement 5

II. Introduction 6

2.1. Purpose 6

2.2 Scope 6

2.3. Intended Audience 6

III. General Design 7

3.1. Approach 7

3.2. Implementation process 7

IV. Implementation 9

4.1. Detail design 9

4.2. Implementation 10

4.3. Simple demonstration 10

V. Appendix 12

5.1 New protocol source code for NS-2 (c++): 12

5.2 TCL script for simple demonstration 17

VI. Reference Documents 19

Problem Statement

NS-2 is an open source and very popular network simulation system. It provides support for IP protocols suite and many standard routing protocols for wire and wireless networks.

Implementation of security on NS-2 is necessary in network simulation. However, currently, NS-2 does not support these features. Our project will aim to solve this issue.

The purpose of the project is to find a way to add encryption/decryption features into network simulation program NS-2. For the purposes of this analysis, the assumption is that the key is pre-shared and the encryption/decryption algorithm is illustrative.

3 Introduction

1 Purpose

The purpose of this System Design Specification (SDS) document is to describe the design requirements for adding encryption/decryption features into NS-2. This SDS is intended to ensure that the developers and/or implementers produce an application that fulfills SDS. It will also serve as training material for any potential new project members to obtain enough information about the project implementation that they can be efficiently and effectively integrated into the project team.

2 Scope

This design specification document provides the frame work for the implementation process. It is a blueprint from which we implement the system.

Our project is an add-in component. It requires NS-2 version 2.27 already installed in one computer. The encryption and decryption algorithm is only illustrative.

4 Intended Audience

This document is intended for use by the technical members of the project team, including the software developers, system testers, and researchers who need to do experiments with NS-2.

SDS plays a pivotal role in the development and maintenance of software systems. During its lifetime, a given design description is used by project managers, quality assurance staff, configuration managers, software designers, programmers, testers, and maintainers. Each of these users has unique needs, both in terms of required design information and optimal organization of that information. Hence, a design description must contain all the design information needed by those users.

4 General Design

1 Approach

NS-2 is an open source system that is developed using C++ and Tool Control Language TCL. Researchers can freely add new components to the system to server their own purposes. The latest version of NS-2 is version 2.28. Within this version, most of the standard protocols supported. You can find protocol from media access layer protocols such as CSMA/CD up to application protocols as FTP and HTTP. For routing protocols, there are unicast and multicast routing protocols for wire network and DSR, DSDV, AODV for wireless ad-hoc networks. Most of these protocols were developed by researchers and adopted into standard version of NS-2.

In order to experiment security features for network, we need to add security functions into NS-2. Of course for specific experiments there are specific requirements. The purpose of this project is only to illustrate a way to add security functions into NS-2

Our approach is to build a new protocol at network layer – IP layer. We also define new packet format to represent new protocols. The new protocol is represented by a class derived from built-in class in NS-2. Within new derived class we will add encryption and decryption for data field in the data packet. We will also implement message digest generation function to ensure the integrity of data packet during transmission. We consider our data as plain text. The cryptography algorithm is CESAR cipher

The programming language is C++.

Environment development requirements:

- Personal Computer Windows 2000 professional and later.

- Cygwin Unix Simulation

- NS-2 version 2.27

- C/C++ editor.

2 Implementation process

Marc Greis's tutorial shows how to add a new packet protocol to NS-2 (Figure 1). The

new packet class is created in the folder ../apps. After that, the new packet name has

to register to the packet.h. Of course, the makefile has to be modified so that the

new class is complied. At the TCL layer, the new packet must be declared by adding the name and default packet size value to the ns-default.tcl file. Finally, we have to

make an entry for the new packet in the ns-packet.tcl file. After recompile the ns-2,

we can use the new packet for our simulation (Figure 2).

Figure 1: Flow chart of adding new protocol to NS-2

Figure 1: Flow chart of adding new protocol to NS-2

Figure 2: Screen shot of the new packet (Security_packet) on NS-2

We propose to build a new packet class carrying data. The methods of the class include some algorithms of encryption and decryption as well as generate messages digest functions for integrity. Cesar cipher is selected to demo encrypt and decrypt algorithms. The message digest generator is the hash function in C++. (Note: The proposed implementation might be extended based on the requirements of the instructor)

5 Implementation

1 Detail design

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

| |

|Figure 3. Logical design of the encryption/decryption system |

Hash function:

Using a simple hashing algorithm to get hashed value from a string of plain text. The hash value will be attached to packet header for data integrity checking. At the other end of communication, after decryption, the decrypted text will be hashed again to get new hashed value. This new hashed value will be compared to the value attached within packet header. If they are equal, the data integrity is ensured and decrypted text is accepted; otherwise the packet is discarded. In either case, an acknowledge packet will be sent back to sender to inform of the status of the packet.

The algorithm for the hash function can be any kind of algorithm like SHA-1, MD5. Because the shortage of time and the complexity of those algorithms, we chose to implement very simple polynomial algorithm [7] that we collect from the internet.

Encryption/decryption functions:

For encryption and decryption feature we implement CESAR cipher with pre-shared key of 3.

These cryptographic functions take input as a string of plain text and shift the ASCII value of each character in the text three positions. Any encryption/decryption algorithm with symmetric key can be implemented here. Some examples for encryption/decryption algorithms that can be implemented are DES, 3DES, EAS, Blowfish.

2 Implementation

Hash function:

unsigned int Security_packetAgent::hashing(char value[], unsigned int len)

{

char *word = value;

unsigned int ret = 0;

unsigned int i;

for(i=0; i < len; i++)

{

int mod = i % 32;

ret ^=(unsigned int) (word[i]) > (32 - mod);

}

return ret;

}

Encryption function:

void Security_packetAgent::encryption(char out[])

{

int key =3;

int i=0;

for (i=0;iret = 0;

hdr->seq = seq++;

// Store the current time in the 'send_time' field

hdr->send_time = Scheduler::instance().clock();

// copy date to be sent to header

strcpy(hdr->data, argv[2]);

//----------------hashing------------------------

hdr->hashvalue = hashing(hdr->data,(unsigned int)strlen(hdr->data));

printf("Message sent %s with hashing %d\n",hdr->data,hdr->hashvalue);

// ---------- encrypt the data ---------------

encryption(hdr->data);

//-----------------------------------

// Send the packet

send(pkt, 0);

// return TCL_OK, so the calling function knows that

// the command has been processed

return (TCL_OK);

}

else if (strcmp(argv[1], "start-WL-brdcast") == 0) {

Packet* pkt = allocpkt();

hdr_ip* iph = HDR_IP(pkt);

hdr_security_packet* ph = hdr_security_packet::access(pkt);

strcpy(ph->data, "test");

iph->daddr() = IP_BROADCAST;

iph->dport() = iph->sport();

ph->ret = 0;

send(pkt, (Handler*) 0);

return (TCL_OK);

}

else if (strcmp(argv[1], "oneway") == 0) {

oneway=1;

return (TCL_OK);

}

}

// If the command hasn't been processed by SecurityAgent()::command,

// call the command() function for the base class

return (Agent::command(argc, argv));

}

// -- CESAR encryption function ----------

void Security_packetAgent::encryption(char out[])

{

int key =3;

int i=0;

for (i=0;idaddr() == IP_BROADCAST)

{

if (hdr->ret == 0)

{

printf("Recv BRDCAST Security_packet REQ : at %d.%d from %d.%d\n", here_.addr_, here_.port_, hdrip->saddr(), hdrip->sport());

Packet::free(pkt);

// create reply

Packet* pktret = allocpkt();

hdr_security_packet* hdrret = hdr_security_packet::access(pktret);

hdr_cmn* ch = HDR_CMN(pktret);

hdr_ip* ipret = hdr_ip::access(pktret);

hdrret->ret = 1;

// add brdcast address

ipret->daddr() = IP_BROADCAST;

ipret->dport() = ipret->sport();

send(pktret, 0);

}

else

{

printf("Recv BRDCAST security_packet REPLY : at %d.%d from %d.%d\n", here_.addr_, here_.port_, hdrip->saddr(), hdrip->sport());

Packet::free(pkt);

}

return;

}

// end of broadcast mode

if (hdr->ret == 0)

{

// Send an 'echo'. First save the old packet's send_time

double stime = hdr->send_time;

//---------decrypt encrypted packet-------------//

char original_data[128];

char encrypted_data[128];

strcpy(encrypted_data,hdr->data); //copy the data of the original packet

strcpy(original_data,hdr->data);

int rcv_seq = hdr->seq;

//----------------show the encrypted packet at receiving node-----------//

char out[105];

unsigned int newhash;

char authenticate_result[50];

// show encryted data then decrytp it and show

decryption(original_data);

newhash=hashing(original_data,strlen(original_data));

if(newhash==hdr->hashvalue)

{

printf("data intergity ensured\n");

strcpy(authenticate_result,"Message_Accepted");

}

else

{

printf("data modified %d\n",newhash);

strcpy(authenticate_result,"MESSAGE_ERRROR-Integrity violation");

}

sprintf(out, "%s recv %d %3.1f %s %s %d", name(), hdrip->src_.addr_ >> Address::instance().NodeShift_[1],

(Scheduler::instance().clock()-hdr->send_time) * 1000, encrypted_data, original_data,hdr->hashvalue);

Tcl& tcl = Tcl::instance();

tcl.eval(out);

// Discard the packet

Packet::free(pkt);

// Create a new packet

Packet* pktret = allocpkt();

// Access the header for the new packet:

hdr_security_packet* hdrret = hdr_security_packet::access(pktret);

// Set the 'ret' field to 1, so the receiver won't send

// another echo

hdrret->ret = 1;

// Set the send_time field to the correct value

hdrret->send_time = stime;

hdrret->rcv_time = Scheduler::instance().clock();

hdrret->seq = rcv_seq;

strcpy(hdrret->data, authenticate_result);//save data to new packet

// Send the packet back to the originator

send(pktret, 0);

}

else

{

char out[105];

// showing at originator node when packet comes back

sprintf(out, "%s recv %d %3.1f %s _ %d", name(), hdrip->src_.addr_ >> Address::instance().NodeShift_[1],

(Scheduler::instance().clock()-hdr->send_time) * 1000, hdr->data, hdr->hashvalue);

Tcl& tcl = Tcl::instance();

tcl.eval(out);

// Discard the packet

Packet::free(pkt);

}

}

2 TCL script for simple demonstration

#-----------------------------------

# Dated: April 25,2005

# Created: Sam Tran and Tuan Nguyen.

# File name: security_

#-----------------------------------

#Create a simulator object

set ns [new Simulator]

#Define different colors for data flows (for NAM)

$ns color 1 Blue

$ns color 2 Red

#Open a trace file

set nf [open out.nam w]

$ns namtrace-all $nf

#Define a 'finish' procedure

proc finish {} {

global ns nf

$ns flush-trace

close $nf

exec nam out.nam &

exit 0

}

#Create four nodes

set n0 [$ns node]

set n1 [$ns node]

set n2 [$ns node]

set n3 [$ns node]

set n4 [$ns node]

set n5 [$ns node]

#Create links between the nodes

$ns duplex-link $n0 $n2 5Mb 10ms DropTail

$ns duplex-link $n1 $n2 5Mb 10ms DropTail

$ns duplex-link $n2 $n3 1.5Mb 10ms DropTail

$ns duplex-link $n3 $n4 5Mb 10ms DropTail

$ns duplex-link $n3 $n5 5Mb 10ms DropTail

#Set Queue Size of link (n2-n3) to 100

$ns queue-limit $n2 $n3 100

$ns duplex-link-op $n0 $n2 orient right-down

$ns duplex-link-op $n1 $n2 orient right-up

$ns duplex-link-op $n2 $n3 orient right

$ns duplex-link-op $n3 $n4 orient right-up

$ns duplex-link-op $n3 $n5 orient right-down

#Define a 'recv' function for the class 'Agent/Security_packet'

Agent/Security_packet instproc recv {from rtt mess originmess hash} {

$self instvar node_

puts "node [$node_ id] received packet from \

$from with trip-time $rtt ms - contend: $mess - decrypted $originmess -hash: $hash"

}

#Create two security agents and attach them to the nodes n0 and n2

set p0 [new Agent/Security_packet]

$ns attach-agent $n0 $p0

$p0 set class_ 1

set p1 [new Agent/Security_packet]

$ns attach-agent $n1 $p1

$p1 set class_ 1

set p2 [new Agent/Security_packet]

$ns attach-agent $n4 $p2

$p2 set class_ 2

set p3 [new Agent/Security_packet]

$ns attach-agent $n5 $p3

$p3 set class_ 2

#Connect the two agents

$ns connect $p0 $p3

$ns connect $p1 $p2

#Schedule events

for {set i 1} {$i < 2} {incr i} {

set result [expr $i /2]

$ns at $result "$p0 send itisalongmessageIcansend"

$ns at [expr $result + 0.02] "$p1 send Itisashotermessage"

$ns at [expr $result + 0.04] "$p2 send test3"

$ns at [expr $result + 0.06] "$p3 send test4"

}

$ns at 1.0 "finish"

#Run the simulation

$ns run

7 Reference Documents

[1]. SDS Outline, The University of Texas at Austin, 1999.

from the World Wide Web:

[2]. Nguyen Viet Phuong, Vu Tat Dat, Nguyen Anh Tuan, Dinh Ngoc Lan, Elevator Simulation System System Design Specification, 2003.

[3]. Matt Bishop, Computer Security: Art+Science, Publisher Addison Wesley

[4]. Jess Garms and Daniel Somerfield, Professional Java Security ,Wrox Press Ltd.

[5]. Marc Greis (2005). Tutorial for the network simulator ns. Retrieved 3/28/05 from:

[6]. Free Information Society (2005). Hash Table Class. Retrieved 4/4/05 from:

[7] Hash function implemented in C++ with polynomial algorithm. Retrieved 4/14/05 from

.

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download