Secure Multi-Hop Infrastructure Access presented by Reza Curtmola (joint work with B. Awerbuch, D. Holmer, C. Nita-Rotaru and H. Rubens) 600.647 – Advanced Topics in Wireless Networks
Wireless Infrastructure Access • Few pure wireless peer to peer apps yet (primarily emergency deployments) • Un-tethered infrastructure access has been the wireless killer app (countless variations) – Voice communication – Internet access – Local area network access – Data gathering sensor networks – Peripherals (headphones, mice, keyboards)
Single-Hop vs. Multi-Hop • Advantages • Advantages – Increased Coverage – Well established – Enhanced performance – Lower Complexity – Reduced Deployment • Issues Cost – Limited coverage – Overall Flexibility • Range • Challenges • Quality (gaps) – Routing protocol – Mobility – Scalability
Infrastructure Access Security • Single-Hop – Many years to develop current state of the art • 1997 – WEP • 2003 – WPA • 2004 – 802.11i / WPA2 – Still outstanding issues? (see NDSS 2004 paper) • Multi-Hop – Introduces a set of additional security concerns – Existing work focuses only on the security of the ad hoc scenario
Network Model Gateway Authorized Node Adversary Revoked Node
Protocol Design Goals • Security comparable to single-hop state of the art protocols • Additional protection against multi-hop routing attacks – Black Hole – Flood Rushing – Wormhole • Efficient protocol operation – Symmetric cryptography – Scalable user management
Adversarial Model • Access Point – is trusted – able to establish trust relationships with authorized nodes • Authenticated nodes are trusted to perform the protocol correctly • Adversaries are unauthenticated nodes – Perform arbitrary attacks (e.g. drop, inject or modify packets) – May collude to perform stronger attacks (e.g. tunnel packets)
Our Solution • Take an existing solution: Pulse protocol [Infocom ‘04, Milcom ‘04, WONS ‘05] – Multi-hop routing protocol – Optimized for many-to-one communication pattern – High Scalability • Mobility • Number of nodes • Number of flows • Build security mechanisms into it
Pulse Protocol Example
Pro-active Spanning Tree
Node Wishes to Communicate
Sends Packet to Gateway
Cryptographic Protection • Participating nodes share a network wide symmetric key NSK – Used to secure the routing service – Established and maintained using a broadcast encryption scheme (BES) • Source and destination use per flow unicast key (UK) to protect data payload seq routing data payload HMAC NSK number headers E NSK E UK
Secure Reliability Metric • Secure ACKs are required for each data packet traversing a link • Protocol gathers history of ACK failures • Link weights inversely proportional to reliability • Strategy is similar to ODSBR [WiSe ’02]
Network Model Gateway Authorized Node Adversary Revoked Node
Adversarial Avoidance Example 2 2 2 1 Gateway 1 2 1 1 2 3 2 2 2 3 3 3
Adversarial Avoidance Example 2 2 2 1 Gateway 1 2 1 1 2 3 2 2 2 3 3 3
Adversarial Avoidance Example 2 2 2 1 Gateway 1 2 1 1 2 3 1 2 2 2 3 3 3
Adversarial Avoidance Example 2 2 2 1 Gateway 1 2 1 1 2 3 1 2 2 2 3 3 3
Adversarial Avoidance Example 2 2 2 1 Gateway 1 2 1 1 2 3 1.1 2 2 2 3 3 3
Adversarial Avoidance Example 2 2 2 1 Gateway 1 2 1 1 2 3 1 1.1 2 2 2 3 3 3
Wormhole Avoidance Example 2 2 2 1 Gateway 1 2 1 1 2 3 2 2 2 3 3 3
Wormhole Avoidance Example 2 2 2 1 Gateway 1 2 1 1 2 1 3 2 2 2 1 2 3
Wormhole Avoidance Example 2 2 2 1 Gateway 1 2 1 1 2 1.1 … 3 2 2 2 1 2 3
Wormhole Avoidance Example 2 2 2 1 Gateway 1 2 1 1 2 3.1 3 2 2 2 1 2 3
Wormhole Avoidance Example 2 2 2 1 Gateway 1 2 1 1 2 3.1 3 2 2 2 3 3 3
Attack mitigation • Injecting, modifying packets – use of NSK • Replay attack – use of nonces • Flood rushing – protocol relies on the metric, and not on timing information • Black hole – unreliable links are avoided using metric • Wormhole – creation is not prevented, but it is avoided using metric
Key Management • Assumption: each node has a unique pre-established shared key PSK with the gateway Automatically generated Manually entered as in by interaction with an WEP or WPA / WPA2 or authentication server as personal mode in 802.1x / EAP • Goal: to efficiently manage the Network Shared Key (NSK) – Selected and maintained by the gateway – Add/revoke users – Periodically refreshed
Broadcast Encryption Scheme • Center broadcasts a message • Only a subset of privileged (non-revoked) users can decrypt it • Our requirements: – Allows unbounded number of broadcasts – Any subset of users can be defined as privileged – A coalition of all revoked users cannot decrypt the broadcast
Subset Cover Framework • CS or SD [Crypto ’01], LSD [Crypto ’02] • The set of privileged users is represented as the union of s subsets of users • A long-term key is associated with each subset • A user knows a long-term key only if he belongs to the corresponding subset • Center encrypts message s times under all the keys associated with subsets in the union • LSD Properties – Each node stores O(log 3/2 (n)) keys – O(r) message size – O(log(n)) computation at each node
Node Management • Node addition – Using PSK, a node obtains from the gateway the current NSK and the set of secrets for the BES • Node revocation / NSK refresh – Gateway generates a new NSK – Gateway broadcasts encrypted NSK such that only non-revoked nodes are able to decrypt it – Scalability advantage over Group Key management in 802.11i which is O(n)
Complete Subtree 1 1 2 3 3 2 5 6 6 7 4 7 10 11 8 9 12 12 13 14 15 U 4 U 1 U 2 U 3 U 5 U 6 U 7 U 8 • Broadcast: E K2 (KEK), E K7 (KEK), E K12 (KEK), E KEK (NSK’)
Conclusion • Protocol provides multi-hop infrastructure access • Efficient, lightweight security – Entirely based on symmetric cryptography – Prevents a wide variety of attacks – Leverages infrastructure for trust establishment
Real World Implementation • Completed Features – Linux Kernel Module with 2.4 and 2.6 compatibility • Operates at layer 2 • Distributed virtual switch architecture provides seamless bridging – Pulse Protocol • Shortcuts and gratuitous reply • Instantaneous loop freedom • Fast parent switching (with loop freedom) • Medium Time Metric route selection metric (WONS 2004) – 50 Nodes deployed across JHU Campus • Tested with Internet Access, Ad hoc Access Points, Voice over IP • Mobility tested at automobile speeds • In Progress – Security – (NDSS Workshop 2005) • Flood Rushing, Wormholes, Black holes, any NON-Byzantine attack • In kernel crypto implementation – Leader Election Algorithm • Fault tolerance, switches pulse source to most accessed destination • Handle merge and partition – Efficient Tree Flooding • Similar to expanding ring search but with no duplicates
Recommend
More recommend
