
Ch 6. Security in WMNs

Ch 6. Security in WMNs. Myungchul Kim mckim@icu.ac.kr. Generic security services. Security technology overview. IEEE 802.11i (Wi-Fi Protected Access: WPA, WPA2). A shared key or AAA server. Extensible authentication protocol (EAP).


Presentation Transcript


  1. Ch 6. Security in WMNs Myungchul Kim mckim@icu.ac.kr

  2. Security technology overview: Generic security services

  3. Security technology overview: IEEE 802.11i (Wi-Fi Protected Access: WPA, WPA2)
     - A shared key or AAA server
     - AAA server
       - Extensible authentication protocol (EAP)
       - EAP: EAPOL between MS and AP, and RADIUS between AP and AAA server
       - Master session key (MSK)

  4. Security technology overview: IEEE 802.11i (Wi-Fi Protected Access: WPA, WPA2)

  5. Security technology overview
     - IPsec and virtual private networks
     - Transport layer security protocol (TLS)
     - Secure socket layer (SSL)
     - S/MIME or PGP

  6. Mesh usage scenarios
     - Mesh node (MN), user node (UN), mesh user node (MUN)
     - Ad hoc mesh networks: managed or open networks

  7. Mesh usage scenarios: Factors distinguishing the usage scenarios

  8. Mesh usage scenarios
     - Single administrative domain
       - Keep the outsiders out
       - Shared key or node certificate
     - Network infrastructure extension
       - The mesh network is used by end users to access the infrastructure network
       - Security of infrastructure network access by end users and security within the mesh extension itself
     - Mesh federation
       - The MNs forming a mesh network belong to different administrative domains (operators)
     - Community mesh
       - Not knowing or even trusting each other

  9. Mesh security issues
     - Ad hoc networks vs WMNs
     - Security challenges
       - Multihop wireless communications
       - Nodes are not physically protected
       - Use of wireless links
       - Dynamic: topology and membership
       - The same security solution may not work for both mesh routers and mesh clients
     - Overview of potential attacks to WMNs
       - External attacks vs internal attacks
       - Passive and active attacks
       - Protocol layers

  10. Mesh security issues: Attack types for MANET
     - Impersonation
     - Sinkhole attack
       - Behaving as the “logical” next hop for forwarding packets and dropping them
     - Wormhole attack
       - Use a malicious path through legitimate means
     - Selfish and greedy behavior attack
       - Increase own share of the common transmission resource
     - Sybil attack
       - A malicious node pretends to have the identities of several nodes
       - Geographic routing protocols?
     - Sleep deprivation
       - Request services from a certain node over and over again
     - DoS and flooding

  11. Mesh security issues: Authentication
     - Hard in WMN because of the open nature of wireless communication
     - Approaches
       - PSK authentication
       - Certificate authentication
     - How to enable the authentication across different domains?
     - Authentication to roaming UNs?
     - Authentication of MNs?
     - Examples
       - Wireless Dual Authentication Protocol (WDAP)
       - Secure Unicast Messaging Protocol (SUMP)

  12. Mesh security issues: Secure MAC layer
     - IEEE 802.11: nodes that are heavily loaded tend to capture the channel by continually transmitting data, thereby causing lightly loaded neighbors to back off again and again -> unfairness
     - Attacks
       - Flooding attack
       - Jamming attack by jamming the RTS signal
       - Sleep deprivation attack
       - Packet dropping attack
     - Countermeasures to selfish misbehavior
       - Catch: makes the cooperative neighbors of a selfish node disconnect it from the rest of the network

  13. Mesh security issues
     - Countermeasures to greedy misbehavior
       - The receiver can detect any misbehavior of the sender and penalize it by increasing the back-off value
       - DOMINO
     - Countermeasures to MAC-layer DoS attacks
       - Single adversary attack and two colluding adversaries
       - Ways
         - Fair MAC protocol
         - Protecting traffic flow
         - Distance adjustment

  14. Mesh security issues: Secure routing
     - Threats for ad hoc mesh routing functionality
       - Eavesdropping
       - Sinkhole, wormhole
       - Routing table overflow: attempts to create routes to nonexistent nodes
       - Rushing attack: an attacker forwards RREQs more quickly than legitimate nodes can do so. Thus, …
       - Sleep deprivation
       - Location disclosure

  15. Mesh security issues: Secure routing
     - A secure ad hoc mesh routing protocol should fulfill:
       - Certain discovery
       - Isolation: immune to malicious nodes
       - Lightweight computation
       - Location privacy
       - Self-stabilization
       - Byzantine robustness: a stricter version of the self-stabilization property

  16. Mesh security issues: Cryptography-based solutions
     - Authenticated routing for ad hoc networks (ARAN): utilizes cryptographic certificates to achieve authentication and nonrepudiation
     - Secure routing protocol (SRP): a shared key
     - Secure efficient ad hoc distance vector (SEAD): DSDV, hash chains to authenticate hop counts and sequence numbers
     - Secure ad hoc on-demand distance vector routing (SAODV): AODV, digital signatures and hash chains

  17. Mesh security issues
     - Reputation-based solutions
       - The pathrater assesses the results of the watchdog and selects the most reliable path for packet delivery.
     - Add-ons to existing protocols
       - Security-aware ad hoc routing utilizes a security metric for the route discovery and maintenance functions.
     - Countermeasures to specific attacks
       - In best-effort fault tolerant routing, path redundancy is used to tolerate misbehavior by using disjoint routes.

  18. Mesh security issues: Key management and communications security
     - Key management: supports the establishment and maintenance of keying relationships between authorized parties.
     - How to distribute initial keys?
       - A suitable infrastructure can be used
       - A single stakeholder
       - A public-key infrastructure
       - Security master

  19. Mesh security issues: Key management and communications security
     - For routing traffic, options are
       - No security at all
       - Protect integrity of routing messages through a MAC
       - Protect integrity of routing messages through a digital signature in a hop-by-hop mode
       - Protect integrity of routing messages through a digital signature in an end-to-end mode
       - Confidentiality of routing messages
     - For the protection of user data, options are
       - No security at all
       - Secure communication within a group that shares a secret group key
       - Secure end-to-end communication using public-key cryptography

  20. Mesh security issues: Intrusion detection
     - Use “training” data to determine characteristics of normal routing table updates and normal MAC layer.

  21. Concrete proposals: System proposals
     - Tropos
       - 802.1x/EAP-based authentication against a AAA-server (RADIUS)
       - A secure IPsec-based VPN

  22. Concrete proposals: Authentication protocols
     - WDAP for IEEE 802.11 WMNs
     - SUMP for sensor networks
     - The overhead at the server side
     - Wireless dual authentication protocol (WDAP)
       - Mitigation of the overhead of 802.11i
       - The authentication is already completed when the UN arrives within the range of the next AP
       - A key caching option to allow the UN and the AP to remember the last used PMK
       - Since both WS and AP are assumed not to trust each other until the AS authenticates both of them.

  23. Concrete proposals: Authentication protocols
     - Wireless dual authentication protocol (WDAP)

  24. Concrete proposals: Authentication protocols
     - Wireless dual authentication protocol (WDAP)

  25. Concrete proposals: Authentication protocols
     - Wireless dual authentication protocol (WDAP)
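
Slide 16 says SEAD uses hash chains to authenticate hop counts and sequence numbers. The following is an added example, not part of the presentation: a simplified sketch of that idea in which a relay can hash forward to add a hop but cannot reverse the hash to claim a shorter or fresher route. The bounds `M` and `S`, the use of SHA-256, the function names and the sample seed are assumptions.

```python
import hashlib
import hmac

M, S = 4, 5   # assumed bounds: hop counts 0..M-1, sequence numbers 1..S

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def make_chain(seed: bytes) -> list:
    """chain[0] = seed, chain[i] = H(chain[i-1]); chain[M*S] is the anchor."""
    chain = [seed]
    for _ in range(M * S):
        chain.append(H(chain[-1]))
    return chain

def index(seq: int, hops: int) -> int:
    # Newer sequence numbers use earlier (not yet derivable) chain elements;
    # within one sequence number, each extra hop is one hash further along.
    return (S - seq) * M + hops

def advertise(chain: list, seq: int) -> dict:
    """Origin's own route update: hop count 0 for the given sequence number."""
    return {"seq": seq, "hops": 0, "auth": chain[index(seq, 0)]}

def forward(update: dict) -> dict:
    """An honest relay adds one hop and hashes the authenticator once."""
    return {"seq": update["seq"], "hops": update["hops"] + 1,
            "auth": H(update["auth"])}

def verify(update: dict, anchor: bytes) -> bool:
    """Hash the authenticator up to the end of the chain and compare."""
    seq, hops = update["seq"], update["hops"]
    if not (1 <= seq <= S and 0 <= hops < M):
        return False
    value = update["auth"]
    for _ in range(M * S - index(seq, hops)):
        value = H(value)
    return hmac.compare_digest(value, anchor)

# Constructed sample run; the anchor is assumed to reach verifiers authentically.
chain = make_chain(b"constructed-seed-for-node-A")
anchor = chain[-1]
honest = forward(forward(advertise(chain, seq=3)))   # two hops from the origin
shorter = dict(honest, hops=1)                       # claims a shorter route
newer = dict(honest, seq=4)                          # claims a fresher route
results = [verify(u, anchor) for u in (honest, shorter, newer)]
print(results)
```

The chain stops a relay from lowering the hop count or raising the sequence number; it does not stop a relay from re-advertising the hop count it received without incrementing it.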
