Ch 6. Security in WMNs Myungchul Kim


1 Ch 6. Security in WMNs Myungchul Kim mckim@icu.ac.kr

2 Security technology overview
–Generic security services

3 Security technology overview
–IEEE 802.11i (Wi-Fi Protected Access: WPA, WPA2)
A shared key or AAA server
AAA server
–Extensible authentication protocol (EAP)
–EAP: EAPOL between MS and AP and RADIUS between AP and AAA server
–Master session key (MSK)

4 Security technology overview
–IEEE 802.11i (Wi-Fi Protected Access: WPA, WPA2)

5 Security technology overview
–IPsec and virtual private networks
–Transport layer security protocol (TLS)
–Secure socket layer (SSL)
–S/MIME or PGP

6 Mesh usage scenarios
–Mesh node (MN), user node (UN), mesh user node (MUN)
–Ad hoc mesh networks: managed or open networks

7 Mesh usage scenarios
–Factors distinguishing the usage scenarios

8 Mesh usage scenarios
Single administrative domain
–Keep the outsiders out
–Shared key or node certificate
Network infrastructure extension
–The mesh network is used by end users to access the infrastructure network
–Security of infrastructure network access by end users and security within the mesh extension itself
Mesh federation
–The MNs forming a mesh network belong to different administrative domains (operators)
Community mesh
–Nodes not knowing or even trusting each other

9 Mesh security issues
–Ad hoc networks vs WMNs
Security challenges
–Multihop wireless communications
–Nodes are not physically protected
–Use of wireless links
–Dynamic: topology and membership
–The same security solution may not work for both mesh routers and mesh clients
Overview of potential attacks to WMNs
–External attacks vs internal attacks
–Passive and active attacks
–Protocol layers

10 Mesh security issues
–Attack types for MANET
Impersonation
Sinkhole attack
–Behaving as the “logical” next hop for forwarding packets and dropping them
Wormhole attack
–Uses a malicious path through legitimate means
Selfish and greedy behavior attack
–Increase own share of the common transmission resource
Sybil attack
–A malicious node assumes the identity of several nodes
–Geographic routing protocols?
Sleep deprivation
–Request services from a certain node over and over again
DoS and flooding

11 Mesh security issues
Authentication
–Hard in WMN because of the open nature of wireless comm.
–Approaches
PSK authentication
Certificate authentication
–How to enable authentication across different domains? Authentication of roaming UNs? Authentication of MNs?
–Examples
Wireless Dual Authentication Protocol (WDAP)
Secure Unicast Messaging Protocol (SUMP)

12 Mesh security issues
Secure MAC layer
–IEEE 802.11: nodes that are heavily loaded tend to capture the channel by continually transmitting data, thereby causing lightly loaded neighbors to back off again and again -> unfairness
–Attacks
Flooding attack
Jamming attack by jamming the RTS signal
Sleep deprivation attack
Packet dropping attack
–Countermeasures to selfish misbehavior
Catch: makes the cooperative neighbors of a selfish node disconnect it from the rest of the network.

13 Mesh security issues
–Countermeasures to greedy misbehavior
The receiver can detect any misbehavior of the sender and penalize it by increasing the back-off value.
DOMINO
–Countermeasures to MAC-layer DoS attacks
Single adversary attack and two colluding adversaries
Ways
–Fair MAC protocol
–Protecting traffic flow
–Distance adjustment

14 Mesh security issues
Secure routing
–Threats for ad hoc mesh routing functionality
Eavesdropping
Sinkhole, wormhole
Routing table overflow: attempts to create routes to nonexistent nodes
Rushing attack: An attacker forwards RREQs more quickly than legitimate nodes can do so. Thus, …
Sleep deprivation
Location disclosure

15 Mesh security issues
Secure routing
–A secure ad hoc mesh routing protocol should fulfill:
Certain discovery
Isolation: immune to malicious nodes
Lightweight computation
Location privacy
Self-stabilization
Byzantine robustness: a stricter version of the self-stabilization property

16 Mesh security issues
–Cryptography-based solutions
Authenticated routing for ad hoc networks (ARAN): utilizes cryptographic certificates to achieve authentication and nonrepudiation
Secure routing protocol (SRP): a shared key
Secure efficient ad hoc distance vector (SEAD): DSDV, hash chains to authenticate hop counts and sequence numbers
Secure ad hoc on-demand distance vector routing (SAODV): AODV, digital signatures and hash chains
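The SEAD idea on this slide, authenticating a hop count with a one-way hash chain, as an added example that is not from the slides or the SEAD paper. It is a simplified model: one chain per sequence number, SHA-256 as the one-way function, and an assumed maximum metric MAX_HOPS; the chain anchor (last element) is taken to be distributed authentically, e.g. inside a signed or certificate-backed message as in ARAN/SAODV. A forwarder can only hash forward (increase the metric); claiming a smaller hop count would require inverting the hash.

```python
import hashlib

MAX_HOPS = 8  # assumed maximum metric m; the chain has MAX_HOPS + 1 elements


def h(x: bytes) -> bytes:
    """One-way function H used to build and verify the chain (SHA-256 assumed)."""
    return hashlib.sha256(x).digest()


def build_chain(seed: bytes, max_hops: int = MAX_HOPS) -> list:
    """Return [h0, h1, ..., h_m] with h_{i+1} = H(h_i); h_m is the public anchor."""
    chain = [seed]
    for _ in range(max_hops):
        chain.append(h(chain[-1]))
    return chain


def make_update(chain: list, hop_count: int) -> dict:
    """Originator attaches the chain element matching its advertised hop count."""
    return {"hop_count": hop_count, "auth": chain[hop_count]}


def forward(update: dict) -> dict:
    """Honest forwarder: metric + 1, and hash the element once (no secret needed)."""
    return {"hop_count": update["hop_count"] + 1, "auth": h(update["auth"])}


def verify(update: dict, anchor: bytes, max_hops: int = MAX_HOPS) -> bool:
    """Hash forward (m - hop_count) times; the result must equal the trusted anchor."""
    c = update["hop_count"]
    if not 0 <= c <= max_hops:
        return False
    v = update["auth"]
    for _ in range(max_hops - c):
        v = h(v)
    return v == anchor


def demo() -> dict:
    """Constructed scenario: honest origin, one honest hop, one understated metric."""
    chain = build_chain(b"constructed-seed-for-seq-42")  # constructed, not a real key
    anchor = chain[-1]
    origin = make_update(chain, 0)
    one_hop = forward(origin)
    # A node re-advertising the hop-1 element while claiming hop 0 must be rejected.
    understated = {"hop_count": 0, "auth": one_hop["auth"]}
    return {
        "origin_ok": verify(origin, anchor),
        "one_hop_ok": verify(one_hop, anchor),
        "understated_rejected": not verify(understated, anchor),
        "out_of_range_rejected": not verify({"hop_count": 9, "auth": anchor}, anchor),
    }
```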

17 Mesh security issues
–Reputation-based solutions
The pathrater assesses the results of the watchdog and selects the most reliable path for packet delivery.
–Add-ons to existing protocols
Security-aware ad hoc routing utilizes a security metric for the route discovery and maintenance functions.
–Countermeasures to specific attacks
In best-effort fault tolerant routing, path redundancy is used to tolerate misbehavior by using disjoint routes.

18 Mesh security issues
Key management and communications security
–Key management: supports the establishment and maintenance of keying relationships between authorized parties.
–How to distribute initial keys?
–A suitable infrastructure can be used
A single stakeholder
A public-key infrastructure
Security master

19 Mesh security issues
Key management and communications security
–For routing traffic, options are
No security at all
Protect integrity of routing messages through a MAC
Protect integrity of routing messages through a digital signature in a hop-by-hop mode
Protect integrity of routing messages through a digital signature in an end-to-end mode
Confidentiality of routing messages
–For the protection of user data, options are
No security at all
Secure comm within a group that shares a secret group key
Secure end-to-end communication using public-key cryptography

20 Mesh security issues
Intrusion detection
–Use “training” data to determine characteristics of normal routing table updates and normal MAC layer behavior.

21 Concrete proposals
System proposals
–Tropos
802.1x/EAP-based authentication against an AAA server (RADIUS)
A secure IPsec-based VPN

22 Concrete proposals
Authentication protocols
–WDAP for IEEE 802.11 WMNs
–SUMP for sensor networks
–The overhead at the server side
–Wireless dual authentication protocol (WDAP)
Mitigation of the overhead of 802.11i
–The authentication is already completed when the UN arrives within the range of the next AP
–A key caching option allows the UN and the AP to remember the last used PMK
–Both the WS and the AP are assumed not to trust each other until the AS authenticates both of them.

23 Concrete proposals
Authentication protocols
–Wireless dual authentication protocol (WDAP)

24 Concrete proposals
Authentication protocols
–Wireless dual authentication protocol (WDAP)

25 Concrete proposals
Authentication protocols
–Wireless dual authentication protocol (WDAP)

