Network Security Security in Wireless Ad Hoc Networks 1 Network Security Chapter 8. Security in Wireless Ad Hoc Networks


Network Security

Chapter 8. Security in Wireless Ad Hoc Networks


Objectives

Introduction
Routing in Multihop Ad Hoc Networks
Key Establishment and Authentication
Confidentiality and Integrity
– Loopholes
Bluetooth


Additional slide for the previous week.



Introduction

What is an ad hoc network?

What are its characteristics?


What is an Ad Hoc Network?

Ad hoc networks
– Network formed on the fly (ad hoc, on an as-needed basis)
– The term mainly refers to wireless ad hoc networks

Mobile Ad Hoc Networks (MANETs)
– The nodes forming the network are mobile.

Usage scenario


Limitations

No dedicated routing devices
– Nodes themselves have to act as routers

Network topology may change rapidly and unpredictably as nodes move.

Other things – battery life, bandwidth.


Classification

Geographically
– Personal area networks (PANs)
– Wide area networks (WANs)

By a node’s capability of acting as a router
– Single-hop ad hoc network
– Multi-hop ad hoc network – nodes have routing capability.

Normally
– PAN – single-hop
– Ad hoc LAN and ad hoc WAN – multi-hop


Routing in Multi-hop Ad Hoc Networks

Why is routing a problem in a multi-hop ad hoc network?


Distance Vector Routing Updates (FYI)

RIP – Hop Count

IGRP and EIGRP – Bandwidth, Delay, Reliability, Load

No! MTU is never used as a routing metric. Some documentation is incorrect on this item.


Distance Vector Routing Protocols (FYI)

• “Routing by rumor”

• Each router receives a routing table from its directly connected neighbor routers.

• Router B receives information from Router A.

• Router B adds a distance vector number (such as a number of hops), which increases the distance vector.

• Then Router B passes this new routing table to its other neighbor, Router C.

• This same step-by-step process occurs in all directions between neighbor routers.


Distance Vector Network Discovery (FYI)

Topology: Network W – RTA – Network X – RTB – Network Y – RTC – Network Z

Routing Tables (Distance, Vector)

RTA                         RTB                         RTC
Net.  Hops  Exit-int.       Net.  Hops  Exit-int.       Net.  Hops  Exit-int.
W     0     <--             X     0     <--             Y     0     <--
X     0     -->             Y     0     -->             Z     0     -->

Routing Update

From RTA                    From RTB                    From RTC
Net.  Hops  Next-hop-add    Net.  Hops  Next-hop-add    Net.  Hops  Next-hop-add
W     1     RTA             X     1     RTB             Y     1     RTC
X     1     RTA             Y     1     RTB             Z     1     RTC


Distance Vector Network Discovery (FYI)

Topology: Network W – RTA – Network X – RTB – Network Y – RTC – Network Z

Existing Routing Tables (Distance, Vector)

RTA                         RTB                         RTC
Net.  Hops  Exit-int.       Net.  Hops  Exit-int.       Net.  Hops  Exit-int.
W     0     <--             X     0     <--             Y     0     <--
X     0     -->             Y     0     -->             Z     0     -->
Y     1     RTB             W     1     RTA             X     1     RTB
                            Z     1     RTC

Routing Update

From RTA                    From RTB                    From RTC
Net.  Hops  Next-hop-add    Net.  Hops  Next-hop-add    Net.  Hops  Next-hop-add
W     1     RTA             X     1     RTB             Y     1     RTC
X     1     RTA             Y     1     RTB             Z     1     RTC
Y     2     RTA             W     2     RTB             X     2     RTC
                            Z     2     RTB

New Routing Tables (Distance, Vector)

RTA                         RTB                         RTC
Net.  Hops  Exit-int.       Net.  Hops  Exit-int.       Net.  Hops  Exit-int.
W     0     <--             X     0     <--             Y     0     <--
X     0     -->             Y     0     -->             Z     0     -->
Y     1     RTB             W     1     RTA             X     1     RTB
Z     2     RTB             Z     1     RTC             W     2     RTB


Distance Vector Network Discovery (FYI)

Topology: Network W – RTA – Network X – RTB – Network Y – RTC – Network Z

Routing Tables (Distance, Vector)

RTA                         RTB                         RTC
Net.  Hops  Exit-int.       Net.  Hops  Exit-int.       Net.  Hops  Exit-int.
W     0     <--             X     0     <--             Y     0     <--
X     0     -->             Y     0     -->             Z     0     -->
Y     1     RTB             W     1     RTA             X     1     RTB
Z     2     RTB             Z     1     RTC             W     2     RTB

Convergence!
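Added example, not part of the original slides: the RTA/RTB/RTC discovery walked through above, simulated round by round until the tables stop changing. The `LINKS` layout and the synchronous-round model are assumptions taken from the slide tables; the comment in `exchange_round` marks where a router accepts a neighbour's update with no check, which is the inherent trust the later Routing Attacks slide relies on.

```python
# Constructed from the slides' topology: each router and its attached networks.
LINKS = {"RTA": ["W", "X"], "RTB": ["X", "Y"], "RTC": ["Y", "Z"]}


def neighbors(router):
    """Routers that share a directly connected network with `router`."""
    mine = set(LINKS[router])
    return [r for r in LINKS if r != router and mine & set(LINKS[r])]


def initial_tables():
    """Each router starts with its connected networks at 0 hops."""
    return {r: {net: (0, None) for net in nets} for r, nets in LINKS.items()}


def exchange_round(tables):
    """Every router advertises its whole table once; returns (tables, changed)."""
    new = {r: dict(t) for r, t in tables.items()}
    changed = False
    for sender, table in tables.items():
        for receiver in neighbors(sender):
            for net, (hops, _via) in table.items():
                candidate = hops + 1
                known = new[receiver].get(net)
                # Nothing here checks who sent the update or whether it is
                # true: a lower hop count from any neighbour is installed.
                if known is None or candidate < known[0]:
                    new[receiver][net] = (candidate, sender)
                    changed = True
    return new, changed


def converge(max_rounds=16):
    """Repeat rounds until no table changes; returns (tables, rounds_used)."""
    tables, rounds = initial_tables(), 0
    for _ in range(max_rounds):
        tables, changed = exchange_round(tables)
        if not changed:
            break
        rounds += 1
    return tables, rounds


if __name__ == "__main__":
    final, rounds = converge()
    print("converged after", rounds, "rounds")
    for router, table in final.items():
        for net, (hops, via) in sorted(table.items()):
            print(router, net, hops, via or "connected")
```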


Proactive Routing

Modify an existing link-state or distance-vector routing protocol
– Existing link-state: OSPF
– Existing distance-vector: RIPv2

Periodically distribute routing information.

Based on this information, each router maintains a routing table whose entries are the best paths to a destination network.

Short forwarding delay.

Lots of overhead and battery consumption – network topology information distribution.

Suitable for a network where the number of nodes is small and nodes have limited mobility.


Reactive Routing

Works by computing a route only when it is needed.

To forward a packet:
1) discover the route to the destination
2) send out the message.

Saves bandwidth and battery life – does not require periodic transmission of messages.

Long forwarding delays.

Most suitable for a network with
– a dynamic topology
– a large number of nodes.


Hybrid Routing

Combines the advantages of proactive routing and reactive routing

Example: Zone Routing Protocol (ZRP)
– Divide the network into zones
– Within a zone (tier-1) – run reactive routing protocols.
– Inter-zone – run proactive routing
   • Inter-zone messages are routed via zone gateways.
   • Zone gateways form the tier-2 network.


Routing Attacks

Routing in an ad hoc network is based on cooperation among the nodes in the network.
– Inherent trust relationship among nodes
– Attractive target for attacks.

Attack source
– External attacks – attacks from external nodes (not part of the network)
– Internal attacks – compromised node

Attack type
– Injecting erroneous routing information
– Replaying old routing information
– Distorting routing information

Results
– Unintended network partitioning, excessive traffic load, loops in the network, insufficient routing, total collapse of the network


Routing Attacks

Internal attacks are harder to detect – a challenging field
– Is the information invalid?
   • Network topology change?
   • Sending node compromised?
   • A compromised node can even generate a valid signature – hard to detect.


Secure Routing

Multiple paths with sufficient valid nodes
– Bypass the compromised nodes.

ARAN (Authenticated Routing for Ad Hoc Networks)
– On-demand routing
– PKI-based – routing messages are signed using a private key.
– Heavy processing overhead
– Does not protect against internal attacks from compromised nodes.

SAR (Security-aware Ad Hoc Routing)
– Uses symmetric key cryptography.
– Assigns a trust level to each node.
– Nodes at the same trust level share a symmetric key.
– Routing messages are encrypted/decrypted


Secure Routing

Non-cryptographic approach – Sergio Marti et al.
– Watchdogs
   • Per-link encryption is not applied.
   • Listen to the next node’s transmission to find out whether it forwards the packet correctly.
– Pathraters
   • Combine the information collected from the watchdogs with the routing table information to select the most robust routing links.
– Weakness
   • Hidden node problem – a possible collision at the watchdog (hidden node) or at the receiver can corrupt the information collected by the watchdog.
   • Does not protect against internal routing attacks (aimed at network partition)
   • Network partition – breaking a link between two nodes in the same network in some way.


Key Establishment and Authentication


Threshold Secret Sharing

Basis of most key establishment and authentication schemes for multi-hop ad hoc networks: PKC & PKI
– Use certificates to provide cryptographic services (confidentiality, authentication, data integrity, non-repudiation)
– Every node trusts a third party (certificate authority, CA)

Role of the CA in PKI
1. Bob → CA: request Alice’s public key.
2. CA → Bob: certificate KiCA{Alice’s public key is KWA}
3. Bob: decrypts the certificate (verifies the CA’s signature) with the CA’s public key and obtains Alice’s public key.
4. Now Bob trusts Alice’s public key.

In an ad hoc network
– Distribute the CA’s functionality
– Define a virtual CA.
– Use threshold cryptography – threshold secret sharing.


Threshold Secret Sharing

Threshold cryptography
– Divide the system secret into Q parts
– Any S (< Q) of these parts are enough to carry out a cryptographic operation.
– Q nodes possess shares of the system secret and any S of the nodes can work in coalition.
– Ex) the concept of threshold cryptography
   • f(x) = ax² + bx + c
   • f(x): cryptographic function.
   • a, b, c: secret parameters.
   • Each of 5 nodes has a different valid point for a given secret a, b, c
   • The points of any 3 nodes are enough to reconstruct the cryptographic function.
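Added example, not part of the original slides: the quadratic from the slide worked through with Q = 5 nodes and S = 3, using Lagrange interpolation to rebuild a, b, c from any three points and showing that two points leave every value of c possible. Arithmetic modulo the prime 2^127 − 1, the x-coordinates 1..5 and all function names are assumptions; the slide names no field or encoding.

```python
import secrets
from itertools import combinations

P = 2**127 - 1  # prime modulus (assumption: the slide does not name a field)


def f(coeffs, x):
    """The slide's f(x) = a*x^2 + b*x + c, evaluated mod P."""
    a, b, c = coeffs
    return (a * x * x + b * x + c) % P


def make_shares(coeffs, q=5):
    """Give each of q nodes one point (x, f(x)); x = 1..q is an assumption."""
    return [(x, f(coeffs, x)) for x in range(1, q + 1)]


def times_x_minus(poly, root):
    """Multiply a polynomial (lowest power first) by (x - root) mod P."""
    out = [0] * (len(poly) + 1)
    for i, coef in enumerate(poly):
        out[i] = (out[i] - root * coef) % P
        out[i + 1] = (out[i + 1] + coef) % P
    return out


def reconstruct(points):
    """Lagrange interpolation: recover (a, b, c) from exactly S = 3 points."""
    if len(points) != 3 or len({x for x, _ in points}) != 3:
        raise ValueError("need exactly 3 shares with distinct x")
    total = [0, 0, 0]
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                basis = times_x_minus(basis, xj)
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        for k in range(3):
            total[k] = (total[k] + scale * basis[k]) % P
    c, b, a = total
    return (a, b, c)


def fits_two_shares(two_shares, guessed_c):
    """With only 2 shares, any guess for c still yields a matching quadratic."""
    return reconstruct([(0, guessed_c % P)] + list(two_shares))


if __name__ == "__main__":
    secret = tuple(secrets.randbelow(P) for _ in range(3))  # a, b, c
    shares = make_shares(secret)
    ok = all(reconstruct(list(t)) == secret for t in combinations(shares, 3))
    print("every 3-of-5 subset rebuilds f:", ok)
```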


Threshold Secret Sharing

Servers in the virtual CA
– Each server securely initializes its share of the system secret.
– Each server knows the public keys of all nodes which can join the ad hoc network.

Authentication in PKC
1. A → B: rand
2. B → A: EiB(rand)
3. A: decrypts B’s response and compares the two rand values.

Authentication in threshold PKC
1. A → *: request B’s certificate
2. CA servers → combiner: partial certificates for B
3. Combiner: generates the complete certificate from S partial certificates.
4. Combiner → A: B’s certificate.


Threshold Secret Sharing (TSS)

How to verify the validity of the complete key
– The public key of the virtual CA is known to all nodes.
– The combiner can verify the complete certificate by decrypting it.
– If verification fails, the combiner can use another partial certificate.

What if the combiner is compromised?
– Assign the role of combiner to a server which is more secure.
– Use multiple combiners.
   • To protect against attacks over a long-term period – periodically update the shared secrets.

What was the assumption in TSS?
– Secure initialization of the shared secrets on Q servers.
– Each server can be configured securely with the public keys of all nodes which can potentially join the ad hoc network.
– How to reduce the dependency of the system on this assumption? – see text p. 209.


Confidentiality and Integrity

After authentication, perform a suitable key establishment protocol to establish a session key for the confidentiality and integrity services.

Because of limited processing power, most ad hoc networks would prefer to use a stream cipher for encryption and an integrity algorithm. But be careful when using a stream cipher in a wireless environment.


Bluetooth


Features of Bluetooth

Wireless ad hoc networking technology

Operates in the unlicensed 2.4 GHz frequency range (Industrial, Scientific and Medical (ISM) band).

Geographical coverage limited to personal area networks (PANs)

Point-to-point and point-to-multipoint links

Supports synchronous and asynchronous traffic

Concentrates on single-hop traffic.

FHSS with GFSK modulation

Low power and low cost given important consideration

Adopted as the IEEE 802.5.1 PHY and MAC standard (Wireless Personal Area Network standard).


Applications of Bluetooth

Cell phone

Interconnecting the various components (keyboard, mouse, monitor, …) of a PC.

Imagine your application?


Bluetooth Basics

Piconet concept
– One master and up to seven active slaves (8 devices in a cell)
– A device may participate in more than one piconet simultaneously.

Scatternet – joining more than two piconets.
– Rare in commercial deployments: routing and timing issues.


Security Modes

Only single-hop piconets are considered in this study.

Bluetooth defines the layer 1 and 2 protocols.

To support a wide range of applications, it tries to solve the problem of interoperability.
– Defines application profiles (pf).

Application pf
– Defines an unambiguous description of the communication interface between two Bluetooth devices for one particular service or application.
– Basic pf – fundamental procedures for Bluetooth communication.
– Special pf – defined for distinct services or applications
– New pfs can be built from existing pfs, allowing hierarchical pfs.


Profiles in Bluetooth

Each service or application selects the appropriate pf depending on its needs.

Each application may have different security requirements

Each pf may define different security modes.

GAP (Generic Access Profile)
– Discover Bluetooth devices
– Link management


Bluetooth Protocol stack


Security Modes

Security mechanisms – implemented at the layer 2 link level.

Bluetooth security does not provide end-to-end security.

Does not deal with application layer security

Implementation
– Authentication procedure – must
– Encryption procedure – may or may not

But usage is a different matter
– The master and slave decide on the use of each procedure


Security Modes

Mode 1: unsecured mode
– If a peer wishes to authenticate, the other peer must respond to the challenge.
– If a peer wishes to encrypt, the other peer must use encryption if it supports it.

Mode 3: always-on security mode
– Always initiates authentication
– Encryption is not compulsory.
– If a peer wants encryption, it is left to the higher layer

Mode 2: intermediate
– Everything is left to the higher-layer security manager.


Security levels

Device level: “trusted device” and “untrusted device.”
– Trusted devices have unlimited service access

Service security levels:
– Services that require authorization and authentication.
– Services that require authentication only.
– Services that are open to all devices


Key Establishment


Pass Key

Top-level key = Pass-Key (PKEY)
– Variable PKEYs
   • Chosen at the time of pairing
   • The user enters it during the pairing process
   • Usage scenario: conference room Bluetooth network with notebooks.
– Fixed PKEYs
   • Preconfigured into the Bluetooth device.
   • Usage scenario: network between the headset and the cell phone.
– Can be as long as 127 bits (the exact length is not specified)
– PKEY → Link Key
   • If the PKEY is small, a dictionary attack is possible.


Initialization Key (KINIT)

Short-lived temporary key.

Used only during the pairing process.


Link Key (LK)

Shared secret when the pairing sequence ends.

Unit link key
– Deprecated because of security holes.

Combination link key
– Derived from an existing link key
   • When devices communicate repeatedly, they store this link key for reuse.
   • Maintain <remote_device_address, link_key> pairs
– Derived from the initialization key (KINIT)

3 sources of the link key
– Use an existing link key.
– Use an existing link key to generate a fresh link key.
– Use the initialization key KINIT to generate a link key.


Combination Link Key Generation

KSTART : existing LK or KINIT


Encryption Key (CK of KC)


Constraint Key (Kc’) & Payload Key

Because of export restrictions (key size limitation)
• Implemented in hardware using linear feedback and feed forward registers.

Payload Key (KP)


Broadcast Key Hierarchy

Unicast: a master → a slave

Broadcast: a master → * (with special address)
• An overlay key can then be used for conveying the master key to each of the slaves.

Temporary key, never reused


The Algorithms

E0: stream cipher

E1, E3, E21, E22: 128-bit block cipher SAFER+ (was an AES candidate)


Authentication

Two parties
– Claimant (claims a certain identity) and verifier
– Either the master or the slave can act as verifier, depending on the upper layer.

Who the verifier is depends on the higher layers


Authentication

ACO: used to generate KC (the encryption key).
– Serves to link the authentication process to the rest of the session.
– For mutual authentication there are two ACOs – the last ACO is used in KC generation.


Confidentiality


Bluetooth Packet Format

Access code – unencrypted
– Derived from the MAC address of the piconet’s master.
– Uniquely identifies a piconet; identifies the packets belonging to the piconet.
– Used by slaves to synchronize their clocks to the master’s clock.

Header: not encrypted

Payload: encrypted
– The CRC is appended before encryption.
– Stream cipher – in a wireless medium, a security loophole.
   • Changing the key per packet – CK-VAL (changes every 625 usec)


Integrity Protection

CRC – same loopholes as WEP (Chapter 7).

Some attacks on Bluetooth
– Algebraic attack and correlation attack on E0
   • Frequent payload key changes protect against the correlation attack.
– Packet header has no protection – link layer attack.
– Snarf attack – possible to connect to a cell without the knowledge of the owner.
   • Can access the phone book, calendar, clock, IMEI (clone)
   • Ericsson, Nokia
– Backdoor attack
– BlueBug
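Added example, not part of the original slides: why a CRC appended before stream encryption gives no integrity protection, shown beside an encrypt-then-MAC packet that rejects the same in-transit change. The SHA-256 counter keystream is a stand-in for E0, and the CRC-CCITT initial value of 0, the keys, the clock value and the payload are constructed assumptions.

```python
import binascii
import hashlib
import hmac


def keystream(key: bytes, clock: int, n: int) -> bytes:
    """Per-packet keystream; SHA-256 in counter mode stands in for E0."""
    out, counter = b"", 0
    while len(out) < n:
        block = key + clock.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc16(data: bytes) -> bytes:
    # CRC-CCITT with initial value 0 (assumption); linear over XOR.
    return binascii.crc_hqx(data, 0).to_bytes(2, "big")


def seal_crc(key, clock, payload):
    """Layout from the slide: append the CRC, then encrypt payload and CRC."""
    plain = payload + crc16(payload)
    return xor(plain, keystream(key, clock, len(plain)))


def open_crc(key, clock, packet):
    plain = xor(packet, keystream(key, clock, len(packet)))
    payload, crc = plain[:-2], plain[-2:]
    return payload if crc == crc16(payload) else None


def mac_tag(mac_key, clock, ciphertext):
    msg = clock.to_bytes(4, "big") + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def seal_mac(enc_key, mac_key, clock, payload):
    """Hardened variant: encrypt, then a keyed MAC over clock and ciphertext."""
    ct = xor(payload, keystream(enc_key, clock, len(payload)))
    return ct + mac_tag(mac_key, clock, ct)


def open_mac(enc_key, mac_key, clock, packet):
    ct, tag = packet[:-32], packet[-32:]
    if not hmac.compare_digest(tag, mac_tag(mac_key, clock, ct)):
        return None
    return xor(ct, keystream(enc_key, clock, len(ct)))


def compare_integrity_checks():
    """Apply the same keyless bit change to both packet types."""
    enc_key, mac_key, clock = b"k" * 16, b"m" * 16, 7  # constructed values
    payload = b"level=1"
    delta = xor(b"level=1", b"level=9")  # bits changed in transit
    crc_pkt = seal_crc(enc_key, clock, payload)
    # CRC(p XOR d) = CRC(p) XOR CRC(d), so the trailer can be patched too.
    crc_mod = xor(crc_pkt, delta + crc16(delta))
    mac_pkt = seal_mac(enc_key, mac_key, clock, payload)
    mac_mod = xor(mac_pkt, delta + bytes(32))
    return {
        "crc_untouched": open_crc(enc_key, clock, crc_pkt),
        "crc_modified": open_crc(enc_key, clock, crc_mod),
        "mac_untouched": open_mac(enc_key, mac_key, clock, mac_pkt),
        "mac_modified": open_mac(enc_key, mac_key, clock, mac_mod),
    }


if __name__ == "__main__":
    for name, result in compare_integrity_checks().items():
        print(name, result)
```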
