A Secured OpenFlow Protocol Using Elliptic Curves Cryptographic for Software Defined Networks

A Software-Defined Network (SDN) architecture was proposed to enhance the performance, flexibility and scalability of networks. However, SDN features such as centralized controlling, network programmability and virtualization present new security challenges to networks. This article will address security challenges related to SDN connection data transfer channels (i.e., control layer and infrastructure layer) and propose a novel connection data transfer channels architecture based on an OpenFlow protocol. Existing SDN OpenFlow protocols rely on higher layer secure mechanisms such as TLS (Transport Layer Security) / SSL (Secure Sockets Layer) sessions. It is concluded that the transfer of secured data using elliptical curve encryption provides a more efficient SDN network. The proposed architecture was implemented in a testbed and its security features were analyzed.


Introduction
The proposed mechanism secures Software-Defined Network data transfer between the control layer and the infrastructure layer with elliptic curve cryptography: data is encrypted and decrypted by the security mechanisms proposed for both layers. The SDN architecture comprises three layers: the application layer, the control layer and the infrastructure layer. Open Application Programmable Interfaces (APIs) carry the communication between the control and infrastructure layers.
• Application Layer: The application layer consists of the end-user business applications and other control elements. The boundary between the application layer and the control layer is crossed through the northbound Open Application Programmable Interfaces (APIs). The SDN architecture offers benefits such as control, flexibility, effective fragmentation, network management, network control, low operating cost, low-cost plug-in devices, and on-demand provisioning of resources [1].
• Control Layer: The control layer consists of a centralized controller which provides unified oversight functions. Essentially, the controller supervises the packet-forwarding functions of the network through an interface. Additionally, it controls all the network processes such as routing, indoctrination, finishes and billing functions. The OpenFlow protocol is the most widely used control protocol in the SDN domain.
• Infrastructure Layer: SDN isolates the control layer from the infrastructure layer of the network and moves the network intelligence to a centralized controller. Consequently, the infrastructure layer now contains low-end switches connected by network links. Wireless access points and the Internet connect to the infrastructure layer, and user traffic is transported through it.
Figure: SDN Architecture.

Security of SDN
SDNs are vulnerable to security threats that can arise in different units of the network. Security threats in an SDN network can be separated into four distinct types: 1) application layer security, 2) control layer security, 3) infrastructure layer security, and 4) layer communication security.
SDNs contain two data transfer channels: control layer data transfer and infrastructure layer data transfer. Thus, the communication security threat can be divided into (1) security relating to control data transfer and (2) security relating to infrastructure data transfer.

Security relating to Control data transfer
The core security issue in relation to control data transfer is a lack of IP-level security. Current SDN control protocols rely on higher-layer secure mechanisms such as TLS (Transport Layer Security)/SSL (Secure Sockets Layer). For example, the widely used OpenFlow protocol uses TLS/SSL-based control data transfer [2]. However, higher-layer secure mechanisms are extremely vulnerable to IP-based attacks such as IP spoofing, denial-of-service (DoS) and reset attacks [2]. Thus, higher-layer defense mechanisms are not able to deliver the required level of durability and security for the control data transfer [2]. Furthermore, a strong authentication mechanism is required between the controller and the infrastructure data transfer; if it is absent, intruders can penetrate valid infrastructure data transfer and launch security attacks on the control data transfer. For example, an attacker can insert fake flow requests to mount performance-related DoS attacks [3]. However, TLS/SSL does not perform strong authentication between layers; for example, the authentication mechanism of TLS/SSL is vulnerable to IP spoofing attacks [2]. Attackers send requests that consume server resources in order to make the controller and infrastructure unresponsive to legitimate traffic.

BEAST (Browser Exploit Against SSL/TLS) attack
The attacker exploits cipher block chaining (CBC) mode in TLS.

RC4 preferences in TLS
The attacker can recover the full plaintext when it is repeatedly encrypted in the same, or in several different, sessions.

Reset attack
The attacker inserts a sequence of TCP reset requests to prematurely reset the communication session.

POODLE attack
The attacker forces a downgrade of the TLS session so that the padding at the end of a CBC block can be manipulated. As a result, the encryption becomes less secure with each pass.

LUCKY 13
The attacker uses a man-in-the-middle attack to recover the plaintext from a Cipher-block chaining encrypted TLS session.
The network controller is the main component of the SDN network because it holds the central intelligence and controls the network's functions. Consequently, attacks on the network controller represent the most serious threats to the structure of the SDN. Control data transfer is the only interface that connects the control layer and the infrastructure layer. Thus, security of the control data transfer is a key factor in ensuring proper communication between the layers. A DoS attack on the SDN controller is presented in [4] in which an attacker continuously sends IP packets with random headers to the controller through the control data transfer channel. This leaves the controller in an unresponsive state and unable to publish flow rules to the data transfer. TLS is optional for controller connections in the latest OpenFlow specification because of its complex configuration [5]: configuration is required to generate site-specific certificates and signed machine certificates corresponding to the site-level private keys for the control data transfer [6]. Thus, many SDN and equipment vendors omit support for TLS in the infrastructure layer. This leaves the control data transfer channel vulnerable to security attacks. The control channel must therefore be secured using other mechanisms.

Security of the SDN data channel
The current SDN traffic architecture is unencrypted, which means attackers can use the mechanisms of an "SDN scanner" to collect network information [7]. This information can then be used to perform attacks such as DoS, reset, replay and spoofing attacks [8]. Furthermore, the current SDN data transfer channel does not contain any integrity protection mechanism. An attacker could therefore modify, divert or destroy flows without being noticed by the network operator. The diversion of data flows may result in a lower quality of service (QoS) between the connected layers [7]. The SDN architecture also requires strong mechanisms for mutual authentication of the data transfer channel. Without them, attackers can impersonate legitimate switches and inject fraudulent traffic flows at the data level [8]. Using this method, an attacker could exhaust the flow tables and reduce the bandwidth available for user traffic [2]. It also affects the control level by causing unnecessary flow requests to the controller [8].

Elliptic Curve Cryptosystem
Elliptic curve cryptography (ECC) is one of the public key encryption algorithms and is based on the theory of elliptic curves over finite fields. It is used to make cryptographic keys smaller, faster and more efficient. The functions and characteristics of elliptic curves have been studied in mathematics for 150 years [9]. Their use in cryptography was suggested for the first time by Neal Koblitz and then Victor Miller in 1985 [10]. ECC has received acceptance in many accredited organizations and in security protocols since the beginning of the 1990s [11].

Elliptic Curves
Elliptic curves are mathematical constructs that have been studied by mathematicians from the seventeenth century onwards [12].

Definition: An elliptic curve $E$ over the finite field $F_q$ is defined by equation (1) [13]:

$$y^2 = x^3 + ax + b, \qquad (1)$$

where $a, b \in F_q$ and $4a^3 + 27b^2 \neq 0 \pmod q$, together with a special point $O$, termed the point at infinity.
The set $E(F_q)$ consists of all points $(x, y)$, $x, y \in F_q$, which satisfy the defining equation (2), together with $O$.

Algebraic Elliptic Curves
The essential operation on an elliptic curve is the addition of points on the curve. To perform the addition of points on elliptic curves an algebraic formula is required. The following result provides such a formula [14].

OpenFlow protocol security methods
To increase the security of the network, the security of the protocol is increased. The protocol is therefore responsible for protecting the transmission of data in a safe, robust and highly efficient way by using an elliptic curve cryptography algorithm to transfer data. Efficiency and reliability will then be increased for each data transmission. The proposed method for protecting the OpenFlow protocol is to use an elliptic curve cryptography algorithm that encrypts and decrypts the data to be transported. Because elliptic curve cryptography both encrypts and decrypts, key generation is essential: every public key and private key needs to be generated. The sender encrypts the message with the receiver's public key, and the receiver decrypts it with its private key. This increases efficiency, and it is therefore useful to have an elliptic curve algorithm that is effective in terms of the size of the data and of the encrypted files. This is achieved in the OpenFlow protocol by replacing the protection formerly provided by TLS sessions, increasing the security of the user protocol. This method will be useful for military intelligence as it facilitates data transfer by encrypting and decrypting data so that only the source and destination can display the information.

Encryption Algorithm
A new group will be defined for encryption. a and b are selected to satisfy the condition 4a^3 + 27b^2 ≠ 0 (mod p); in this case, a and b are smaller than p. E_p(a, b) will represent the group defined by the pair a and b. All pairs (x, y) satisfying the conditions below will be used for encryption. In general, the pairs are found using the following method.
1. For each 0 ≤ x < p, compute x^3 + ax + b (mod p).
2. Determine whether the above result has a square root modulo p. If it does not, x does not occur in E_p. If it does, y has two values, and the pairs (x, y) are used for encryption.
Then P + Q is computed as follows for P, Q ∈ E_p(a, b):
1. P + O = P.
2. If P = (x, y), then P + (x, -y) = O; (x, -y) is the inverse element of P.

Encryption and Decryption
If an attacker knows G and KG, recovering K requires solving the elliptic curve discrete logarithm problem, which is infeasible for curves of suitable size. This is why the encryption algorithm achieves strong security with smaller key sizes.
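As an added worked example, not code from the paper, the following Python script carries out the procedure of the Encryption Algorithm section on a constructed toy curve: it enumerates E_p(a, b) by testing whether x^3 + ax + b has a square root modulo p, implements the point addition that the Algebraic Elliptic Curves section refers to (chord-and-tangent formulas, plus the P + O = P and P + (x, -y) = O cases), and then encrypts and decrypts with the receiver's public key KG and private key K. The paper does not name its exact encryption scheme, so the EC-ElGamal-style construction (C1 = kG, C2 = M + k·KG) is an assumption; the curve E_23(1, 1), the base point G = (3, 10) of order 28, and the key values are constructed for illustration. The brute-force ECDLP function shows why a toy-sized p offers no security and why key size is the parameter that matters.

```python
"""Toy elliptic curve arithmetic and EC-ElGamal-style encryption over F_p.

Constructed example (not the paper's code): E_23(1, 1) with base point
G = (3, 10). The curve is far too small for real use and exists only to
show the operations described in the text.
"""
import secrets

P, A, B = 23, 1, 1          # constructed curve y^2 = x^3 + x + 1 over F_23
O = None                    # the point at infinity


def is_valid_curve(a=A, b=B, p=P):
    """Non-singularity condition 4a^3 + 27b^2 != 0 (mod p)."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0


def sqrt_mod(n, p=P):
    """A square root of n modulo p, or None if none exists (brute force, fine for tiny p)."""
    n %= p
    for y in range(p):
        if (y * y) % p == n:
            return y
    return None


def curve_points(a=A, b=B, p=P):
    """Enumerate E_p(a, b): for each x, test whether x^3 + ax + b is a square mod p."""
    points = []
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        y = sqrt_mod(rhs, p)
        if y is None:
            continue                      # this x does not occur on the curve
        points.append((x, y))
        if y != (p - y) % p:              # y = 0 yields one point, otherwise two
            points.append((x, (p - y) % p))
    return points


def neg(pt, p=P):
    """Inverse element: (x, y) -> (x, -y)."""
    return O if pt is O else (pt[0], (-pt[1]) % p)


def add(pt, q, a=A, p=P):
    """Chord-and-tangent point addition, including P + O = P and P + (-P) = O."""
    if pt is O:
        return q
    if q is O:
        return pt
    x1, y1 = pt
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O
    if pt == q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, pt, a=A, p=P):
    """Scalar multiplication k*pt by double-and-add."""
    result, addend = O, pt
    while k > 0:
        if k & 1:
            result = add(result, addend, a, p)
        addend = add(addend, addend, a, p)
        k >>= 1
    return result


G = (3, 10)     # constructed base point; its order on this curve is 28
N = 28


def keygen(d=None):
    """Receiver's private key K (here d) and public key KG."""
    d = d if d is not None else 1 + secrets.randbelow(N - 1)
    return d, mul(d, G)


def encrypt(msg_pt, pub, k=None):
    """Sender: pick ephemeral k, send C1 = kG and C2 = M + k*KG."""
    k = k if k is not None else 1 + secrets.randbelow(N - 1)
    return mul(k, G), add(msg_pt, mul(k, pub))


def decrypt(cipher, d):
    """Receiver: M = C2 - K*C1."""
    c1, c2 = cipher
    return add(c2, neg(mul(d, c1)))


def ecdlp_bruteforce(base, target):
    """Recover K from G and KG by exhaustive search: feasible only because p is tiny."""
    acc = O
    for d in range(1, N + 1):
        acc = add(acc, base)
        if acc == target:
            return d
    return None


if __name__ == "__main__":
    assert is_valid_curve()
    pts = curve_points()
    print(len(pts), "affine points on E_23(1,1), plus O")
    d, pub = keygen()
    m = pts[7]                    # any curve point stands in for a plaintext block
    c = encrypt(m, pub)
    print("plaintext", m, "-> ciphertext", c, "-> decrypted", decrypt(c, d))
    print("brute-force ECDLP recovers the private key:", ecdlp_bruteforce(G, pub) == d)
```

The message is represented directly as a curve point, as the text's "pairs used for encryption" suggests; a real deployment would instead derive a symmetric key from the shared point and encrypt the OpenFlow payload with it. Python 3.8 or later is required for the modular inverse via `pow(x, -1, p)`.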

Security analysis
The algorithm was applied in the NS3.25 network simulator using OpenFlow protocol 1.3, in an SDN scenario with a single controller, two switches and two users. After replacing the TLS sessions of the original protocol with the elliptic curve cryptography algorithm, the second and third tables compare the current method and the proposed method in terms of computation measured in millions of instructions per second (MIPS). On this basis the algorithm is novel and strong enough to provide secure data transfer in the OpenFlow protocol used in the Software Defined Network architecture.

CONCLUSION
This paper addressed security challenges regarding connection data transfer channels in SDN mechanisms. It proposed a novel and secure method, based on Elliptic Curve Cryptography, for data transfer from the control layer to the infrastructure layer in the OpenFlow protocol. Reliability and efficiency were expected to increase for each transmission of data. The method increased network security by increasing the security of the protocol used in the Software Defined Network. This was achieved using an elliptic curve algorithm that encrypts and decrypts the data to be transferred and executes active classification, so that no node between source and destination can view the information.
Finally, the security features and performance of the proposed architecture were analyzed in an NS3.25 simulation. The results showed that the proposed algorithm protected the communication channels against attacks such as spoofing, DoS, replay, reset and eavesdropping. However,