secure multi-hop infrastructure access presented by reza curtmola (joint work with b. awerbuch, d....
TRANSCRIPT
Secure Multi-Hop Infrastructure Access
presented by Reza Curtmola(joint work with B. Awerbuch, D. Holmer, C. Nita-Rotaru and H. Rubens)
600.647 – Advanced Topics in Wireless Networks
Wireless Infrastructure Access
• Few pure wireless peer to peer apps yet(primarily emergency deployments)
• Un-tethered infrastructure access has been the wireless killer app (countless variations)– Voice communication– Internet access– Local area network access– Data gathering sensor networks– Peripherals (headphones, mice, keyboards)
Single-Hop vs. Multi-Hop• Advantages
– Well established– Lower Complexity
• Issues– Limited coverage
• Range• Quality (gaps)
• Advantages– Increased Coverage– Enhanced performance– Reduced Deployment
Cost– Overall Flexibility
• Challenges– Routing protocol– Mobility– Scalability
Infrastructure Access Security
• Single-Hop– Many years to develop current state of the art
• 1997 – WEP• 2003 – WPA• 2004 – 802.11i / WPA2
– Still outstanding issues? (see NDSS 2004 paper)
• Multi-Hop– Introduces a set of additional security concerns– Existing work focuses only on the security of
the ad hoc scenario
Network Model
Gateway
Authorized Node
Adversary
Revoked Node
Protocol Design Goals• Security comparable to single-hop state of
the art protocols• Additional protection against multi-hop
routing attacks– Black Hole– Flood Rushing– Wormhole
• Efficient protocol operation– Symmetric cryptography– Scalable user management
Adversarial Model• Access Point
– is trusted– able to establish trust relationships with
authorized nodes
• Authenticated nodes are trusted to perform the protocol correctly
• Adversaries are unauthenticated nodes– Perform arbitrary attacks
(e.g. drop, inject or modify packets)– May collude to perform stronger attacks
(e.g. tunnel packets)
Our Solution
• Take an existing solution: Pulse protocol[Infocom ‘04, Milcom ‘04, WONS ‘05]– Multi-hop routing protocol– Optimized for many-to-one communication
pattern– High Scalability
• Mobility• Number of nodes• Number of flows
• Build security mechanisms into it
Pulse Protocol Example
Pro-active Spanning Tree
Node Wishes to Communicate
Sends Packet to Gateway
Cryptographic Protection
• Participating nodes share a network wide symmetric key NSK– Used to secure the routing service– Established and maintained using a broadcast
encryption scheme (BES)
• Source and destination use per flow unicast key (UK) to protect data payload
routingheaders
data payloadseq
numberHMACNSK
ENSK EUK
Secure Reliability Metric
• Secure ACKs are required for each data packet traversing a link
• Protocol gathers history of ACK failures
• Link weights inversely proportional to reliability
• Strategy is similar to ODSBR [WiSe ’02]
Network Model
Gateway
Authorized Node
Adversary
Revoked Node
Adversarial Avoidance Example
Gateway
112
2
1
1
222
2
3
2
3
33
2
Adversarial Avoidance Example
Gateway
112
2
1
1
222
2
3
2
3
33
2
Adversarial Avoidance Example
Gateway
112
2
1
1
222
2
3
2
3
33
21
Adversarial Avoidance Example
Gateway
112
2
1
1
222
2
3
2
3
33
21
Adversarial Avoidance Example
Gateway
112
2
1
1
222
2
3
2
33
21.1
3
Adversarial Avoidance Example
Gateway
112
2
1
1
222
2
3
2
3
33
21.1 1
Wormhole Avoidance Example
Gateway
112
2
1
1
222
2
3
2
33
2
3
Wormhole Avoidance Example
Gateway
112
2
1
1
222
2
3
2
21
2
3
1
Wormhole Avoidance Example
Gateway
112
2
1
1
222
2
3
2
21
2
3
1.1 …
Wormhole Avoidance Example
Gateway
112
2
1
1
222
2
3
2
21
2
3
3.1
Wormhole Avoidance Example
Gateway
112
2
1
1
222
2
3
2
33
2
3
3.1
Attack mitigation
• Injecting, modifying packets – use of NSK
• Replay attack – use of nonces
• Flood rushing – protocol relies on the metric, and not on timing information
• Black hole – unreliable links are avoided using metric
• Wormhole – creation is not prevented, but it is avoided using metric
Key Management• Assumption: each node has a unique
pre-established shared key PSK with the gateway
• Goal: to efficiently manage the Network Shared Key (NSK)– Selected and maintained by the gateway– Add/revoke users– Periodically refreshed
Manually entered as in WEP or WPA / WPA2 personal mode
Automatically generated by interaction with an authentication server as in 802.1x / EAP
or
Broadcast Encryption Scheme
• Center broadcasts a message
• Only a subset of privileged (non-revoked) users can decrypt it
• Our requirements:– Allows unbounded number of broadcasts– Any subset of users can be defined as
privileged– A coalition of all revoked users cannot decrypt
the broadcast
Subset Cover Framework• CS or SD [Crypto ’01], LSD [Crypto ’02]• The set of privileged users is represented as the
union of s subsets of users• A long-term key is associated with each subset• A user knows a long-term key only if he belongs
to the corresponding subset• Center encrypts message s times under all the
keys associated with subsets in the union• LSD Properties
– Each node stores O(log3/2(n)) keys– O(r) message size– O(log(n)) computation at each node
Node Management
• Node addition– Using PSK, a node obtains from the gateway
the current NSK and the set of secrets for the BES
• Node revocation / NSK refresh– Gateway generates a new NSK– Gateway broadcasts encrypted NSK such that
only non-revoked nodes are able to decrypt it– Scalability advantage over Group Key
management in 802.11i which is O(n)
1
3
6
Complete Subtree
1
32
7654
15141312111098
• Broadcast: EK2(KEK), EK7(KEK), EK12(KEK), EKEK(NSK’)
U1 U2 U3 U4 U5 U6 U7 U8
12
2
7
Conclusion
• Protocol provides multi-hop infrastructure access
• Efficient, lightweight security– Entirely based on symmetric cryptography– Prevents a wide variety of attacks– Leverages infrastructure for trust establishment
Real World Implementation• Completed Features
– Linux Kernel Module with 2.4 and 2.6 compatibility• Operates at layer 2• Distributed virtual switch architecture provides seamless bridging
– Pulse Protocol• Shortcuts and gratuitous reply• Instantaneous loop freedom• Fast parent switching (with loop freedom)• Medium Time Metric route selection metric (WONS 2004)
– 50 Nodes deployed across JHU Campus• Tested with Internet Access, Ad hoc Access Points, Voice over IP• Mobility tested at automobile speeds
• In Progress– Security – (NDSS Workshop 2005)
• Flood Rushing, Wormholes, Black holes, any NON-Byzantine attack• In kernel crypto implementation
– Leader Election Algorithm• Fault tolerance, switches pulse source to most accessed destination• Handle merge and partition
– Efficient Tree Flooding• Similar to expanding ring search but with no duplicates