Glenn Emelko
Department of EECS, Case School of Engineering
We are designing a network interface card that can establish a cryptographically
secure channel with a second secure network card, automatically and transparently
to the user. Once established, this channel will be self-monitoring and self-maintaining.
The user will be able to selectively control whether a secure connection is
required to a given IP address, and if so the card will block traffic until
such a channel is established.
Protocols exist for public key exchange; however, public key cryptography
is not fast enough (at present) for high-speed network traffic. A standard
public key exchange protocol will be used to establish a private session key
on a periodic basis. This will happen without user awareness or intervention.
Once a session key is established, the cards will switch to a high-speed cryptographic
protocol to encode individual packets. Neither the users of either computer
nor someone monitoring traffic between the cards will have enough information
to compromise the security of the channel.
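The hybrid scheme described above (a public key exchange that yields a session key, fast symmetric encryption of each packet, periodic rekeying without user involvement, and no traffic until a channel exists) can be sketched in a few dozen lines. The Go program below is an added illustration written for this page, not code from the project; the type and function names (Endpoint, Establish, Seal, Open, Handshake, Deliver), the choice of X25519 for the exchange and AES-128-GCM for packets, the hash-based key derivation, and the packet budget rekeyAfter are all assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const rekeyAfter = 4 // constructed budget: packets per session key before a new exchange
var ErrNoChannel = errors.New("no secure channel established: traffic blocked")
var ErrRekey = errors.New("session key budget spent: rekey required")

// Endpoint models one secure NIC: an ephemeral X25519 key pair plus symmetric state.
type Endpoint struct {
	priv *ecdh.PrivateKey
	aead cipher.AEAD // nil until a session key exists
	sent uint64      // packets sealed under the current key; doubles as the nonce counter
}

func NewEndpoint() (*Endpoint, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &Endpoint{priv: priv}, err
}

// Establish derives a fresh AES-128-GCM session key from the peer's public key, then
// replaces the ephemeral private key so a later compromise cannot recover this session.
func (e *Endpoint) Establish(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	shared, err := e.priv.ECDH(pub)
	if err != nil {
		return err
	}
	key := sha256.Sum256(append([]byte("secure-nic session key v1"), shared...)) // simple KDF
	block, _ := aes.NewCipher(key[:16]) // a 16-byte key and AES-GCM: these cannot fail
	e.aead, _ = cipher.NewGCM(block)
	e.sent = 0
	e.priv, err = ecdh.X25519().GenerateKey(rand.Reader)
	return err
}

// Seal encrypts one packet as nonce||ciphertext||tag; no channel means no plaintext leaves.
func (e *Endpoint) Seal(plaintext []byte) ([]byte, error) {
	if e.aead == nil {
		return nil, ErrNoChannel
	}
	if e.sent >= rekeyAfter {
		return nil, ErrRekey
	}
	nonce := make([]byte, e.aead.NonceSize()) // 12 bytes: 4 zero bytes + 8-byte counter
	binary.BigEndian.PutUint64(nonce[4:], e.sent)
	e.sent++
	return e.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open authenticates and decrypts a packet; it fails on tampering or a mismatched key.
func (e *Endpoint) Open(packet []byte) ([]byte, error) {
	if e.aead == nil || len(packet) < e.aead.NonceSize() {
		return nil, errors.New("no channel, or truncated packet")
	}
	ns := e.aead.NonceSize()
	return e.aead.Open(nil, packet[:ns], packet[ns:], nil)
}

// Handshake is the automatic exchange: only the two public keys cross the wire.
func Handshake(a, b *Endpoint) error {
	pa, pb := a.priv.PublicKey().Bytes(), b.priv.PublicKey().Bytes()
	return errors.Join(a.Establish(pb), b.Establish(pa))
}

// Deliver sends one packet from a to b, (re)running the exchange whenever Seal demands it.
func Deliver(a, b *Endpoint, m []byte) ([]byte, bool, error) {
	pkt, err := a.Seal(m)
	rekeyed := err == ErrNoChannel || err == ErrRekey
	if rekeyed {
		if err = Handshake(a, b); err == nil {
			pkt, err = a.Seal(m)
		}
	}
	if err != nil {
		return nil, rekeyed, err
	}
	pt, err := b.Open(pkt)
	return pt, rekeyed, err
}

func main() {
	a, _ := NewEndpoint()
	b, _ := NewEndpoint()
	fmt.Println(Deliver(a, b, []byte("hello"))) // the first packet forces the exchange
}
```

Only the two public keys are visible to a passive observer, which is the situation the abstract describes. Two caveats worth keeping in view when turning this into a card design: an unauthenticated exchange of this kind resists a passive observer but not an active one who substitutes keys in transit, so the exchange would need to be bound to some identity the cards can verify; and the counter is only safe to reuse as a GCM nonce because a new key is installed every rekeyAfter packets and the counter resets with it. Open does not track the counter, so replay detection is left out of the example.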
One vital aspect of the research will be to investigate the feasibility
and security of using an on-card configurable programmable logic device (CPLD)
or programmable gate array (PGA) as the cryptography engine, entropy source,
and for key generation and exchange.
Applications are widespread. Any user requiring secure communications across
the internet could simply replace the Network Interface Card (NIC) at both
ends and set the card to "auto-secure mode" for traffic to
that specific IP address. Other options might allow only specific traffic
once a secure connection has been established, selected by individual IP
address or by subnet. The cryptographic protocol will be configurable, allowing
users to trade security level for throughput with known and quantified effects.
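The per-destination options in the last paragraph amount to a small policy table: a mode per host or subnet, the most specific entry winning, combined with whether a channel to that destination is currently up. The Go program below is an added example for this page and not the project's code; the rule table, the mode and decision names, the default of passing unconfigured destinations in the clear, and the longest-prefix tie-break are assumptions of the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Mode is the per-destination setting the user picks on the card.
type Mode int

const (
	Plain      Mode = iota // no secure channel required for this destination
	AutoSecure             // hold traffic until a secure channel exists, then encrypt it
)

// Rule binds a mode to one host (a /32 or /128 prefix) or to a whole subnet.
type Rule struct {
	Prefix netip.Prefix
	Mode   Mode
}

// Decision is what the card does with one outbound packet.
type Decision string

const (
	SendPlain  Decision = "send in the clear"
	SendSecure Decision = "encrypt on the established channel"
	HoldPacket Decision = "block until a channel is established"
)

// Decide applies the most specific matching rule (longest prefix wins). Destinations
// without a rule are treated as Plain, so the card is transparent until configured.
func Decide(rules []Rule, dst netip.Addr, channelUp bool) Decision {
	mode, best := Plain, -1
	for _, r := range rules {
		if r.Prefix.Contains(dst) && r.Prefix.Bits() > best {
			mode, best = r.Mode, r.Prefix.Bits()
		}
	}
	switch {
	case mode == Plain:
		return SendPlain
	case channelUp:
		return SendSecure
	default:
		return HoldPacket
	}
}

// ExampleRules is a constructed configuration: a subnet in auto-secure mode with one
// carve-out host left in the clear, plus a single remote host that must be secured.
var ExampleRules = []Rule{
	{netip.MustParsePrefix("10.1.0.0/16"), AutoSecure},
	{netip.MustParsePrefix("10.1.9.9/32"), Plain},
	{netip.MustParsePrefix("203.0.113.7/32"), AutoSecure},
}

// DecideHost evaluates ExampleRules for a textual destination address.
func DecideHost(ip string, channelUp bool) Decision {
	return Decide(ExampleRules, netip.MustParseAddr(ip), channelUp)
}

func main() {
	for _, ip := range []string{"10.1.2.3", "10.1.9.9", "203.0.113.7", "198.51.100.1"} {
		fmt.Printf("%-14s channel down: %s\n", ip, DecideHost(ip, false))
	}
}
```

The longest-prefix rule is what lets a user secure a whole subnet and still exempt one host inside it; with a first-match table the outcome would depend on the order rules were entered, which is the kind of silent misconfiguration a transparent device should avoid.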