Authentication and handoff protocols for wireless mesh networks
By Naif Alamri, nalamri@uccs.edu
Outline
- Background
- WMN architecture
- WMN components
- Threats against wireless networks
- Current solutions
- Related work
- Future work
5/1/2015
Background
- Mesh topology
- IEEE 802.11s (2003 – 2011)
- Multi-hop and multi-radio connections
- Features: self-organization, self-configuration, self-healing
- Advantages: cost effective, scalable, fault tolerant, increased range
- Applications:
  - Last-mile broadband access for homes
  - Backbone for enterprise networks
  - Extending the range of other networks such as WiMAX
  - On-the-fly command centers for emergency response teams, military, etc.
WMN Architectures
Three WMN architectures:
- Infrastructure WMN
  - Dedicated mesh routers connected via mesh links
  - Connect to the Internet using gateways
  - Integrate with wired and wireless networks (bridging or gateway)
- Client WMN
  - No dedicated mesh routers
  - Clients perform routing, configuration, and maintenance
- Hybrid WMN
  - Combines features of infrastructure and client WMNs
  - From the client WMN: high throughput, multiple paths
  - From the infrastructure WMN: integration with other radio technologies, reduced power consumption
WMN Architectures (figure: Infrastructure WMN and Hybrid WMN diagrams)
WMN Components
- Mesh router:
  - Dedicated mesh routers connected via mesh links
  - Connect to the Internet using gateways
  - Integrate with wired and wireless networks (bridging or gateway)
  - Can improve the capacity of the network by using multi-channel single-radio (MCSR) or multi-channel multi-radio (MCMR)
- Mesh client:
  - Highly mobile, power constrained
  - Mostly single radio
- Mesh gateway:
  - Connects to the Internet
  - Interoperability between WMNs and other wired and wireless networks
Wi-Fi Protected Access (WPA)
- Part of IEEE 802.11i; superseded WEP
- WPA: TKIP + RC4 or AES
  - Shared Temporal Key (TK) = 128 bit
  - Initialization Vector (IV) = 48 bit
  - Per Packet Key (PPK) generated using TK
  - Message Integrity Code (MIC) = 64 bit
  - Integrity Check Value (ICV) = 32 bit, to detect errors in data and MIC
- WPA2: AES with the Counter Mode with CBC-MAC Protocol (CCMP)
802.11i
- Introduced in 2004
- Enhanced security at the MAC layer
- Also known as Robust Security Network (RSN)
- Advantages: data protection, mutual authentication, key management
- Confidentiality using AES + CCMP
802.1X
- Port-based access control
- Three elements: Supplicant, Authenticator, Authentication Server
- Port types: Controlled, Uncontrolled
Extensible Authentication Protocol (EAP)
- Transport protocol used by 802.1X
- Flexible framework
- Different authentication methods: passwords, certificates, Kerberos, smart cards
- EAP-LEAP: Lightweight EAP by Cisco
  - Mutual authentication, dynamic session keys
  - User credentials (user name and password) checked by RADIUS
  - Weaknesses: username sent in cleartext, challenge is encrypted using DES
EAP authentication methods
- EAP-PEAP: Protected EAP, developed by Cisco, Microsoft, and RSA
  - Secure link between client and AS using a TLS tunnel or MS-CHAPv2
  - Requires PKI certificates on the server side
- EAP-TLS:
  - Secure link between client and AS
  - Mutual authentication using X.509 certificates on both sides
  - Requires a PKI
  - Defined in RFC 2716
EAP authentication methods
- EAP-TTLS: Developed by Funk Software and Meetinghouse
  - Mutual authentication using X.509 certificates only on the server side
  - Once the TLS tunnel is established, the client can be securely authenticated using a username/password combination, MS-CHAPv2, etc.
  - No client PKI; only the server must provide a certificate for authentication
- EAP-MD5:
  - Client and AS share a password
  - AS sends a challenge to the client; the client creates a hash using MD5 over the password and challenge
  - No mutual authentication, no key generation
  - Subject to some attacks such as brute force
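To make the EAP-MD5 bullets concrete, here is an added example (not code from the slides) that computes the MD5-Challenge response as RFC 3748 section 5.4 defines it (the CHAP construction of RFC 1994: MD5 over the one-octet EAP Identifier, the shared secret, and the challenge) and simulates one Request/Response round between a client and the AS. The shared password and the identifier value are constructed for the demo. The returned record makes the two slide points visible: the AS can accept or reject the client, but the client checks nothing about the AS, and no key material comes out of the method, so there is nothing to feed an 802.11i key hierarchy.

```python
import hashlib
import hmac
import os

# Constructed demo credential (not from the slides): the password that
# the client and the authentication server (AS) share.
SHARED_PASSWORD = b"correct horse battery staple"


def md5_challenge_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """EAP MD5-Challenge (RFC 3748 s5.4, CHAP per RFC 1994):
    Response-Value = MD5(Identifier octet || secret || Challenge-Value)."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("the EAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def as_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """AS side: recompute the expected value and compare in constant time."""
    expected = md5_challenge_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def run_exchange(client_secret: bytes, as_secret: bytes, identifier: int = 0x2A) -> dict:
    """Simulate one EAP-Request/MD5-Challenge round and record what each side ends
    up with. Note the empty key material and the absence of any check on the AS."""
    challenge = os.urandom(16)                                               # AS -> client
    response = md5_challenge_response(identifier, client_secret, challenge)  # client -> AS
    accepted = as_verify(identifier, as_secret, challenge, response)         # AS -> Success/Failure
    return {
        "as_accepts_client": accepted,
        "client_verified_as": False,   # the client answered a challenge; it verified nothing
        "exported_key": None,          # EAP-MD5 exports no MSK, so 802.11i has no PMK to use
    }


if __name__ == "__main__":
    print(run_exchange(SHARED_PASSWORD, SHARED_PASSWORD))
    print(run_exchange(SHARED_PASSWORD, b"some other password"))
```

Because the client's only input is a fresh challenge, any party that can send an EAP-Request can obtain a response, which is why the method gives no mutual authentication; and because nothing secret is derived beyond the password itself, methods such as EAP-TLS or EAP-TTLS that export an MSK are the ones that fit the 802.11i hierarchy described later.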
Security in WMN
- No fast handoff, no secure routing!!
- Relies on 802.11i for authentication, key management, data confidentiality and integrity
- Extends the Robust Security Network Association (RSNA) with a Mesh Security Association (MSA)
- Two key holders: Mesh Authenticator (MA), Mesh Key Distributor (MKD)
- 802.11s provides a secure association between MA and MKD
- Key hierarchy:
  - Secure link for initial authentication
  - Key generation and distribution
WMN key hierarchy
- Phase 1: Secure links
  - Supplicant and MKD establish the key hierarchy
  - Mutually generate PMK-MKD using a Pre-Shared Key (PSK) or the Master Session Key (MSK)
  - Mutually generate PMK-MA; deliver it to the MA using the MSA
- Phase 2: Key generation and distribution
  - Pairwise Transient Key (PTK) derived using PMK-MA
  - Group Transient Key (GTK) derived using PMK-MA
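The two key-hierarchy slides (Security in WMN, WMN key hierarchy) describe the chain MSK/PSK -> PMK-MKD -> PMK-MA -> PTK without showing the derivations, so here is an added example that walks a client through both phases against one MA. It is not code from the slides or from the 802.11s standard text. The PRF, the PTK expansion with its "Pairwise key expansion" label and min/max ordering of addresses and nonces, the KCK/KEK/TK split, the "Group key expansion" GTK derivation and the truncated HMAC-SHA1 EAPOL-Key MIC follow IEEE 802.11i. The two labels used for the PMK-MKD and PMK-MA steps, the mesh ID, MKD ID and MAC addresses, the MSK value and the EAPOL message body are constructed placeholders marked as such in the code; the GTK here is derived from a group master key the MA holds, as in 802.11i, rather than from PMK-MA.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...,
    concatenated and truncated to nbits."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


# Phase 1 (secure links). The two labels below are ASSUMED placeholders standing in for
# the 802.11s MKD/MA key-derivation strings; the input structure (master key, mesh ID,
# key-holder ID, supplicant address) is what matters for the hierarchy.
def derive_pmk_mkd(master_key: bytes, mesh_id: bytes, mkd_id: bytes, spa: bytes) -> bytes:
    """Top-level key shared by the supplicant and the MKD, from the PSK or the EAP MSK."""
    return prf(master_key, b"MKD Key Derivation (assumed label)", mesh_id + mkd_id + spa, 256)


def derive_pmk_ma(pmk_mkd: bytes, ma_id: bytes, spa: bytes) -> bytes:
    """Per-MA key; the MKD delivers it to that MA only, over the MKD-MA secure link."""
    return prf(pmk_mkd, b"MA Key Derivation (assumed label)", ma_id + spa, 256)


# Phase 2 (key generation and distribution), using the 802.11i expansions.
def derive_ptk(pmk_ma: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK-MA, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))
    split into KCK (handshake MIC key), KEK (key-wrap key) and TK (CCMP data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk_ma, b"Pairwise key expansion", data, 384)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def derive_gtk(gmk: bytes, aa: bytes, gnonce: bytes) -> bytes:
    """GTK = PRF-128(GMK, "Group key expansion", AA || GNonce): the CCMP group key."""
    return prf(gmk, b"Group key expansion", aa + gnonce, 128)


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for the 4-way handshake: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def run_association(msk: bytes, mesh_id: bytes, mkd_id: bytes,
                    ma_mac: bytes, client_mac: bytes) -> dict:
    """Walk one client through both phases against one MA and report what each side got."""
    # Phase 1: supplicant and MKD independently compute PMK-MKD, then PMK-MA for this MA.
    pmk_mkd_client = derive_pmk_mkd(msk, mesh_id, mkd_id, client_mac)
    pmk_mkd_at_mkd = derive_pmk_mkd(msk, mesh_id, mkd_id, client_mac)
    pmk_ma_client = derive_pmk_ma(pmk_mkd_client, ma_mac, client_mac)
    pmk_ma_at_ma = derive_pmk_ma(pmk_mkd_at_mkd, ma_mac, client_mac)  # delivered MKD -> MA
    # Phase 2: nonces travel in the clear; both sides derive the PTK; the supplicant's
    # MIC on message 2 proves possession of PMK-MA without ever transmitting it.
    anonce, snonce = os.urandom(32), os.urandom(32)
    ptk_client = derive_ptk(pmk_ma_client, ma_mac, client_mac, anonce, snonce)
    ptk_ma = derive_ptk(pmk_ma_at_ma, ma_mac, client_mac, anonce, snonce)
    msg2 = b"EAPOL-Key message 2 (constructed body)" + snonce
    mic = eapol_key_mic(ptk_client["KCK"], msg2)
    mic_ok = hmac.compare_digest(mic, eapol_key_mic(ptk_ma["KCK"], msg2))
    gtk = derive_gtk(os.urandom(32), ma_mac, os.urandom(32))  # MA's own group key
    return {
        "mic_ok": mic_ok,
        "tk_agreed": hmac.compare_digest(ptk_client["TK"], ptk_ma["TK"]),
        "gtk": gtk,
        "pmk_ma": pmk_ma_at_ma,
    }


if __name__ == "__main__":
    # Constructed demo identities (not from the slides).
    result = run_association(b"\x07" * 64, b"campus-mesh", b"\x01" * 6, b"\xaa" * 6, b"\xbb" * 6)
    print({k: (v if isinstance(v, bool) else v.hex()) for k, v in result.items()})
```

Two properties worth noticing when reading the code: the PTK derivation is symmetric in the addresses and nonces, so the MA and the supplicant reach the same keys regardless of which side fills which slot; and PMK-MA is bound to the MA identifier, so a client visiting another MA gets a different PMK-MA from the same PMK-MKD, which is the property the handoff schemes in the related work build on.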
WMN Authentication and key generation (figure: authentication and key-generation message flow)
Related Work
- "PAPAR: Pairing Based Authentication Protocol with Anonymous Roaming for Wireless Mesh Networks" by Sultan et al.
  - AS generates a roaming key for each Mesh Access Point (MAP)
  - Roaming clients can be authenticated using the roaming key of the old MAP
  - AS generates a secondary key and a pseudo ID for each mesh client
  - Provides anonymity and unlinkability
- "An efficient authenticated key establishment scheme for wireless mesh networks" by He et al.
  - A distributed authenticated key establishment scheme (AKES) for federated WMNs
  - AS distributes some information to MAPs and clients
  - Information + IDs are used to establish secure connections
Related Work
- "Ticket-based handoff authentication for wireless mesh networks" by Xu et al.
  - For handoff only, not initial authentication
  - AS generates tickets using a master key shared with MAPs
  - Ticket used to generate the session key
  - No privacy, no unlinkability
- "Efficient authentication for fast handover in wireless mesh networks" by Li et al.
  - AS generates multiple tickets for each client
  - One-hop mutual authentication between MAP and client
  - MAPs broadcast tickets to neighbors to minimize delay and traffic overhead
  - AS doesn't participate in handoff
  - Privacy via pseudo IDs
Future Work
Design principles for a new authentication protocol:
- Two-factor authentication
- Flexibility
- Mutual authentication
- Seamless roaming
- Anonymity
- Unlinkability
- Traffic management
- Resilience against attacks
- Power efficiency
Questions & Feedback