Pasi Eronen’s research while affiliated with Nokia Research Center (NRC) and other places


Publications (17)


Energy Consumption of Always-On Applications in WCDMA Networks
  • Conference Paper

May 2007 · 161 Reads · 75 Citations

Henry Haverinen · Jonne Siren · Pasi Eronen

Always-on applications, such as push email and voice-over-IP, are characterized by the need to be constantly reachable for incoming communications. In the presence of stateful firewalls or NATs, such applications require "keep-alive" messages to maintain up-to-date connection state in the firewall or NAT, and thus preserve reachability. In this paper, we analyze how these keep-alive messages influence battery lifetime in WCDMA networks. Using measurements in a 3G network, we show that the energy consumption is significantly influenced by the radio resource control (RRC) parameters and the frequency of keep-alive messages. The results suggest that especially UDP-based protocols, such as mobile IPv4 and IPsec NAT traversal mechanisms, require very frequent keep-alives that can lead to unacceptably short battery lifetimes.


Resilient Connections for SSH and TLS.
  • Conference Paper
  • Full-text available

January 2006 · 607 Reads · 17 Citations

Figure 1: Reconnecting an existing SSH session.
Figure 2: Reconnection procedure in TLS.
Figure 4: SSH processes involved in reconnecting a session.

Disconnection of an SSH shell or a secure application session due to network outages or travel is a familiar problem to many Internet users today. In this paper, we extend the SSH and TLS protocols to support resilient connections that can span several sequential TCP connections. The extensions allow sessions to survive both changes in IP addresses and long periods of disconnection. Our design emphasizes deployability in real-world environments, and addresses many of the challenges identified in previous work, including assumptions made about network middleboxes such as firewalls and NATs. We have also implemented the extensions in the OpenSSH and PureTLS software packages and tested them in practice.


Quick NAP-secure and efficient network access protocol

January 2006 · 49 Reads · 15 Citations

Pasi Eronen · [...] · Anand Prasad

Current network access protocol stacks consist of a number of layers and components that are only loosely aware of each other. While this provides flexibility, it also results in a number of limitations, including high signaling latency due to duplicated tasks at multiple layers, vulnerabilities, and deployment problems when new components and protocols are added. Most of the currently ongoing work attempts to improve the network access protocols through enhancements in different parts of the stack, such as network access authentication or mobility protocols. This paper takes a "clean slate" approach by focusing on opportunities that arise when the network access problem is viewed as a whole, as opposed to focusing on a single layer. By taking this cross-layer viewpoint, it is possible to design a stack that significantly reduces the number of roundtrips, can be operated securely in ad hoc networks, and allows the secure integration of new features such as firewalls or quality of service signaling.


Implications of Unlicensed Mobile Access (UMA) for GSM security

October 2005 · 127 Reads · 18 Citations

Despite its imperfections, GSM security has stood well the test of time. In part, this security success has relied on closed platforms that prevent the end-user from tampering with the GSM protocol stacks. While it is possible to build phones that do not have such restrictions, this is difficult due to, e.g., legislation and technical complexity. Unlicensed Mobile Access (UMA) is a new technology that provides access to GSM services over Wireless LAN or Bluetooth. It also challenges the assumption of closed platforms, since it is relatively easy to implement a UMA phone purely in software running on standard PC hardware and operating systems. This paper examines the security implications of UMA for GSM security, focusing especially on the impact of open terminal platforms. We identify several areas where open platforms may increase risks to both honest users and network operators, and propose countermeasures for mitigating these risks.


Authentication Components: Engineering Experiences and Guidelines

April 2004 · 31 Reads

Lecture Notes in Computer Science

Security protocols typically employ an authentication phase followed by a protected data exchange. In some cases, such as TLS, these two phases are tightly integrated, while in other cases, such as EAP (Extensible Authentication Protocol) and Kerberos, they are separate and often implemented in different endpoints. However, careless application of this separation has led to several vulnerabilities. In this paper we discuss reasons why this separation is often useful, what mistakes have been made, and what these mistakes have in common. We then describe some approaches by which these problems could be avoided, focusing especially on EAP in wireless LANs. We also present some engineering observations that should be taken into account when designing reusable authentication components in the future.


Authentication Components: Engineering Experiences and Guidelines (Transcript of Discussion)

April 2004 · 7 Reads

Lecture Notes in Computer Science

My talk is on authentication components. What I mean by an authentication component is basically a reusable building block. I’m talking about building blocks in a strictly engineering sense (there is very little novel cryptography use involved), building blocks that are useful to system designers when they’re designing a system and need a protocol for doing something, and they don’t want to reinvent all the cryptographic stuff themselves. Usually they are not experts in that either, so it’s a good thing that they don’t always reinvent things from scratch.





An Expert System for Analyzing Firewall Rules

December 2001 · 267 Reads · 134 Citations

When deploying firewalls in an organization, it is essential to verify that the firewalls are configured properly. The problem of finding out what a given firewall configuration does occurs, for instance, when a new network administrator takes over, or a third party performs a technical security audit for the organization. While the problem can be approached via testing, non-intrusive techniques are often preferred. Existing tools for analyzing firewall configurations usually rely on hard-coded algorithms for analyzing access lists. In this paper we present a tool based on constraint logic programming (CLP) which allows the user to write higher level operations for, e.g., detecting common configuration mistakes. Our tool understands Cisco router access lists, and it is implemented using Eclipse, a constraint logic programming language. The problem of analyzing firewall configurations lends itself quite naturally to be solved by an expert system. We found it surprisingly easy to use logic statements to express knowledge on networking, firewalls, and common configuration mistakes, for instance. Using an existing generic inference engine allowed us to focus on defining the core concepts and relationships in the knowledge base.


Citations (12)


... An alternative to employing separate attachment protocols in each layer is to utilize a cross-layer design. This approach, presented in [12], and further explored in a number of other papers (e.g. [13]–[15]), has some advantages compared to using separate mechanisms on each layer. ...

Reference:

Attachment to a Native Publish/Subscribe Network
Secure and Efficient Network Access

... Moreover, network architectures in the name of backward compatibility and incremental upgrades are supported from the beginning with multi-layered design. Thus, wireless networks by themselves are insecure and the media that they use, impose each and every network layer to perform similar authentication and authorization security mechanisms [2], [3]. In pure mobility cases, the above implementation is simply inefficient. ...

Quick NAP-secure and efficient network access protocol
  • Citing Article
  • January 2006

... The power state transition introduces significant communication latency and it degrades the performance, limiting its accuracy. Keep-Alive messages are needed to generate enough traffic for the connection to avoid idle states [46]. The achievable accuracy is within tens of ms ([46], [47]) with strong constraints on the power consumption and operational modes of the cellular radio. ...

Energy Consumption of Always-On Applications in WCDMA Networks
  • Citing Conference Paper
  • May 2007

... The security concerns (Grech and Eronen, 2005) are for unauthorized access and identity spoofing, whereby a virus/trojan horse from the user's PC can gain access to the SIM/phone through Bluetooth, and make "free" use of service. Exploitation of implementation weakness, also being an issue whereby buffer overflows, could be adjusted to send malformed inputs and thus try to discover and exploit vulnerabilities in the network. ...

Implications of Unlicensed Mobile Access (UMA) for GSM security
  • Citing Conference Paper
  • October 2005

... Although several papers [4]- [6] propose resource discovery protocols for dynamically changing environments, they do not address the impact of the protocol on issues like scalability, performance, and battery power optimization. For service discovery, some researchers have followed the insecure service discovery protocol in which each device in the network can access the services offered by other devices. ...

Decentralized Jini Security
  • Citing Article
  • December 2000