Secured network formation for self-organized personal area network

Transcription

1 Secured network formation for self-organized personal area network Leping Huang, 2, Kaoru Sezaki, Hongyuan Chen 2, T.V.L.N Sivakumar 2, Yoshikatsu Nakagawa 2 Institute of Industrial Science, University of Tokyo, 4-6- Komaba, Meguro-ku, Tokyo, Japan 2 Nokia Research Center Tokyo, Nagata-cho, Chiyoda-ku, Tokyo, , Japan {Leping.Huang, HongYuan.Chen, T.Sivakumar, Yoshikatsu.Nakagawa}@nokia.com sezaki@iis.u-tokyo.ac.jp Abstract Network formation is one of the indispensable steps for personal area networks (PAN) that use radio technologies such as Bluetooth, ZigBee and WiMedia. Existing network formation algorithm assumes that nodes trust and cooperate with each other in exchanging neighbor information and establishing physical link. This assumption may no be true when there is some malicious node in the radio coverage of the network. It is easy for a malicious node to block or disturb the network formation process by either passively dropping information request from other nodes or actively providing incorrect neighbor information. To protect the system from such attack, we propose a solution that includes a secured network formation algorithm, and a decentralized authentication service. The authentication service is based on the webof-trust concept, where link can be established only when two nodes find a path between each other on the web of trust. Secured network formation algorithm is proposed to prevent the attack from compromised inner node. One enhancement to the authentication service to guarantee the connectivity of formed network is also discussed. By using such service, our network formation proposal restricts the formation process within nodes that can be mutually authenticated. This prevents the attack from malicious nodes and guarantees the success ratio of forming a fully connected network. I. INTRODUCTION The recent history of the Internet and of cellular networks has shown that if security of a given network architecture is not properly designed from the very beginning, then the security breaches will be exploited by malicious user. Moreover, introducing or reinforcing security mechanism later can be a painful and expensive process. Security in mobile ad hoc network is particularly difficult to achieveâ notably because of its vulnerability of channels, vulnerability of nodes, absence of infrastructure, dynamic changing topology. The threat to the ad hoc network can be mainly classified into two categories. The first one is the attack on the basic mechanisms of the ad hoc network, such as routing. Prevention of these attacks requires security mechanisms that are often based on cryptographic algorithm. The second one is the attack on the security mechanisms and notably on the key management mechanisms. The research on basic mechanisms focuses on routing protocol because most of current research [][] on ad hoc security assumes a connection-less broadcast-based MAC layer like However, network formation, one critical function for connection-oriented network, is ignored by most of the researchers. In connection-oriented network such as Bluetooth, network formation is one of the indispensable steps before multiple-hop communication. Network formation process coordinates spontaneous nodes to form point-topoint physical links cooperatively. Existing network formation algorithm assumes that nodes trust and cooperate with each other in exchanging neighbor information and establishing physical link. This assumption may no be true when there is some malicious node in the radio coverage of the network. It is easy for a malicious node to block or disturb the network formation process by either passively dropping information request from other nodes or actively providing incorrect neighbor information. This may result in the failure of forming a fully connected network, or a formed network whose network topology is easy to be attacked by malicious user. According to our knowledge, it is the first paper to discuss the security problem in network formation. The rest of the paper is organized as follows. In section 2, we discuss the background information about Bluetooth, its security mechanism, and the state of art of distributed authentication service. Section 3 assesses the Bluetooth network formation process in the respect of network security. Based on the assessment, we propose a solution in section 4, which contains a distributed authentication service based on the concept of web-oftrust and a securely network formation protocol, which forms security-robust network protocol in the absence of authentication service. The connectivity problem when using authentication service is discussed and a simple solution is also presented in section 4. Finally, we conclude this paper in section 5. II. BACKGROUND A. Bluetooth Bluetooth is a promising wireless technology that enables portable devices to form short-range wireless ad hoc network. The basic unit of Bluetooth is piconet, which follows a master-slave TDD architecture between nodes, and can only connect nodes up to 8. So it is a natural requirement to develop technology that can connect multiple piconets to form a large-scale network called scatternet. Scatternet is defined as a group of piconets in which connections exist between different piconets. The node that connects multiple piconets is called PMP (Participant in multiple piconets) in Bluetooth specification. Issues such as how to form a multi-hop

2 network (which is called Network Formation), and how to route packet within scatternet (which is called PAN routing) is still under discussion at Bluetooth SIG. Network formation is not a simple issue, notably because of the connectivity constraint in master and PMP node, network performance, difficulty in collecting neighboring information etc. One major difference between Bluetooth and 802. family radios is that Bluetooth network is connection-oriented, which means any two nodes can not communicate or overhear with each other before establishing a physical link. The Bluetooth specification includes security features at both link level and application level. It supports authentication (unidirectional or mutual) and encryption. These features are based on a secret link key that is shared by a pair of devices. To generate this key a pairing procedure is used when the two devices communicate for the first time. Three security modules are specified in [4]. First, security mode (non-secure): A device will not initiate any security procedure. Second, security mode 2 (service-level enforced security): A device does not initiate security procedures before channel establishment at L2CAP level. This mode allows different and flexible access policies for applications, especially running applications with different security requirements in parallel. Third, security modes 3 (link level enforced security): A device initiates security procedures before the link set-up at the LMP level is completed. Generally, security module 3 is more robust than other two modules. B. Distributed authentication service Authentication service plays a central role in the network security. Asymmetric key cryptography and public key infrastructure (PKI) is widely accepted as the standard authentication service in the Internet. However, it is infeasible to apply the PKI into ad hoc network directly, because the distributed and self-organized characteristics of ad hoc network. In security terms, the self-organized ad hoc network means that there is no centralized trusted third party, no central server, no secret sharing dealer etc. Generally, there are essentially two families of approaches for eliminating a centralized certification authority in a mobile ad hoc network. The first family is to emulate a conventional certification authority by distributing it on several nodes. For example, Zhou [] proposes a distributed authentication service based on the concept of (n, t+) secrete sharing, which allows n parties to share the ability to perform a cryptographic operation (e.g. creating a digital signature) so that t+ parties can perform this operation jointly where it is infeasible for at most t parties to do so, even by collusion. In their proposal, the functionality of trusted third party is distributed to several nodes within the network. It results a trustworthy aggregation by composing otherwise untrustworthy individual entities. The aggregation remains available and correct if some of its entities fail or become compromised. The second family is a totally distributed solution, where nodes authenticate each other by setting up an appropriate context. Most of those proposals are originated from the pretty good privacy (PGP) [3] and the web of trust concept. Web of trust is defined as the trust established based on the chain of certificate certificated by user based on their personal acquaintances. In PGP, each certificate contains several signatures from different users. The trust level of each certificate is calculated from the trust level of nodes that signed this certificate. This, as a result, becomes the trust level to the node that issued this certificate. In [2], the authors extend the PGP by changing the centralized key storage strategy to local certificate repository maintained by each user. When two users want to verify the public keys of each other, they merge their local certificate repositories and try to find appropriate certificate chains within the merged repository that make the verification possible. An example of the web-of-trust concept is given at Figure. U Figure : merging sub-graphs. When user u want to verify the public key of user v, u and v merge their local certificate repositories and v tries to find a certificate chain to u in the merged repositories. III. SECURITY ASSESSMENT OF CURRENT NETWORK FORMATION PROTOCOLS A. Analysis of network formation algorithm Network formation is a cooperative process, which requires the cooperation between all nodes that want to join the network. The process is not trivial, notably because of nodes connectivity constraint, asymmetric role of each node in the scatternet, and device discovery issue. We use Figure 2 to explain those constraints in detail. First, the connectivity constraint: each piconet can only serve nodes up to eight. Many simulation results [9] indicates that it is very inefficient for PMP node to access piconets above 2 simultaneously. So most of the formation algorithm restricts the number of piconet PMP can serve to two. Second, nodes assigned with different role have different forwarding capacity. Master controls the forwarding speed of links between its slaves and itself. The behavior of PMP node influences the throughput of all paths, which pass through this PMP node. Finally, the frequency hopping mechanism used in Bluetooth, cause long delay to find unsynchronized node nearby. Based on the analysis of current network formation process, we think most of the proposals are composed of at most four phases. The explanation of each phase is given below. V

3 Phase : device discovery. One node can be discovered only when it is in inquiry scan status, and receive an inquiry request message, which is sent by another node in inquiry status. The inquiry response message sent by the inquired node discloses its identity information. The objective of most proposals in this phase is to discover all nodes within its radio coverage. Some proposals [5] use symmetric discovery in this phase, where all nodes switch their status between inquiry and inquiry scan independently to discover each other. Other proposals [8] use method called asymmetric discovery, where each node first decide its role (inquiry or inquiry scan) based on a statistical test, then the node in inquiry status is responsible to discover node in inquiry scan mode. Besides, one proposal [9] shortens the formation time by extending the current inquiry reply message with the identity information of nodes that discovered by it. Another proposal [9] propagates the neighboring information to all nodes in the network to share a common network topology between nodes. Phase.5: leader selection: In a distributed system like Bluetooth, each node has even role and partial knowledge about the network. However, nodes involved in Bluetooth network has asymmetric role. Master of the piconet controls the behavior of piconet and its slaves, so it has heavier roles than its slave. The behavior of bridge node between piconets influences the performance of those piconets, so have heavier role than master node. To establish asymmetric relationship between nodes by a distributed manner, some algorithms use leader selection algorithm to select coordinator of scatternet [8] or master of piconet [7]. Elected leader is responsible for establishing the whole scatternet or piconet. Phase 2: piconet formation: Some algorithms form isolated cluster (or piconets) before forming a fully connected network. Piconet formation methods can be classified as distributed and centralized methods. In centralized formation methods, the role of master is decided through leader-selection phase or by topology calculation done at coordinator. In some distributed methods, node switches between page and page-scan mode randomly to compete for the role of master. Other methods decide the role of all nodes by some statistical function, and then do not change their role. Phase 3: scatternet formation: fully connected network is formed in this phase. Some algorithms use distributed approach to form a scatternet, and others use a centralized leader (or super master) to decide on the scatternet topology. 3 M 3 S SP 3 S 3 M MP 2 S 2 S 32 S 3 Master Slave PMP S 2 S 22 Figure 2: Example of scatternet B. Security assessment of network formation algorithm We analyze each phase of network formation process in respect of security. Phase : Device discovery: The objective of device discovery is to find neighbors that is within its radio coverage, or in other words, to establish a visibility graph. If all nodes are within same radio coverage of each other (conference scenario), there is no obvious security problem for both symmetric and asymmetric discovery algorithms because the discovery process between a pair of normal nodes does not depend on the information provided by others. The only exception we found is the extension of inquiry process by attaching discovered nodes identity information in inquiry reply message as discussed in [6]. Nodes that receive this extended inquiry reply message identify the neighbor id listed in the message as its own neighbor. Although this method shortens the time of device discovery, it may be abused by malicious node. Malicious node can tamper the neighbor information it sent in inquiry reply message to disturb the calculation of optimal network topology. In some centralized algorithms like BTCP [7], some node (e.g. network coordinator) requires not only the information of neighbors but also information of nodes out of its radio coverage when calculating the whole network topology. In such algorithm, malicious node can add fake node ID or remove exiting node id from the information in the messages to the network coordinator. Removal of existing node ID results that node to be isolated from the scatternet. Adding of fake node disturbs and blocks the formation process. Phase.5 Leader selection: Leader selection is used in some distributed algorithm. Generally, the selected leader (e.g. scatternet coordinator, master) has more responsibilities than normal nodes. It is less secure when the malicious node takes the responsibility of leader in the network. Malicious user can attack the system by providing incorrect information about itself in voting. By changing the voting right (weight), malicious node can become the coordinator of scatternet [6]. By changing the weight in comparison, malicious node can become the master of one piconet [7]. When a malicious node becomes the coordinator of a scatternet, it can 2 S 23

4 change the topology of network as its wish, which may greatly decrease the robustness and trustworthiness of the network. Phase 2 Piconet formation: In centralized piconet formation, malicious node can influence the leader selection process to become a more important node in the network as discussed in previous clue. If malicious node becomes the master of a piconet, it can refuse its responsibility like connecting its slaves, or refuse the normal signaling to super-master which may disturb the network formation process. This problem will not happen in distributed piconet formation algorithm, because all nodes compete with each other to become the scatternet leader. If one node refuses to take the responsibility of network formation, others will form the network instead. It means autonomous piconet formation is more robust to such DoS(Denial of Service) attack. However, distributed algorithm also has its own drawback. In algorithm like Bluenet [5], all nodes refuse new connection request after it has been connected by a node as slave. In such algorithm, anonymous piconet formation is not robust in respect of security because malicious node can block nodes from joining the scatternet by establishing link between it. Such attack is called as useless connection attack in the paper. Phase 3 Scatternet formation: Similar to the piconet formation, centralized formation algorithm is easy to be disturbed by DoS attack, while distributed scatternet formation is easy to be disturbed by useless connection attack. C. Summary of security attack Denial of service attack: This type of attack includes any non-cooperative behavior in network formation process. It includes denial of forming piconet, denial of providing neighboring information etc. Besides, abusing of timeout and confirmation signal mechanism can also be classified into this category. Topology attack: The basic topology of Bluetooth is starshaped piconet. Some algorithms like bluetree [8] and Min-te [9] forms tree-based Bluetooth network, which is thought to be low efficiency protocol. Tree topology is also not robust from security and reliability point of view. The failure of root node will break the communication of the whole network. If root node is compromised by malicious node, the compromised root node can monitor/intercept all communication within the network. Other algorithms like bluenet [5], clustering [0] does not analyze about the characteristics of their topology clearly. From graph theory point of view, it is better to increase the connectivity of graph(minimum number of path between any two sub graph of network) between piconets, which can improve the network reliability and security. If one malicious node is identified, the communication can be switched to an alternative path easily. In this sense, bluering [6], which form a ring between nodes, are robust than distributed clustering. Malicious node can provide incorrect information to influence the formed topology. Useless connection: Because each Bluetooth node can connects to only one node when it is slave and at most seven nodes when it is master. The recommended upper limit for bridge node is two. Malicious user can attack the system by utilizing such connection degree constraint. For example, nodes in Bluenet switch between page and page scan periodically. When a node is connected with others as slave, it will refuse connection from others. A malicious user can block the communication of that node with others by connecting to it. Incorrect information attack malicious node can make such attack by providing incorrect information in leader selection, visibility graph/neighbor discovery, and piconet master selection etc. IV. PROPOSED SECURED NETWORK FORMATION PROTOCOL Based on the analysis above, we notice that the cooperative nature of network formation process results in serious security problem. We propose a new formation protocol to alleviate and alleviate such security problem. In our proposal, we assume that each node has a partial list of the trusted nodes in the network initially. When a node begins network formation process, it only cooperates with nodes, which are listed in its trust list. After two trusted nodes establish a physical link, they exchange and merge their trust list, which increases the number of trusted nodes in the list of both nodes. The link establishment between trusted node and merge of trust list between two end nodes of newly established link is executed recursively. Although initially each node only contains small amount of trusted nodes in the network, the list increase along with the new link establishment. As a result, we assume that our proposal will not decrease the network connectivity, but blocks the malicious nodes from joining network formation process. Our proposal consists of two components. The first component is a distributed authentication service, which is proposed to prevent the intruder from jointing network formation process. The second component is a network formation protocol optimized in respect to security, which avoids some critical security problem like topology, mutual voting we mentioned in previous section. The second component is proposed to alleviate the attack launched by compromised internal nodes. We discuss the protocol in detail below. A. Authentication service The authentication service is designed as an extension to Bluetooth security mode 2(service level security). Within network formation process, all nodes should be configured in security mode 2. We illustrate the link establishment process with extended service level security in Figure 3. The major difference between original procedures is marked with gray color. The security DB is configured with the trusted node list deduced from trust graph. The trust graph is exchanged and updated whenever a new link is established. The method to

5 establish the distributed trust is generally based on Hubuax s proposal [3]. Figure 3: illustration of extended channel establishment process, the function block filled with gray color is from our own modification. Original graph: Vol.3 Part C section 5.2 Figure 5.2 of Bluetooth.2 draft 4 B. Security-robust formation protocol Based on the security assessment analysis done in previous section, we select the components for each of the four phases separately, and then compose a new network formation protocol. The detailed algorithm is listed below. Phase : symmetric device discovery: symmetric device discovery dos not have any security problem. Phase.5: mutual voting is done between trusted nodes. To prevent the selected coordinator to make a fake topology, the network connectivity graph (visibility graph) is also propagated to all masters in addition to the selected coordinator. All of those nodes run the same algorithm to calculate the optimal topology. The optimal topology calculated by each master will be compared with peer masters and the coordinator. If any node detects the mismatch between two topologies, the network formation process should be terminated/reviewed at that time. The formula to calculate the network topology is based on BTCP. Phase 2: Piconet formation: same as BTCP Phase 3: Scatternet formation: same as BTCP C. Mismatch problem and its solution Although the proposed authentication service enhances the security level in network, it may increase the network formation time and causes connectivity problem when the node distributes very sparsely. We define the connectivity problem as the increase of disjoint subnet. This problem is caused by the mismatch between the trust graph (each line in the graph indicates the direct trust relationship between node pair) and visibility graph (each line in the graph indicates one node within the radio coverage of another node). Figure 4 illustrates an example of this problem. When node 2 detects that node 4 is within its radio coverage, it cannot connect to node 4 because node 4 is listed in its trust list. However, we find that node 2 and 4 share the common neighbor node 6 in trust graph. As a result, it is possible to establish a link between node 2 and node 4 securely in the absence of node 6. But this cannot be realized by current authentication solution. When the node 6 is not in the network at the time of network formation, the link 2-4 cannot be established (connectivity problem). When the node 6 is within the network, but within neither node 2 or 4 s radio coverage, link 2-4 can not be established until the trust relationship between node 2 and 4 is propagated to either node 2 or 4 after merge of trust graph. This increases the network formation time. We propose following extension to solve this problem. Extension to authentication service: Inquiry request message is extended with the broadcast of trust list. When a node receives an inquiry request, it compares its own trust list with received list. If two node lists has some common neighboring trust node, the inquiring node is identified as potential securely connectable node by inquired node. Inquired node will utilize this information to try link establishment between inquiring nodes Line of Visibility graph Line of trust graph Figure 4: illustration of mismatch problem between visibility graph and trust graph V. CONCLUSION AND FUTURE WORK In this paper, we assessed the network formation protocol in respect of security. New network formation protocol with authentication service is proposed based on the security assessment. The connectivity problem caused by the mismatch of trust graph and radio visibility graph is also discussed in this paper. In the future, we will further

6 our research on solving the problem of mismatch between trust graph and radio coverage graph. VI. REFERENCE [] L. Zhou and Z. J. Haas, "Securing ad hoc networks," IEEE Network, vol. 3, pp , 999. [2] Hubaux, J., L. Buttyan, et al. (200). The Quest for Security in Mobile Ad Hoc Networks. Mobile Ad Hoc Networks Proceeding of the ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHOC). [3] P. Zimmermann. The official PGP User s Guide, MIT Press, 995 [4] Bluetooth SIG: Bluetooth Specification.2 draft 4, 2003 [5] Wang, Zhifang, Thomas, R.J. and Haas, Z., Bluenet- a New Scatternet Formation Scheme, Proc. 35th Hawaii Intern. Conf. on System Sciences, pp , [6] T. Salonidis, P. Bhagwat, L. Tassiulas, and R. Lamaire. Distributed topology construction of Bluetooth personal area networks. In Proceedings of INFOCOM'200. [7] Ting-Yu Lin, Yu-Chee Tseng, Formation, Routing, and Maintenance Protocols for the BlueRing Scatternet of Bluetooths, 36th Annual Hawaii International Conference on System Sciences (HICSS'03) [8] Gergely V. Zruba, Stefano Basagni and Imrich Chlamtac: Bluetrees -- Scatternet Formation to Enable Bluetooth-Based Ad Hoc Networks, IEEE, 200, ISBN [9] G.V. Zaruba, S. Basagni, I. Chlamtac, Bluetrees - scatternet formation to enable Bluetooth-based ad hoc networks", IEEE International Conference on Communications (ICC) 200, pp [0] M. Sun, C.K. Chang and T.H. Lai, "A Self-Routing Topology for Bluetooth Scatternets," Proc. I-SPAN 2002, pp. 3-8, Manila, Philippines, May [] L. B. a. J. P. Hubaux, "Report on a Working Session on Security in Wireless Ad Hoc Networks," Mobile Computing and Communications Review, VII. APPENDIX Phase Name Explanation Security problem Device discovery Symmetric Nodes switch between inquiry/inquiry scan not found Asymmetric each node decide its role by running some statistical test not found Not defined device discovery phase is omitted because it is done along with scatternet formation or as pre-knowledge not found symmetric/indirect enhancement of symmetric method by aggregating enhancement neighboring info collected by neighbor as its own Tampering the topology of whole network is sent to one node through network-wide discovery some intermediate nodes Tampering, DoS leader selection Manual Leader is defined manually. mutual voting leader is selected through voting between each other change votes comparison betweensuper master is selected from master of formed piconet based master on some criteria change value of criteria Piconet formation Distributed-symmetric distributed-asymmetric node switch between page and page-scan, each node compete for master useless connection node decided its role by statistical function, and do not change its role useless connection Centralized the role of master is decided by leader-selection or topology calculation done in coordinator DoS the topology betweens clusters (piconets) is decided bytopology attack, DoS, Scatternet formation Centralized electing super master wrong info Distributed each piconet try to connects to several neighboring piconet topology attack, wrong info Topology Tree hierarchical tree point of failure scatternet is formed through connection between piconet, mesh(something of star) which results in not found