Securing Wireless Mesh Networks
Yanchao Zhang, Department of Electrical & Computer Engineering, New Jersey Institute of Technology
In collaboration with: Professor Yuguang “Michael” Fang, Department of Electrical & Computer Engineering, University of Florida
2007 Network/Computer Security Workshop, Lehigh University, May 2007


Page 1: Title slide (as above)

Page 2:

Roadmap

Introduction to wireless mesh networks Necessity, architecture, state of the art

Security issues

Our solutions

Conclusion & future work

Page 3:

Mesh Networks: why do we need them?

Ubiquitous broadband Internet access

[Figure: cellular network (RNC, PSDN) connected to the Internet]

Cellular networks
• Wide area coverage (km range)
• Low speed: W-CDMA 384 kb/s ~ 2 Mb/s, CDMA2000 144 kb/s ~ 2.4 Mb/s
• High deployment costs

Page 4:

Mesh Networks: why do we need them?

Ubiquitous broadband Internet access

[Figure: wireless LAN access points connected to the Internet]

Wireless LAN
• Small coverage (up to 300 m for 802.11)
• High speed: 802.11b 11 Mb/s, 802.11a/g 54 Mb/s, 802.11n (draft) 540 Mb/s
• Low deployment costs

Page 5:

Wireless Mesh Networks (WMNs)

[Figure: WMN architecture: mesh routers form a multi-hop wireless backbone, gateway routers reach the Internet over WiMax or T1/E1 links, and mesh clients attach to nearby mesh routers (Akyildiz et al., 2004)]

Page 6:

Merits of Wireless Mesh Networks

High speed

Extended coverage (multi-hop comm.)

Low deployment costs

High robustness (multiple routes)

Simple configuration and maintenance

Good network scalability

Page 7:

Application Scenarios

Broadband home networking

Community and neighborhood networking

Enterprise networking

Metropolitan area networks

Intelligent transportation systems

Security surveillance systems

Building automation

Page 8:

State of the Art

Academia: SIGCOMM, INFOCOM, MobiCom, MobiHoc, ICNP, ICDCS, IEEE JSAC …; MIT, CMU, Rice, Georgia Tech, UCSB, UF, Stony Brook …
Industry: Microsoft, Intel, Nortel, Nokia, MeshNetworks (Motorola), Tropos, Kiyon, BelAir, Strix, SkyPilot, MeshDynamics …
Standardization activities: IEEE 802.11/15/16
Deployment practices: Seattle, New York, San Francisco, London, Rome, Paris …

Page 9:

Roadmap

Introduction to wireless mesh networks Necessity, architecture, state of the art

Security issues

Our solutions

Conclusion & future work

Other security projects

Page 10:

Classification

Infrastructure security: security of signaling and data traffic transmitted over the wireless mesh backbone
Application security: security of mesh clients’ concrete applications
Network access security: security of communications among a mesh router and the mesh clients it serves

Page 11:

Network Access Security

Why is it difficult to achieve?
• Mesh routers are designed to accept open access requests from most likely unknown mesh clients
• Open access to wireless channels
• Multi-hop, cooperative communications
• Dynamic network topology due to client mobility

[Figure: mesh clients attached to the WMN backbone; securing the router-client and client-client links is our goal]

Page 12:

Network Access Security Issues

Router-client authentication

Router-client key agreement

Client-client authentication

Client-client key agreement

[Figure: mesh clients attached to the WMN backbone; the router-client and client-client links are our goal]

Page 13:

Network Access Security Issues

Bogus-beacon flooding attack, allowing the attacker to
• Beguile mesh clients into always processing beacons
• Impede the Internet access of mesh clients

[Figure: a mesh router's beacon alongside an attacker's bogus beacon, received by mesh clients on the WMN backbone]

Page 14:

Network Access Security Issues

Incontestable billing
Location privacy: mesh clients can travel incognito
Secure routing and MAC protocols
When Internet marries multi-hop wireless: DoS/DDoS mitigation, worm detection & prevention, IP traceback, intrusion detection …

Page 15:

Our Solutions

Router-client authentication

Router-client key agreement

Client-client authentication

Client-client key agreement

Mitigating bogus-beacon flooding attack

Incontestable billing

Location privacy

Page 16:

Network Model

A large-scale WMN comprises many domains; each domain is operated by an independent network operator of arbitrary scale

Multi-hop uplink: a mesh client transmits packets in one hop or multiple hops to the mesh router

Single-hop downlink: the router sends packets in one hop to all clients. Merits: saves energy of clients; facilitates the transmission of signaling data …

Page 17:

Old Home-Foreign Trust Model (used by cellular & mobile IP networks)

[Figure: home domain and foreign domain connected via Internet/PSTN; trust between them rests on a pairwise roaming agreement]

Drawbacks
• Difficult to establish pairwise roaming agreements among numerous WMN operators
• Significant authentication signaling traffic; may invite DoS/DDoS attacks
• Long authentication latency
• Irresolvable billing disputes

Page 18:

Our Model: Client-Broker-Operator

[Figure: mesh clients hold passes issued by brokers; brokers 1 and 2 have agreements with operators 1 through n]

# of brokers << # of WMN operators

Page 19:

Merits of Client-Broker-Operator Model

For mesh clients
• Enjoy single-sign-on, on-demand broadband Internet access from any WMN operator

For WMN operators
• Just need to trust one or a few brokers
• Have all mesh clients as potential customers
• Reduce administration & customer-service costs

For brokers
• Make profits by imposing transaction/subscription fees on mesh operators/clients

Page 20:

Notation

$B_i$: broker
$O_i$: operator
$C_{i,k}$: NAI of client $k$ of $B_i$ (e.g., Alice@GatorCountry)
$P_{C_{i,k}}$: electronic pass of client $C_{i,k}$
$K_{C_{i,k}}$: pass-key corresponding to $P_{C_{i,k}}$
$R_{i,k}$: NAI of router $k$ of $O_i$ (routerID@operatorID)
$P_{R_{i,k}}$: electronic pass of router $R_{i,k}$
$K_{R_{i,k}}$: pass-key corresponding to $P_{R_{i,k}}$
$h$: a hash function such as SHA-1

Page 21:

Public-Key Cryptography (PKC)

Everyone has a unique public/private key pair

Certificate-based PKC (e.g., RSA or DSA)
• Alice’s public key, pubA, is a random string
• Need a certificate binding pubA to Alice: certA := <Alice, pubA, other fields, CA’s signature>

ID-based PKC (Shamir, 1984)
• Alice’s pubA can be her publicly known identity information, such as her email address
• No need for certificates

Page 22:

The Pairing Technique

$G_1, G_2$: two cyclic groups of prime order $q$ (~160 bits)
$W$: an arbitrary generator of $G_1$
$H$: hashing inputs to non-zero elements in $G_1$
$f: G_1 \times G_1 \to G_2$ (pairing), such that, for all $U, V \in G_1$ and $a, b \in [1, q-1]$:
• bilinear: $f(aU, bV) = f(aU, V)^b = f(U, bV)^a = f(U, V)^{ab}$
• symmetric: $f(U, V) = f(V, U)$

Pairing parameters $\langle G_1, G_2, W, H \rangle$ can be predefined by standards bodies such as IETF, as is done for Diffie-Hellman parameters for use in IPsec

Page 23:

Router Pass (R-PASS)

Operator $O_i$:
• Select a master secret $\kappa_{O_i} \in [1, q-1]$ (private)
• Issue to router $R_{i,k}$:
  router pass $P_{R_{i,k}} := (R_{i,k}, \text{expiry-time})$ (public)
  pass-key $K_{R_{i,k}} := \kappa_{O_i} H(P_{R_{i,k}}) \in G_1$ (private)

Given $\langle P_{R_{i,k}}, K_{R_{i,k}} \rangle$, it is infeasible to derive $\kappa_{O_i}$, as the Discrete Logarithm problem is hard in $G_1$

Page 24:

Client Pass (C-PASS)

Broker $B_i$:
• Select a master secret $\kappa_{B_i} \in [1, q-1]$ (private)
• Issue to client $C_{i,k}$:
  client pass $P_{C_{i,k}} := (C_{i,k}, \text{expiry-time})$ (public)
  pass-key $K_{C_{i,k}} := \kappa_{B_i} H(P_{C_{i,k}}) \in G_1$ (private)

Given $\langle P_{C_{i,k}}, K_{C_{i,k}} \rangle$, it is infeasible to derive $\kappa_{B_i}$, as the Discrete Logarithm problem is hard in $G_1$

Page 25:

Authentication & Key Agreement (AKA)

Inter-domain router-client AKA: a client roams from one WMN domain to another
Intra-domain router-client AKA: a client roams within the same WMN domain
Client-client AKA: two clients in the same WMN domain perform AKA

Page 26:

Inter-Domain Client-Router AKA

Router $R_{1,1}$ holds $\langle P_{R_{1,1}}, K_{R_{1,1}} \rangle$ (issued by $O_1$); client $C_{1,1}$ holds $\langle P_{C_{1,1}}, K_{C_{1,1}} \rangle$ (issued by broker $B_1$)

1. $R_{1,1}$ broadcasts $\langle P_{R_{1,1}}, t_1, \text{otherInfo}, SIG_{K_{R_{1,1}}}(P_{R_{1,1}}, t_1, \text{otherInfo}) \rangle$
2. $C_{1,1}$ unicasts $\langle P_{C_{1,1}}, t_2, SIG_{K_{C_{1,1}}}(t_2) \rangle$ to $R_{1,1}$
3. $R_{1,1}$ unicasts $\langle P^{O_1}_{C_{1,1}}, ENC(K^{O_1}_{C_{1,1}}) \rangle$ to $C_{1,1}$, i.e., a temporary pass and its encrypted temporary pass-key, where
   temporary pass $P^{O_1}_{C_{1,1}} := (C_{1,1}, \text{expiry-time})$
   temporary pass-key $K^{O_1}_{C_{1,1}} := \kappa_{O_1} H(P^{O_1}_{C_{1,1}})$

Page 27:

Inter-Domain Client-Router AKA

Key agreement

$R_{1,1}$ (holding $P_{R_{1,1}}, K_{R_{1,1}}$) computes $f(K_{R_{1,1}}, H(P^{O_1}_{C_{1,1}}))$; $C_{1,1}$ (holding $P^{O_1}_{C_{1,1}}, K^{O_1}_{C_{1,1}}$) computes $f(K^{O_1}_{C_{1,1}}, H(P_{R_{1,1}}))$. The two values agree:

$f(K_{R_{1,1}}, H(P^{O_1}_{C_{1,1}})) = f(\kappa_{O_1} H(P_{R_{1,1}}), H(P^{O_1}_{C_{1,1}}))$
$= f(H(P_{R_{1,1}}), H(P^{O_1}_{C_{1,1}}))^{\kappa_{O_1}}$ (bilinear)
$= f(H(P^{O_1}_{C_{1,1}}), H(P_{R_{1,1}}))^{\kappa_{O_1}}$ (symmetric)
$= f(\kappa_{O_1} H(P^{O_1}_{C_{1,1}}), H(P_{R_{1,1}})) = f(K^{O_1}_{C_{1,1}}, H(P_{R_{1,1}}))$

Page 28:

Intra-Domain Router-Client AKA

Router $R_{1,2}$ holds $\langle P_{R_{1,2}}, K_{R_{1,2}} \rangle$; client $C_{1,1}$ holds the temporary pass $\langle P^{O_1}_{C_{1,1}}, K^{O_1}_{C_{1,1}} \rangle$ obtained from $O_1$

1. $R_{1,2}$ broadcasts $\langle P_{R_{1,2}}, t_1, \text{otherInfo}, SIG_{K_{R_{1,2}}}(P_{R_{1,2}}, t_1, \text{otherInfo}) \rangle$
2. $C_{1,1}$ computes the shared key $K_{C_{1,1},R_{1,2}} = f(K^{O_1}_{C_{1,1}}, H(P_{R_{1,2}}))$
3. $C_{1,1}$ unicasts $\langle P^{O_1}_{C_{1,1}}, t_2, h_{K_{C_{1,1},R_{1,2}}}(t_1 \| t_2 \| \ldots) \rangle$ to $R_{1,2}$, which derives the same key as $f(K_{R_{1,2}}, H(P^{O_1}_{C_{1,1}}))$ (page 27) and checks the keyed hash

Page 29:

Client-Client AKA

• Two clients ascertain that they are served by the same WMN domain
• Two clients establish a shared key to encrypt and authenticate traffic between them
• Can be done on demand

Page 30:

Client-Client AKA

$C_{1,1}$ holds $\langle P^{O_1}_{C_{1,1}}, K^{O_1}_{C_{1,1}} \rangle$; $C_{2,1}$ holds $\langle P^{O_1}_{C_{2,1}}, K^{O_1}_{C_{2,1}} \rangle$ (both issued by $O_1$)

1. $C_{1,1} \to C_{2,1}$: $\langle P^{O_1}_{C_{1,1}}, r_1 \rangle$
2. $C_{2,1}$ computes $K_{C_{2,1},C_{1,1}} = f(K^{O_1}_{C_{2,1}}, H(P^{O_1}_{C_{1,1}}))$
3. $C_{2,1} \to C_{1,1}$: $\langle P^{O_1}_{C_{2,1}}, r_2, h_{K_{C_{2,1},C_{1,1}}}(r_1 \| r_2 \| \ldots) \rangle$
4. $C_{1,1}$ computes $K_{C_{1,1},C_{2,1}} = f(K^{O_1}_{C_{1,1}}, H(P^{O_1}_{C_{2,1}}))$ and checks $h_{K_{C_{1,1},C_{2,1}}}(r_1 \| r_2 \| \ldots) \stackrel{?}{=} h_{K_{C_{2,1},C_{1,1}}}(r_1 \| r_2 \| \ldots)$
5. $C_{1,1} \to C_{2,1}$: $h_{K_{C_{1,1},C_{2,1}}}(r_1 \| r_2 \| P^{O_1}_{C_{1,1}} \| \ldots)$
6. $C_{2,1}$ checks $h_{K_{C_{2,1},C_{1,1}}}(r_1 \| r_2 \| P^{O_1}_{C_{1,1}} \| \ldots) \stackrel{?}{=}$ the received value

The two keys agree by the argument of page 27: $f(K^{O_1}_{C_{1,1}}, H(P^{O_1}_{C_{2,1}})) = f(H(P^{O_1}_{C_{1,1}}), H(P^{O_1}_{C_{2,1}}))^{\kappa_{O_1}} = f(K^{O_1}_{C_{2,1}}, H(P^{O_1}_{C_{1,1}}))$

Page 31:

Our Solutions

Router-client authentication

Router-client key agreement

Client-client authentication

Client-client key agreement

Mitigating bogus-beacon flooding attack

Incontestable billing

Location privacy

Page 32:

Bogus-Beacon Flooding Attack

Allows the attacker to
• Deceive mesh clients into endless signature verifications to check the authenticity of beacons
• Impede the network access of mesh clients

Defense: one-way hash chain

[Figure: router $R_{1,1}$ broadcasts beacons to mesh clients over the WMN backbone; an attacker injects bogus beacons]

Page 33:

Defense against Bogus-Beacon Flooding

Router $R_{1,1}$
• Select an integer $n$ and a random secret $b_n$
• Compute $b_y = h(b_{y+1})$, for $1 \le y \le n-1$
• Deriving $b_y$ from $b_{y+1}$ is very efficient, but the opposite is computationally infeasible

[Figure: chain $b_n \xrightarrow{h} b_{n-1} \xrightarrow{h} \cdots \xrightarrow{h} b_2 \xrightarrow{h} b_1$; over one super beacon interval starting at $t_s$ the beacons disclose $b_1, b_2, b_3, \ldots, b_n$ in turn, then a fresh chain starts with $b'_1$]

Page 34:

Defense against Bogus-Beacon Flooding

At time $t = t_s + (y-1) \cdot$ (beacon interval), router $R_{1,1}$ broadcasts beacon
$\langle P_{R_{1,1}}, t_s, b_1, \text{otherInfo}, SIG_{K_{R_{1,1}}}(P_{R_{1,1}}, t_s, b_1, \text{otherInfo}), y, b_y, h(b_y \| \text{prior fields}) \rangle$
where the last field is a message authentication code keyed by $b_y$

Client $C_{1,1}$, case 1: mutual authentication has not been done
1. Ascertain that $P_{R_{1,1}}$ has not expired
2. Validate $SIG_{K_{R_{1,1}}}(\cdot)$
3. Check that $h^{y-1}(b_y) = b_1$
4. Compare $h(b_y \| \text{prior fields})$ to the received one
5. Record $\langle t_s, b_1 \rangle$ and set $b_c := b_y$, $c := y$

Page 35:

Defense against Bogus-Beacon Flooding

At time $t = t_s + (y-1) \cdot$ (beacon interval), router $R_{1,1}$ broadcasts beacon
$\langle P_{R_{1,1}}, t_s, b_1, \text{otherInfo}, SIG_{K_{R_{1,1}}}(P_{R_{1,1}}, t_s, b_1, \text{otherInfo}), y, b_y, h(b_y \| \text{prior fields}) \rangle$
where the last field is a message authentication code keyed by $b_y$

Client $C_{1,1}$, case 2: mutual authentication has been done (client knows $t_s, b_1, b_c, c$)
1. Ascertain that $P_{R_{1,1}}$ has not expired
2. Check that $y > c$ and $b_c = h^{y-c}(b_y)$
3. Compute $h(b_y \| \text{prior fields})$ and compare it to the received one
4. Set $b_c := b_y$, $c := y$

Page 36:

Defense against Bogus-Beacon Flooding

Analysis
• A router performs one signature generation every $n$ broadcast beacons
• A client carries out one signature verification every $n$ broadcast beacons

[Figure: as on page 33, one super beacon interval of $n$ beacons $b_1, \ldots, b_n$ starting at $t_s$, followed by $b'_1$ of the next chain]
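The router and client sides of the beacon defence on pages 33 to 36, as an added example that is not code from the slides or from the authors' ARSA work. It keeps the slides' names ($n$, $b_n$, $b_y = h(b_{y+1})$, $t_s$, $b_c$, $c$, "prior fields") and uses SHA-256 for $h$. Assumptions of the example: the ID-based signature $SIG_{K_R}$ is stood in for by HMAC-SHA256 under a router-held key, which the demo client also uses to verify (a real client checks the signature against operator $O_1$'s public parameters); the otherInfo content, the field encoding and the router NAI `router1@operator1` are made up for the demo. `demo()` drives a client through case 1, a missed beacon, a bogus beacon with a guessed $b_y$, a replayed beacon and a fresh chain, and counts the signature verifications the client actually performed.

```python
"""Hash-chain beacon authentication, added example (not the slides' code).
Router: pick n and secret b_n, derive b_y = h(b_{y+1}), sign <P_R, t_s, b_1,
otherInfo> once per super beacon interval, MAC every beacon with its b_y.
Client: case 1 verifies the signature once; case 2 only hashes.
ASSUMPTION: SIG_{K_R} is stood in for by HMAC-SHA256 under a router-held key
(the slides use the ID-based signature with pass-key K_R); h is SHA-256."""
import hashlib
import hmac
import os

SIGNED = ("P_R", "t_s", "b_1", "otherInfo")  # fields covered by SIG
PRIOR = SIGNED + ("SIG", "y")               # "prior fields" covered by the MAC


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def h_iter(x: bytes, times: int) -> bytes:
    """h^times(x); times == 0 returns x itself."""
    for _ in range(times):
        x = h(x)
    return x


def make_chain(n: int, b_n: bytes) -> list:
    """[b_1, ..., b_n] with b_y = h(b_{y+1}); chain[0] is the anchor b_1."""
    chain = [b_n]
    for _ in range(n - 1):
        chain.append(h(chain[-1]))
    chain.reverse()
    return chain


def encode(bc: dict, keys) -> bytes:
    return b"|".join(bc[k] if isinstance(bc[k], bytes) else repr(bc[k]).encode()
                     for k in keys)


def mac_of(bc: dict) -> bytes:
    return h(bc["b_y"] + b"|" + encode(bc, PRIOR))  # h(b_y || prior fields)


class Router:
    def __init__(self, router_nai: str, expiry: int, n: int):
        self.P_R = (router_nai, expiry)  # router pass (public); NAI is made up
        self.n, self.sig_key, self.signatures = n, os.urandom(32), 0
        self.new_chain(t_s=0)

    def new_chain(self, t_s: int):
        self.chain = make_chain(self.n, os.urandom(32))
        self.header = {"P_R": self.P_R, "t_s": t_s, "b_1": self.chain[0],
                       "otherInfo": b"channel=6"}
        self.header["SIG"] = hmac.new(self.sig_key, encode(self.header, SIGNED),
                                      "sha256").digest()
        self.signatures += 1  # one signature per chain of n beacons

    def beacon(self, y: int) -> dict:
        bc = dict(self.header, y=y, b_y=self.chain[y - 1])
        bc["mac"] = mac_of(bc)
        return bc


class Client:
    def __init__(self, verify_sig, now: int):
        self.verify_sig, self.now = verify_sig, now  # (P_R, signed, SIG) -> bool
        self.state = {}                              # P_R -> (t_s, b_1, b_c, c)
        self.sig_verifications = 0

    def process(self, bc: dict) -> bool:
        P_R, y, b_y = bc["P_R"], bc["y"], bc["b_y"]
        if P_R[1] < self.now:                        # step 1: pass not expired
            return False
        st = self.state.get(P_R)
        if st is None or st[:2] != (bc["t_s"], bc["b_1"]):
            # case 1: no anchor for this chain yet -> one signature verification
            self.sig_verifications += 1
            if not self.verify_sig(P_R, encode(bc, SIGNED), bc["SIG"]):
                return False
            if h_iter(b_y, y - 1) != bc["b_1"]:
                return False
        else:
            # case 2: b_y must hash down to the recorded b_c; y > c also kills replays
            _, _, b_c, c = st
            if not (y > c and h_iter(b_y, y - c) == b_c):
                return False
        if not hmac.compare_digest(mac_of(bc), bc["mac"]):
            return False
        self.state[P_R] = (bc["t_s"], bc["b_1"], b_y, y)
        return True


def demo(n: int = 4) -> dict:
    router = Router("router1@operator1", expiry=10_000, n=n)

    def verify_sig(P_R, msg, sig):  # a real client checks SIG against O_1's public params
        return hmac.compare_digest(hmac.new(router.sig_key, msg, "sha256").digest(), sig)

    client = Client(verify_sig, now=100)
    out = {"first": client.process(router.beacon(1))}       # case 1
    out["missed_one"] = client.process(router.beacon(3))    # case 2: h^2(b_3) == b_1
    bogus = router.beacon(4)
    bogus["b_y"] = os.urandom(32)                           # attacker cannot know b_4 ...
    bogus["mac"] = mac_of(bogus)                            # ... but can recompute the MAC
    out["bogus"] = client.process(bogus)                    # rejected by one hash, no SIG
    out["replay"] = client.process(router.beacon(3))        # y == c: rejected
    out["last"] = client.process(router.beacon(4))
    router.new_chain(t_s=n)                                 # next super beacon interval
    out["new_chain"] = client.process(router.beacon(1))     # case 1 again
    out["sig_verifications"] = client.sig_verifications     # 2
    out["router_signatures"] = router.signatures            # 2
    return out
```

Running `demo()` shows the point of the analysis slide: over two chains of four beacons the client verifies exactly two signatures, and the bogus beacon is thrown away in case 2 by a single hash computation without touching the signature verifier. Note that the client falls back to case 1 whenever the $(t_s, b_1)$ header differs from the one it recorded, so the one-verification-per-$n$-beacons figure is per genuine chain, as the slide states.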

Page 37:

Incontestable Billing

Challenges
• WMN operators may overcharge
• Mesh clients may deny the received network services
• Intermediate clients desire reward for forwarding traffic

Our solution: a real-time hash-chain approach

[Figure: router $R_{1,1}$ and client $C_{1,1}$]

Page 38:

Incontestable Billing

$C_{1,1}$
• Create a one-way hash chain $b_n \xrightarrow{h} b_{n-1} \xrightarrow{h} \cdots \xrightarrow{h} b_1$ (i.e., $b_y = h(b_{y+1})$), with each hash value associated with a monetary value $x_0$
• Send the signed $(b_1, x_0)$ to $R_{1,1}$ as a payment commitment
• Periodically release hash values in sequence

$R_{1,1}$
• Record the signed $(b_1, x_0)$ and the last $b_m$ s.t. $b_1 = h^{m-1}(b_m)$
• Redeem $b_m$ at broker $B_1$ and get paid $m x_0$

Page 39:

Incontestable Billing

How to pay intermediate clients?
• $C_{1,1}$ pays $R_{1,1}$ what $R_{1,1}$ and the forwarding clients should get
• $R_{1,1}$ pays each forwarding client using the hash-chain approach
• Merit: each client just has a payment relationship with $R_{1,1}$ instead of with each of the other clients

Analysis
• Each client must pay in real time to avoid service cutoff
• A client cannot deny the payment due to the signed commitment
• Operators cannot fake hash values to overcharge clients

[Figure: router $R_{1,1}$ and client $C_{1,1}$]
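The hash-chain payment of pages 38 and 39 run end to end between client $C_{1,1}$, router $R_{1,1}$ and broker $B_1$, as an added example that is not the slides' or the authors' code. It follows the slides' settlement formula $m x_0$ with $b_1 = h^{m-1}(b_m)$, treating the committed $b_1$ as the first unit. Assumptions of the example: the client's signature on $(b_1, x_0)$ is stood in for by HMAC-SHA256 under a key the broker handed out at enrollment, and the router verifies a commitment by asking the broker (the slides use the ID-based signature under pass-key $K_C$, which a router verifies offline); the commitment also carries the chain length $n$ so the broker can bound its search; the client NAI is the notation slide's Alice@GatorCountry and $x_0 = 2$ units. Beyond what the slides spell out, the broker remembers how far each chain has already been settled, so a second redemption of the same chain pays only for values released since.

```python
"""Real-time hash-chain billing, added example (not the slides' code).
Client commits to signed (b_1, x0) for a chain b_y = h(b_{y+1}), then pays by
releasing b_2, b_3, ...; the router keeps the last b_m and redeems it at the
broker for m * x0 (the slides' formula; b_1 counts as the first unit).
ASSUMPTIONS: SIG is stood in for by HMAC-SHA256 under a broker-issued key and
the router verifies commitments by asking the broker; the commitment carries n."""
import hashlib
import hmac
import os


def h(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(n: int, b_n: bytes) -> list:
    """[b_1, ..., b_n] with b_y = h(b_{y+1}); only the client ever sees b_n."""
    chain = [b_n]
    for _ in range(n - 1):
        chain.append(h(chain[-1]))
    chain.reverse()
    return chain


def commit_bytes(c: dict) -> bytes:
    return b"|".join([c["client"].encode(), c["b_1"],
                      str(c["x0"]).encode(), str(c["n"]).encode()])


def sign(key: bytes, c: dict) -> bytes:  # stand-in for SIG_{K_C}
    return hmac.new(key, commit_bytes(c), "sha256").digest()


class Broker:
    """B_1: enrolls clients and settles routers' claims."""
    def __init__(self):
        self.keys = {}      # client NAI -> signing key (stand-in for K_C)
        self.settled = {}   # chain anchor b_1 -> highest m already paid out

    def enroll(self, nai: str) -> bytes:
        self.keys[nai] = os.urandom(32)
        return self.keys[nai]

    def verify(self, c: dict) -> bool:
        key = self.keys.get(c["client"])
        return key is not None and hmac.compare_digest(sign(key, c), c["SIG"])

    def redeem(self, c: dict, b_m: bytes) -> int:
        """Pay (m - already_paid) * x0 if b_1 = h^{m-1}(b_m); 0 for any bad claim."""
        if not self.verify(c):
            return 0
        x, m = b_m, 1
        while x != c["b_1"] and m < c["n"]:   # at most n-1 hashes
            x, m = h(x), m + 1
        if x != c["b_1"]:
            return 0                           # value not on the committed chain
        paid = self.settled.get(c["b_1"], 0)
        if m <= paid:
            return 0                           # nothing new since the last settlement
        self.settled[c["b_1"]] = m
        return (m - paid) * c["x0"]


class Client:
    """C_{1,1}: commits to a chain, then releases one value per billing period."""
    def __init__(self, nai: str, key: bytes, n: int, x0: int):
        self.chain = make_chain(n, os.urandom(32))
        self.released = 1                      # b_1 goes out with the commitment
        self.commit = {"client": nai, "b_1": self.chain[0], "x0": x0, "n": n}
        self.commit["SIG"] = sign(key, self.commit)

    def pay(self) -> bytes:
        if self.released >= len(self.chain):
            raise RuntimeError("chain exhausted: commit to a new one")
        self.released += 1
        return self.chain[self.released - 1]   # b_{released}


class Router:
    """R_{1,1}: records the commitment and serves while payments keep arriving."""
    def __init__(self, verify):
        self.verify = verify
        self.sessions = {}                     # client NAI -> [commit, last b_m, m]

    def accept_commit(self, c: dict) -> bool:
        if not self.verify(c):
            return False
        self.sessions[c["client"]] = [c, c["b_1"], 1]
        return True

    def accept_payment(self, nai: str, b: bytes) -> bool:
        """One hash per period; a value off the chain means service cutoff."""
        s = self.sessions.get(nai)
        if s is None or h(b) != s[1]:
            return False
        s[1], s[2] = b, s[2] + 1
        return True

    def claim(self, nai: str):
        c, b_m, _ = self.sessions[nai]
        return c, b_m


def demo(periods: int = 5) -> dict:
    broker, nai = Broker(), "Alice@GatorCountry"
    client = Client(nai, broker.enroll(nai), n=10, x0=2)
    router = Router(verify=broker.verify)
    out = {"commit_ok": router.accept_commit(client.commit)}
    out["paid"] = all(router.accept_payment(nai, client.pay()) for _ in range(periods))
    out["forged_value_refused"] = not router.accept_payment(nai, os.urandom(32))
    out["settled"] = broker.redeem(*router.claim(nai))             # (periods + 1) * x0
    out["double_redeem"] = broker.redeem(*router.claim(nai))       # 0: already settled
    out["overclaim"] = broker.redeem(client.commit, os.urandom(32))  # 0: not on the chain
    for _ in range(2):                                             # two more periods
        router.accept_payment(nai, client.pay())
    out["incremental"] = broker.redeem(*router.claim(nai))         # 2 * x0
    return out
```

`demo()` exercises the three claims of the analysis slide: a value that is not on the chain is refused by the router at the next period (the client loses service), the router cannot be paid for a value it fabricates because the broker walks the chain back to the signed $b_1$, and the client cannot repudiate because every settlement is checked against its signed commitment.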

Page 40:

Location Privacy

Mesh clients prefer to travel incognito: remain anonymous to both visited WMN operators and potentially malicious eavesdroppers

Solution
• A client uses dynamic (pass, pass-key) pairs
• A secure, lightweight way to refresh client pass/pass-key pairs

Page 41:

Conclusion

• Identified security requirements & challenges in multi-hop wireless mesh networks
• Proposed a client-broker-operator trust model
• Presented efficient solutions to router-client and client-client AKA, mitigating the bogus-beacon flooding attack, incontestable billing, and location privacy

Page 42:

Future Work

Secure wireless mesh backbone
Secure routing and MAC protocols
When Internet marries multi-hop wireless: DoS/DDoS mitigation, worm detection & prevention, IP traceback, intrusion detection …

Page 43:

References
• Y. Zhang and Y. Fang, “ARSA: An Attack-Resilient Security Architecture for Multihop Wireless Mesh Networks,” IEEE JSAC, 24(10), Oct. 2006
• Y. Zhang and Y. Fang, “A Secure Authentication and Billing Architecture for Wireless Mesh Networks,” ACM Wireless Networks, to appear