560 likes | 735 Vues
Network Security. Chapter 8. Security in Wireless Ad Hoc Networks. Objectives. Introduction Routing in Multihop Ad Hoc Networks Key Establishment and Authentication Confidentiality and Integrity Loopholes Bluetooth. Additional slide for the previous week.
E N D
Network Security Chapter 8. Security in Wireless Ad Hoc Networks
Objectives • Introduction • Routing in Multihop Ad Hoc Networks • Key Establishment and Authentication • Confidentiality and Integrity • Loopholes • Bluetooth
IntroductionWhat is Ad Hoc Network?What is the characteristic?
What is Ad Hoc Network? • Ad Hoc Networks • Network formed on-the-fly (ad hoc, or as-needed basis) • Mainly refer to Wireless Ad Hoc network • Mobile Ad Hoc Networks(MANETs) • Nodes forming the network are mobile. • Usage scenario
Limitations • No dedicated routing devices • Nodes themselves have to act as routers • Network topology may change rapidly and unpredictably as nodes move. • Other things – Battery life, bandwidth.
Classification • Geographically • Personal area networks(PANs) • Wide area networks(WANs) • Node’s capability of acting as router • Single-hop ad hoc network • Multi-hop ad hoc network – nodes have routing capability. • Normally • PAN – Single hop • Ad hoc LAN & Ad hoc WAN – multi-hop
Routing in Multi-hop Ad Hoc NetworksWhy routings are problem in a Multi-hop Ad Hoc Network?
Distance Vector Routing Updates(FYI) • RIP – Hop Count • IGRP and EIGRP – Bandwidth, Delay, Reliability, Load No! MTU is never used as a routing metric. Some documentation is incorrect on this item.
Distance Vector Routing Protocols-(FYI) • Router B receives information from Router A. • Router B adds a distance vector number (such as a number of hops), which increases the distance vector. • Then Router B passes this new routing table to its other neighbor, Router C. • This same step-by-step process occurs in all directions between neighbor routers. • “Routing by rumor” • Each router receives a routing table from its directly connected neighbor routers.
Distance Vector Network Discovery-(FYI) Routing Update
Distance Vector Network Discovery-(FYI) Routing Update
Distance Vector Network Discovery-(FYI) Convergence!
Proactive Routing • Modify existing link state or distance-vector routing protocol • Existing link state : OSPF • Existing distance-vector : RIPv2 • Periodically distribute routing information. • Based on this information, each router maintains routing table which entries are best paths for a destination network. • Short forwarding delay. • Lots of overhead and battery life – network topology information distribution. • Suitable for a network where the number of nodes is small and nodes have limited mobility.
Reactive Routing • Work by computing a route only when it is needed. • To forward a packet. • discover the route to the destination • sends out the message. • Saving bandwidth and battery life – do not require periodic transmission of messages. • Long forwarding delays. • Most suitable for a network • dynamic topology • A large number of nodes in the network.
Hybrid Routing • Combine the advantage of proactive routing and reactive routing • Example : Zone Routing Protocol (ZRP) • Divide the network into zone • Within a zone (tire-1) – run reactive routing protocols. • Inter-zone – run proactive routing, inter zone message – routed via zone gateway. zone gateway forms tire-2 network.
Routing Attacks • Routing in ad hoc network is based on cooperation among nodes in the network. • inherent trust relationship among nodes • Attractive target for attacks. • Attacking source • External attacks – attack from external nodes (not part of the network) • Internal attacks – compromised node • Attacking type • Injecting erroneous routing information • Replying old routing information • Distorting routing information • Results • Unintended network partitioning, excessive traffic load, loops in the network, insufficient routing, total collapse of the network
Routing Attacks • Internal attacks are more harder to detect – challenging field • Information is invalid ? • Network topology change? • Sending node compromised? • Compromised node even can generate valid signature.- hard to detect.
Secure routing • Multiple path with sufficient valid nodes • Bypass the compromised nodes. • ARAN (Authenticated Routing for Ad Hoc Networks) • On-demand routing • PKI-based – signing routing massage using private key. • Heavy processing overhead • Does not protect against internal attack from compromised nodes. • SAR (Security-aware Ad Hoc Routing) • Use Symmetric Key Cryptography. • assign a trust level to each node. • Nodes at the same trust level shares symmetric key. • routing message is encrypted/decrypted
Secure Routing • Non cryptographic approach – Sergio Marti et al. • Watchdogs • Per-link encryption is not applied. • listen to the next node’s transmission to find out it forwards the packet correctly. • Pathraters • Combines the information collected from the watchdogs with the routing table information to select the most robust routing links. • Weakness • Hidden node problem – possibility of collision at the watchdog (hidden node) or the receiver. corrupt the information collected by watchdog. • Does not prevent against internal routing attack (aim to network partition) • Network partition – break a link between two nodes in the same network in some way.
Threshold Secret Sharing • Basis of most key establishment and authentication schemes for multi-hop ad networks. • PKC & PKI • use certificate to provide cryptographic service (confidentiality, authentication, data integrity, non-repudiation) • every node trust a third party (Certificate authority) • Roles of CA in PKI • Bob CA : request Alice’s Public key. • CA Bob: Certificate KiCA{ Alice’s Public key is KWA} • Bob : decrypt the certificate (verify the CA’s signature) with CA’s public key and obtain Alice’s public key. • Now Bob trust Alice’s public key. • In Ad Hoc network • distribute CA’s functionality • Define virtual CA. • Use threshold cryptography – threshold secret sharing.
Threshold Secret Sharing • Threshold cryptography • Divide the system secret into Q parts • Any S(< Q) of these parts are enough to carry out a cryptographic operation. • Q nodes poses shares of the system secret and any S of the node can work in coalition. • Ex) the concept of threshold cryptography • f(x) = ax2 + bx + c. • f(x) : cryptographic function. • a, b, c : secret parameter. • each 5 nodes have a different valid point for a given secret a, b, c • if 3 nodes points is enough to reconstruct the cryptographic function.
Threshold Secret Sharing • Server in virtual • Initialize securely its share of the system secret. • A server knows the public key of all nodes which can join the ad hoc network. • Authentication in PKC • A B : rand • B A : EiB(rand) • A : decrypt B’s response and compare two rand value. • Authentication in threshold PKC • A * : request B’s certificate • CA server combiner : partial certificate for B • Combiner : generate complete certificate with S partial certificate. • Combiner A : B’s certificate.
Threshold Secret Sharing (TSS) • How to verify the validity of complete key. • Public key of the virtual CA is known to all nodes. • Combiner can verify the complete certificate by decrypting the complete certificate. • If verifying fails, combiner can use another partial certificate. • What if the combiner is compromised? • Assign the role of combiner to a server which is more secure. • Use multiple combiners. • To protect against attack over long term period – periodically update the shared secrets. • What was the assumption in the TSS? • Secure initialization of shares secrets on Q servers. • Each server can be configured securely with the public keys of all nodes which can potentially join the ad hoc network. • How to reduce the dependency of the system on this assumption? – see text p.209.
Confidentiality and Integrity • After Authentication, perform a suitable key establishment protocol to establish a session key for the confidentiality and integrity service. • Because of limited processing power, most ad hoc would prefer to use stream cipher for encryption and an integrity algorithm. But be careful to use stream cipher in wireless environment.
Features of Bluetooth • Wireless ad hoc networking technology • Operates in the unlicensed 2.4GHz frequency range (Industrial Scientific and Medical (ISM) band). • Geographical coverage limited to personal areas networks (PAN) • Point-to-point and point-to-multipoint links • Support synchronous and asynchronous traffic • Concentrate on single-hop traffic. • FHSS with GFSK modulation • Low power and low cost given important consideration • Adopted as the IEEE 802.5.1 PHY and MAC standard. (Wireless Personal Area Network standard )
Applications of Bluetooth • Cell phone • Interconnecting the various components (keyboard, mouse, monitor, ….) of PC. • Imagine your application?
Bluetooth Basics • Piconet concept • one master and up to seven active slaves (8 devices in a cell) • A device may participate in more than one piconet simultaneously. • Scatternet – joining more than two piconets. • rare in commercial deployments : routing and timing issue.
Security Modes • Only focus on Single-hop piconets in this study • Bluetooth define layer 1 & 2 protocol. • For the wide range application, tried to solve the problem of interoperability. • Defines application profiles (pf). • Application pf • Defines an unambiguous description of the communication interface between two Bluetooth devices or one particular service or application. • Basic pf - Fundamental procedure for Bluetooth communication. • Special pf – defined for distinct service or applications • Build new pf with existing pf allowing hierarchical pf.
Profiles in Bluetooth • Each service or application selects the appropriate pf depending on its needs. • Each application may have different security requirements • Each pf may define different security modes. • GAP (Generic Access profile) – Discover Bluetooth device • Link management
Security Modes • Security mechanism – implemented in Layer 2 link level. • Bluetooth security does not provide end-to-end security. • Dose not deal with application layer security • Implementation • Authentication procedure – must • Encryption procedure – may or may not • But usages are different aspect • master and slaver decide the use of each procedures
Security Modes • Modes 1 : Unsecured mode • If peer wish to auth. – another peer must respond to the challenge. • If peer with to enc.- another peer most use enc if it supports it. • Modes 3 : always on security mode • Always initiate authentication • Encryption is not compulsory term. • If peer want encryption left to higher layer • Modes 2 : intermediate • All things are left to higher layer security manager.
Security levels • Device level : "trusted device" and "untrusted device.“ • Trusted device have unlimited service access • Services security levels: • Services that require authorization and authentication. • Services that require authentication only. • Services that are open to all devices
Pass Key • Top level key = Pass-Key (PKEY), • Variable PKEYs – chosen at the time of pairing • chosen at the time of pairing • user enters during pairing process • Usage scenario : conference room Bluetooth network with notebook. • Fixed PKEYs • Preconfigured into the Bluetooth device. • Usage scenario : network between the headset and cell phone. • can be as long as 127bits (not specify the exact length) • PKEY Link Key • If PKEY is small the dictionary attack is possible.
Initialization Key( KINIT ) • Short-lived temporary key. • Used only during the pairing process.
Link Key( LK ) • Shed secret when the pairing sequences ends. • Unit link key • Deprecated because of the security holes. • Combination link key • Derived from existing link key • When devices are repeatedly communicate, store this link key to reuse. • Maintain <remote_device_address, link_key> pairs • Derived from initialization key( KINIT) • 3 source of link key • Use an existing link key. • Use an existing link key to generate a fresh link key. • Use the initialization key KINIT to generate a link key.
Combination Link Key Generation • KSTART : existing LK or KINIT
Constraint Key( Kc’) & Payload Key • Because of export restriction( key size limitation ) • Implemented in hardware using linear feedback andfeed forward registers. • Payload Key (KP)
Broadcast Key Hierarchy • Unicast : a master a slave • Broadcast : a Master * (with special address) • overlay key can then be used for conveying the Master Key to each of the slaves. • Temporary key, never reused
The Algorithms • E0 : stream cipher • E1,E3, E21, E22 : 128bit block cipher SAFER+ (was a candidate of AES)
Authentication • Two party : • Claimant (claims a certain identity), verifier • Master and slave can acts as verifier depends on the upper layer. Who is the verifier depends on higher layers
Authentication • ACO : used to generate KC (encryption key). • Serves to link authentication process to rest of the session. • For mutual authentication two ACOs – last ACO is used in KC gen.