Post on 19-Dec-2015
Student: 蔡憲邦    Advisor: Dr. 柯開維
Design of Efficient and Secure Multiple Wireless Mesh Network
A Secure and Self-Organizing Wireless Mesh Network (具安全性及自我組織能力的無線網狀網路)
2005/7/15 2
Outline
- Introduction
- Background
- Design a Secure WMN
- Security Analysis
- Conclusion
Introduction (1/2)
- Wireless mesh network: properties; security problem
- Wireless security: problems and attacks; secure solutions
Introduction (2/2)
This thesis:
- Tree topology
- Define the WMN's basic functions
- Security issues
- Compare with other security issues
Wireless Mesh Network (WMN)
- Full and partial mesh networks
- Omnidirectional and directional antennas
- Benefits: reduced installation cost; large-scale deployment (last mile); reliability; self-management
WMN's Architecture
[Figure: WMN architecture, showing the wired network, wireless gateways, access points (APs) and mobile nodes.]
Wireless Security
- Wireless environment: open medium; unlicensed ISM band
- Wireless attacks: infrastructure mode; ad hoc mode
Wireless Attacks
- Infrastructure: insertion; interception and monitoring; jamming
- Ad hoc: black hole; impersonation
Wireless Security Solutions
- Main purposes: authentication; data encryption
- Infrastructure: WEP; IEEE 802.1x
- Ad hoc: shared key; public key infrastructure (PKI)
WEP
- Wired Equivalent Privacy: integrity and encryption
- Drawbacks: key size is too small (only 40 bits); key sequence reuse (initialization vector); messages cannot be authenticated
IEEE 802.1x (1/2)
- Provides network access authentication.
- Roles: Supplicant, Authenticator and Authentication Server.
- Drawbacks: one-way authentication; the authentication exchange itself is not protected.
IEEE 802.1x (2/2)
Message sequence between Supplicant, Authenticator and Authentication Server:
- Authentication
- Association
- EAPOL start
- EAP req
- EAP res
- forward(unicast, Auth_message)
- req_auth(unicast, auth_info)
- req_auth(auth_info)
- res_auth(auth_info)
- res_success
- session key exchange
Shared Key
- One key is used for both authentication and encryption in an ad hoc network.
- Drawbacks: only one key; no non-repudiation; key management.
Public Key Infrastructure
- Key feature of a public key cryptosystem: two keys, a public key and a private key; it is computationally infeasible to determine the decryption key.
- Drawbacks: requires a Certificate Authority (CA); encryption and decryption take a lot of time.
Outline
- Introduction
- Background
- Design a Secure WMN
- Security Analysis
- Conclusion
The Properties of WMN
- Similar to an ad hoc network: an AP should select a routing path.
- The routing path is always fixed.
- Most data are sent to the wireless gateway (WG).
- My proposal: tree topology.
Tree Topology
[Figure: tree topology over nodes A to J, panels (a) and (b).]
WMN's Relationships
- Supplicant
- Authentication Agent (AA): manages supplicants; helps supplicants to authenticate.
- Management System (MS): authentication server; maintains the WMN.
[Figure (b): tree of nodes A and D to J with the Authentication Agent, Supplicant and Management System (MS) roles marked.]
Locally Secure Management
- Different path, different secure channel.
- An AA only maintains its own supplicants.
- Session key; authentication.
[Figure: tree of nodes a to h with steps (1) to (10) marked along the paths.]
Two Functions of WMN
- Self-Organization: when a new AP joins...
- Self-Configuration:
  - Self-healing: when an AP fails...
  - Self-reconfiguration: when a non-neighbor AP joins or fails...
Self-Organization
Message sequence between Supplicant, Authentication Agent and Management System:
1. Req_Start(broadcast)
2. Resp_Start(unicast, infos)
3. Req_Join(unicast, join_message)
4. Session Key Exchange
5. Req_Join_f(unicast, join_message)
6. Resp_join_f(unicast, auth_infos)
7. Req_Auth(unicast)
8. Resp_Auth(unicast, auth_info)
9. Resp_Success(node_id, Sign)
10. Session Key Exchange
Trust Model
- Supplicant → WMN: group key; session key exchange first; key confirmation through authentication.
- WMN → Supplicant: the WMN's public key signature.
Choose Authentication Agent
Two factors: hop count and node loading.
1. Choose the node with the smallest hop count value.
2. If two nodes have equal hop count values:
   1. Compare their node loading values.
   2. Select the smaller one.
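The two-factor rule above, with hop counts taken from the tree topology the thesis proposes, as an added Python example (not the thesis's code; the topology, the loading values and the modelling of Req_Start/Resp_Start replies are constructed assumptions):

```python
"""Authentication Agent selection for a joining AP (added example, not the
thesis's code). The WMN is a tree rooted at the wireless gateway, so hop counts
come from that tree; the joiner broadcasts Req_Start, each neighbour in range
answers Resp_Start with its hop count and loading, and the joiner applies the
two-factor rule: smallest hop count, ties broken by smaller loading.
'loading' is a constructed metric (supplicants already managed); the slides
do not define its unit."""
from collections import deque

def hop_counts(tree_edges, gateway):
    """Breadth-first hop count of every node from the wireless gateway."""
    adj = {}
    for a, b in tree_edges:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    hops, queue = {gateway: 0}, deque([gateway])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops

def choose_aa(resp_start, hops):
    """resp_start maps each responding neighbour -> its node loading.
    Returns (chosen AA, the joiner's own hop count = AA's hop count + 1)."""
    if not resp_start:
        raise ValueError("no Resp_Start heard: no candidate AA in range")
    # Tuple order implements the rule: hop count first, loading second,
    # node name last only to make the choice deterministic.
    best = min(resp_start, key=lambda n: (hops[n], resp_start[n], n))
    return best, hops[best] + 1

# Constructed topology using the slide's letters: gateway A at the root.
TREE = [("A", "B"), ("A", "C"), ("B", "D"), ("B", "E"), ("C", "F")]
HOPS = hop_counts(TREE, "A")

def demo():
    # A new AP hears D (hop 2, loading 1), E (hop 2, loading 3), C (hop 1, loading 5).
    # C wins on hop count even though it is the most loaded candidate.
    return choose_aa({"D": 1, "E": 3, "C": 5}, HOPS)   # -> ("C", 2)
```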
Session Key Exchange
- Session key exchange comes first.
- The session key should be changed periodically.
- Default key: groupK
Session key update flowchart (Supplicant and Authentication Agent):
Supplicant:
1. Send Key_Update to the Authentication Agent.
2. Receive the new key.
3. Send Key_Updated encrypted by the new key.
4. Was Key_Update_ok received? Yes: finish. No: restore the old key.
Authentication Agent:
1. Receive Key_Update and generate a new key.
2. Send the new key, encrypted by the old key, to the Supplicant.
3. Receive Key_Updated. Is it decrypted right? Yes: send Key_Update_ok to the Supplicant. No: restore the old key.
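The key update flowchart above as a runnable exchange, added here and not the thesis's code; the cipher (an HMAC-SHA256 keystream with an HMAC tag), Node, GROUP_K and key_update are assumptions, since the slides name no concrete primitives:

```python
"""Periodic session-key update between a Supplicant and its Authentication
Agent (AA), following the flowchart above. Added example, not the thesis's
code: encrypt/decrypt are an assumed HMAC-SHA256 keystream with an HMAC tag
(a bad tag is "not decrypted right"); Node, GROUP_K, key_update are constructed."""
import hashlib, hmac, os

GROUP_K = hashlib.sha256(b"groupK-demo").digest()   # constructed default key

def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, msg):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def decrypt(key, blob):
    """Plaintext, or None when the tag fails (not made with this key)."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

class Node:
    def __init__(self, key):
        self.key, self.old = key, None

def key_update(sup, aa, lose_ok=False):
    """One update round; True when both sides end on the same key.
    lose_ok=True drops the final Key_Update_ok to exercise the restore path."""
    aa.old, aa.key = aa.key, os.urandom(32)        # Key_Update received: new key generated
    new_key_msg = encrypt(aa.old, aa.key)          # new key encrypted by the old key
    got = decrypt(sup.key, new_key_msg)
    if got is None:            # Supplicant cannot read it and never sends Key_Updated;
        aa.key = aa.old        # AA restores the old key
        return sup.key == aa.key
    sup.old, sup.key = sup.key, got
    updated = encrypt(sup.key, b"Key_Updated")     # Key_Updated encrypted by the new key
    if decrypt(aa.key, updated) == b"Key_Updated": # "Is decrypted right?" yes
        ok = encrypt(aa.key, b"Key_Update_ok")
    else:                                          # no: AA restores the old key
        aa.key, ok = aa.old, None
    if lose_ok or ok is None or decrypt(sup.key, ok) != b"Key_Update_ok":
        sup.key = sup.old                          # no Key_Update_ok: restore the old key
    return sup.key == aa.key
```

With lose_ok=True the round returns False: the AA has already committed to the new key while the Supplicant has restored the old one, so a deployment of this flowchart needs the AA to keep the old key usable until it sees traffic under the new one.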
Self-Configuration (1/2)
- Self-Healing: detect that the authentication agent has failed; start the Self-Organization process.
[Figure: tree of nodes a to j across panels (a) to (d), showing the healing steps.]
Self-Configuration (2/2)
- Self-reconfiguration
[Figure: tree of nodes a to p across panels (a) to (d), showing the reconfiguration steps.]
Outline
- Introduction
- Background
- Design a Secure WMN
- Security Analysis
- Conclusion
Security Issues
- Message encryption: data and control messages
- Locality of security
- Trust model
- Session key exchange first
- Periodic session key exchange
Attacks and Defenses
- Man-in-the-middle (MIM)
- Forged AP
- Session hijack
- Route swindle
- Denial of Service (DoS)
MIM & Forged AP
- Man-in-the-middle (MIM): use the session key to create a secure channel; periodic session key exchange.
- Forged AP: periodic session key exchange.
Session Hijack
Defense: session key exchange first.
Message sequence between Supplicant, Authenticator and Attacker:
1. Authentication
2. Association
3. EAP req
4. EAP res
5. Req_auth(auth_info)
6. Resp_auth
7. Resp_success
8. Disassociation
9. Transmission
Route Swindle
- Use a signature to prove a node's legitimacy.
[Figure: tree of nodes a to h, panels (a) and (b).]
Denial of Service
- Attack: exploits limited CPU and memory by continually sending streams of association and disassociation packets.
- Solutions: there is no solution that fully solves this problem; the self-healing procedure.
WMN Security Comparisons
Conclusion
- A tree-based secure architecture was proposed.
- The WMN's basic functions were defined.
- The WMN's security problems were analysed and compared with other security issues.
Future Work
- Consider more possible attacks.
- Mobile mesh networks.
- Other applications: sensor networks; ad hoc networks.
The End, Thank You