
Post on 31-Dec-2015


Secure Multi-Hop Infrastructure Access

presented by Reza Curtmola (joint work with B. Awerbuch, D. Holmer, C. Nita-Rotaru and H. Rubens)

600.647 – Advanced Topics in Wireless Networks

Wireless Infrastructure Access

• Few pure wireless peer-to-peer apps yet (primarily emergency deployments)

• Un-tethered infrastructure access has been the wireless killer app (countless variations)
  – Voice communication
  – Internet access
  – Local area network access
  – Data gathering sensor networks
  – Peripherals (headphones, mice, keyboards)

Single-Hop vs. Multi-Hop

Single-Hop

• Advantages
  – Well established
  – Lower complexity
• Issues
  – Limited coverage
    • Range
    • Quality (gaps)

Multi-Hop

• Advantages
  – Increased coverage
  – Enhanced performance
  – Reduced deployment cost
  – Overall flexibility
• Challenges
  – Routing protocol
  – Mobility
  – Scalability

Infrastructure Access Security

• Single-Hop
  – Many years to develop current state of the art
    • 1997 – WEP
    • 2003 – WPA
    • 2004 – 802.11i / WPA2
  – Still outstanding issues? (see NDSS 2004 paper)

• Multi-Hop
  – Introduces a set of additional security concerns
  – Existing work focuses only on the security of the ad hoc scenario

Network Model

[Figure: network diagram with legend entries Gateway, Authorized Node, Adversary, Revoked Node]

Protocol Design Goals

• Security comparable to single-hop state of the art protocols
• Additional protection against multi-hop routing attacks
  – Black Hole
  – Flood Rushing
  – Wormhole
• Efficient protocol operation
  – Symmetric cryptography
  – Scalable user management

Adversarial Model

• Access Point
  – is trusted
  – able to establish trust relationships with authorized nodes
• Authenticated nodes are trusted to perform the protocol correctly
• Adversaries are unauthenticated nodes
  – Perform arbitrary attacks (e.g. drop, inject or modify packets)
  – May collude to perform stronger attacks (e.g. tunnel packets)

Our Solution

• Take an existing solution: Pulse protocol [Infocom ’04, Milcom ’04, WONS ’05]
  – Multi-hop routing protocol
  – Optimized for many-to-one communication pattern
  – High scalability
    • Mobility
    • Number of nodes
    • Number of flows

• Build security mechanisms into it

Pulse Protocol Example

Pro-active Spanning Tree

Node Wishes to Communicate

Sends Packet to Gateway

Cryptographic Protection

• Participating nodes share a network wide symmetric key NSK
  – Used to secure the routing service
  – Established and maintained using a broadcast encryption scheme (BES)

• Source and destination use per flow unicast key (UK) to protect data payload

[Figure: packet layout with the fields "routing headers", "seq number", "data payload" and "HMAC_NSK"; the labels E_NSK and E_UK mark the encrypted portions]

Secure Reliability Metric

• Secure ACKs are required for each data packet traversing a link

• Protocol gathers history of ACK failures

• Link weights inversely proportional to reliability

• Strategy is similar to ODSBR [WiSe ’02]
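
How a reliability-based metric steers routes away from a link that stops acknowledging data, as an added example that is not part of the original slides or the Pulse implementation. The weight formula (inverse of a smoothed ACK ratio), the `LinkStats` and `best_path` names and the five-node topology are assumptions made for illustration.

```python
import heapq

class LinkStats:
    """Secure-ACK history for one link."""
    def __init__(self):
        self.sent = 0
        self.acked = 0

    def record(self, acked):
        self.sent += 1
        self.acked += int(acked)

    def weight(self):
        # Assumed formula (not from the slides): smoothed ACK ratio,
        # weight = 1 / reliability, so an untested link costs 1.0.
        reliability = (self.acked + 1) / (self.sent + 1)
        return 1.0 / reliability

def best_path(links, src, dst):
    """Dijkstra over undirected links {frozenset({a, b}): LinkStats}."""
    adj = {}
    for edge, stats in links.items():
        a, b = tuple(edge)
        adj.setdefault(a, []).append((b, stats.weight()))
        adj.setdefault(b, []).append((a, stats.weight()))
    heap, done = [(0.0, src, [src])], set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if node in done:
            continue
        done.add(node)
        for nxt, w in adj.get(node, []):
            if nxt not in done:
                heapq.heappush(heap, (cost + w, nxt, path + [nxt]))
    return float("inf"), []

def wormhole_demo(failures=3):
    # Constructed topology: honest chain S-A-B-C-G plus an apparent S-C
    # link that is really a tunnel between two colluding adversaries.
    edges = [("S", "A"), ("A", "B"), ("B", "C"), ("C", "G"), ("S", "C")]
    links = {frozenset(e): LinkStats() for e in edges}
    before = best_path(links, "S", "G")
    for _ in range(failures):  # data sent over the tunnel is never ACKed
        links[frozenset(("S", "C"))].record(acked=False)
    return before, best_path(links, "S", "G")

if __name__ == "__main__":
    print(wormhole_demo())
```

The tunnel link still exists after the failures; it is simply priced out of the shortest path, so the route falls back to the longer honest chain.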


Adversarial Avoidance Example

[Figure sequence (6 slides): network diagram rooted at the Gateway, annotated with numeric labels]

Wormhole Avoidance Example

[Figure sequence (5 slides): network diagram rooted at the Gateway, annotated with numeric labels]

Attack mitigation

• Injecting, modifying packets – use of NSK

• Replay attack – use of nonces

• Flood rushing – protocol relies on the metric, and not on timing information

• Black hole – unreliable links are avoided using metric

• Wormhole – creation is not prevented, but it is avoided using metric

Key Management

• Assumption: each node has a unique pre-established shared key PSK with the gateway
  – Manually entered as in WEP or WPA / WPA2 personal mode, or
  – Automatically generated by interaction with an authentication server as in 802.1x / EAP

• Goal: to efficiently manage the Network Shared Key (NSK)
  – Selected and maintained by the gateway
  – Add/revoke users
  – Periodically refreshed

Broadcast Encryption Scheme

• Center broadcasts a message

• Only a subset of privileged (non-revoked) users can decrypt it

• Our requirements:
  – Allows unbounded number of broadcasts
  – Any subset of users can be defined as privileged
  – A coalition of all revoked users cannot decrypt the broadcast

Subset Cover Framework

• CS or SD [Crypto ’01], LSD [Crypto ’02]
• The set of privileged users is represented as the union of s subsets of users
• A long-term key is associated with each subset
• A user knows a long-term key only if he belongs to the corresponding subset
• Center encrypts message s times under all the keys associated with subsets in the union
• LSD Properties
  – Each node stores O(log^(3/2)(n)) keys
  – O(r) message size
  – O(log(n)) computation at each node

Node Management

• Node addition
  – Using PSK, a node obtains from the gateway the current NSK and the set of secrets for the BES

• Node revocation / NSK refresh
  – Gateway generates a new NSK
  – Gateway broadcasts encrypted NSK such that only non-revoked nodes are able to decrypt it
  – Scalability advantage over Group Key management in 802.11i which is O(n)

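Complete Subtree

[Figure: binary tree with nodes numbered 1 (root), 2–3, 4–7 and 8–15 (leaves), with users U1–U8 at the leaves; the node labels 1, 3, 6 and 12, 2, 7 appear again as separate callouts]

• Broadcast: E_K2(KEK), E_K7(KEK), E_K12(KEK), E_KEK(NSK’)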
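
The Complete Subtree cover computation behind the broadcast above, as an added example that is not code from the slides or the authors' implementation. It assumes heap-style node numbering (root 1, children of v are 2v and 2v+1) and that user U(i+1) sits at leaf n+i; the function names are hypothetical. With leaf 13 revoked it yields the keys K2, K7 and K12 used in the slide's broadcast.

```python
def path_to_root(leaf):
    """Node ids whose long-term keys the user at `leaf` stores."""
    path = []
    while leaf >= 1:
        path.append(leaf)
        leaf //= 2
    return path

def cs_cover(num_users, revoked):
    """Nodes whose subtrees cover exactly the non-revoked leaves.

    num_users must be a power of two; leaves are num_users..2*num_users-1.
    """
    if not revoked:
        return [1]  # nobody revoked: the root key reaches everyone
    # Steiner tree: every node on a path from a revoked leaf to the root.
    steiner = set()
    for leaf in revoked:
        steiner.update(path_to_root(leaf))
    cover = []
    for v in steiner:
        if v >= num_users:
            continue  # leaves have no children
        for child in (2 * v, 2 * v + 1):
            # A subtree hanging off the Steiner tree has no revoked leaf.
            if child not in steiner:
                cover.append(child)
    return sorted(cover)

def receivers(num_users, revoked):
    """Leaves holding at least one cover key, i.e. able to unwrap KEK."""
    cover = set(cs_cover(num_users, revoked))
    return [leaf for leaf in range(num_users, 2 * num_users)
            if cover & set(path_to_root(leaf))]

if __name__ == "__main__":
    n = 8
    revoked = {13}  # leaf 13 is U6 under the assumed numbering
    print("cover:", cs_cover(n, revoked))
    print("can decrypt:", receivers(n, revoked))
```

The gateway encrypts KEK once per cover node and NSK’ once under KEK, so the broadcast grows with the number of cover subsets rather than with the number of users.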

Conclusion

• Protocol provides multi-hop infrastructure access

• Efficient, lightweight security
  – Entirely based on symmetric cryptography
  – Prevents a wide variety of attacks
  – Leverages infrastructure for trust establishment

Real World Implementation

• Completed Features
  – Linux Kernel Module with 2.4 and 2.6 compatibility
    • Operates at layer 2
    • Distributed virtual switch architecture provides seamless bridging
  – Pulse Protocol
    • Shortcuts and gratuitous reply
    • Instantaneous loop freedom
    • Fast parent switching (with loop freedom)
    • Medium Time Metric route selection metric (WONS 2004)
  – 50 Nodes deployed across JHU Campus
    • Tested with Internet Access, Ad hoc Access Points, Voice over IP
    • Mobility tested at automobile speeds

• In Progress
  – Security – (NDSS Workshop 2005)
    • Flood Rushing, Wormholes, Black holes, any NON-Byzantine attack
    • In kernel crypto implementation
  – Leader Election Algorithm
    • Fault tolerance, switches pulse source to most accessed destination
    • Handle merge and partition
  – Efficient Tree Flooding
    • Similar to expanding ring search but with no duplicates
