Security in Ad-hoc Networks

Size: px

Start display at page:

Download "Security in Ad-hoc Networks"

Oliver Tyler
6 years ago
Views:

1 1(12) Security in Ad-hoc Networks Anne Vanhala University of Helsinki Department of Computing Science Research seminar on Security in Distributed Systems Abstract A short-range wireless channel has security problems that differ from those of more conventional networks. This paper presents first the general features of ad-hoc networks. Characteristic security issues in ad-hoc networks will be enlightened next. Finally, an example of a short-range wireless network will be presented. The Bluetooth standard is described shortly as well as the found weaknesses in its security. 1. Introduction Cell phones as a means of managing the life of people will increase their popularity. These phones promise to extend the possibilities of commerce that in connections with cell phones is called mobile commerce, or shortly m-commerce. Mobile commerce will make commerce platforms more important, because in that way electronic and mobile commerce transactions will be open for wide markets. An important step towards the development and penetration on m-commerce is the employment of short-range wireless local area networks, such as Bluetooth. Also the consumer electronics has a tendency of having an embedded microprocessor in every device. This embedded networking is also suitable for Smart Information Services like alarms, electronic business cards etc. Shortly, networking will become more and more general. The principles of Wireless Local Area Network (WLAN) were defined in standard IEEE that was concluded in the end of 1997 [12]. It defines two different topologies: adhoc network and infrastructure network. An infrastructure network is an enlargement of a fixed network, where mobile devices can be connected to fixed network. An ad-hoc network is independent and it can consist of mobile devices supplied with cordless

2 2(12) adapters to network. These mobile devices form a point-to-point connection to every single device in this particular network Therefore an ad-hoc network is able to use only created wireless connection instead of fixed infrastructure. Wireless Local Area Network (WLAN) is sometimes called also as ad hoc network. Using radio frequency in WLAN brings us a problem of receiving signals inside the WLAN and weak signals in its near surrounding. This can be limited by using Frequency Hopping Spread Spectrum (FHSS), where frequencies vary randomly. WLAN based on microwave techniques have similar problems. Only WLAN based on infrared technique is secure in this sense, because the radiation cannot pass through walls. Generally, WLAN has more tendency to eavesdropping than fixed LAN. This paper can be divided into three main chapters in addition to introduction and conclusion. The first main chapter gives an overview of ad-hoc networks. Some ad-hoc networks are mentioned, and in third main chapter the security issues of an ad-hoc network named Bluetooth will be presented. The second main chapter enlightens the general security issues of an ad-hoc network. 2. Overview of Ad-hoc Networks Ad-hoc networks have characteristics that differ from those of more conventional networks. These networks have a short range of wireless channel. Some of the common features for such networks are that there is only little or no support infrastructure. This lack of infrastructure introduces problems in routing, name resolution, service discovery and security [1] [2]. The trust in the prior context of security can be transferred and transformed when providing security services. There is also absence of an online server that has its influence on security. In addition to all these the battery operated personal devices have constraints such as a peanut CPU, battery power and high latency. This may cause trade-off between security and constraints mentioned above. Several groups have built up their networks emphasizing different aspects such as Piconet [3], HomeRF [4], IrDA [5], Bluetooth [6,7,8] and IEEE 802 [12]. IrDA is based on infrared technology and the others use radio frequency. The comparison of wireless radio is presented in table 1. Piconet is a general purpose, low-powered, ad-hoc network, where security issues have not yet been of significant interest in designing and implementation. Piconet is a project at Olivetti and Oracle Research Laboratory (ORL). Its goal was to understand the provision of wireless connectivity. A Piconet node has been developed to provide a connection to this embedded network. It allows two devices near each other to interoperate. These devices can be either mobile or fixed. The range is said to be reasonably short.

3 3(12) Table 1: Wireless radio comparison. The HomeRF Shared Wireless Access Protocol (SWAP) system is designed to carry both voice and data traffic and to inter-operate with the Public Switched Telephone Network (PSTN) and the Internet. The SWAP system can operate either as an ad-hoc network or as a managed network under the control of Connection Point. Connection Point is required to coordinate the system. In an ad-hoc network that supports only data communication all stations are equal and control of network is distributed between the stations. The range covers typical home and yard. Therefore especially different consumer electronic devices use SWAP. Infrared Data Assosiation s IrDA is based on technology similar to the remote control devices such as TV and entertainment used in most home today. IrDA Data is recommended for high-speed short range, point-to-point cordless data transfer. IrDA Control is recommended in-room cordless peripherals to host-pc. The range of physical IrDA Data signaling for continuous operations is from contact to at least 1 meter, but also 2 meters can normally be reached. The range of physical IrDA Control signaling is minimum 5 meter between infrared remote control units. Infrared has advantage over radio because of the maturity of infrared technology and standardization activities. The line-of-sight requirement of infrared restricts its flexibility and is clearly disadvantage. Bluetooth is a recently proposed standard for local wireless communication of devices. It promises a variety of improvements over current functionality (hands-free communication and effortless synchronization). It allows communication between portable and fixed devices by using short-range wireless methods. These wireless local

4 4(12) area networks can be of permanent or temporary nature. Bluetooth can be used in mobile devices like mobile computers, mobile phones, network access points printers and virtually any other device that can have Bluetooth radios integrated into them. More detailed information in the context of security is given in chapter Security issues in ad-hoc Network Ad-hoc networks have same security issues as infrastructure networks. The emphases on these issues just differ from those of more conventional systems. These issues are denial of service, the goals of authentication and the problem of naming. The denial of service is a part of the availability of a service. The goals of authentication have to be set differently. This includes also naming. These issues are handled in chapter 3.2. In this chapter the master device, later only master, is the one that have a control over other devices called slaves. There can mostly be seven slaves to be controlled by one master. And a master can be a slave of another master [1]. 3.1 Availability Availability means that the service is offered to the user when it is requested. The nondelivery of a service has a great meaning to user. The denial of a service can be caused by such legitimate ways as a radio jamming or battery exhaustion. An attacker can cause a radio jamming by jamming a wider frequency band and in that way using more power. The latter can be of real threat, because once a battery runs out the attacker can walk away and leave the victim disabled. This kind of technique is called as the sleep deprivation torture attack [1]. 3.2 Authenticity From the security point of view the ad-hoc network has a fundamental problem: there are no online servers [1] [2]. A centralized administrator takes usually care of authorization mechanism. The interaction with the administrator can be expensive and time-consuming. The mechanism can anyway be implemented by access control lists or capabilities like signed certificates. The length of valid period concerning access control lists and capabilities has influence on convenience. Some trade-off between them has to be made. Stajano and Anderson [1] have presented The resurrecting duckling security policy, in which they emphasize uniqueness of a master. In this paper a slave has two exclusive states: imprinted and imprintable. The master controls his slave and they are bound to

5 5(12) together with a shared secret that is originally transferred from master to slave over a nonwireless, confidential and integrated, channel. The slave is imprinted and made imprintable by his master. The slave becomes imprintable as a consequence of conclusion of a transaction or by an order of his master. An example of this policy is the usage of a thermometer. The thermometer is calibrated once in six months. A doctor picks up any valid thermometer and wants it to communicate with e.g. her palmtop in order to receive the measured result. After this action the thermometer is free to be used by any other doctor. The original The resurrecting duckling security policy was extended to cover also a peer-to-peer interaction [9]. In the extension a master can also be a human in addition to devices. In case of human master he can imprint the slave device by typing a PIN. A master can also be a millimeter-sized dust mote of which a system is consist of. There are a lot of dust motes in monitored area and each of them has battery, solar cell, sensors and some digital computing equipment. It may also have an active transmitter and receiver. These can be used in military purpose. Another feature of this extension is that the master does not have to be unique. The slave can be imprinted also by another master that has a credential valid to that slave at the moment. The slave has a principle master, but it can receive some kind of orders also from other masters. In extension of the resurrecting duckling model the master can upload a new policy in slave, too. The key agreement is of significant importance when a secure transient association is to be guaranteed [2]. This will happen best when the key management is done locally. In case of ad-hoc network the location is more relevant as the name space. In order to implement location-based key agreement successfully a set of labels to map the location as well as identity-based mechanism for key agreement is needed. Yet there are problems that have to be solved. First, there might be multilevel certificate hierarchy and second, the sent certificate can be cancelled. In order to tackle these problems a physically secure channel or a trusted 3 rd party can be used if only it is available. A generic protocol for password authenticated key exchange is presented in figure 1 [2]. The two parties M and S share a weak secret P. The goal of this protocol is to agree a strong session key K in spite of weak P. In first step a master sends his identifier and an encrypted weak secret to slave. In second step the slave extracts E M and generates R randomly. R is encrypted with E M and returned back to master. In third step the R is extracted and challenge M and S M are generated. They are encrypted by R and sent back to slave. In forth step slave extracts challenge M and computes h(challenge M). Slaves own random strings challenge S and S S are generated and encrypted with h(challenge M) using R as a key. These will be sent back to master that in fifth step verifies the given h(challenge M) to be what it is claimed to be. The master can be convinced that slave can extract challenge M. This is possible only if the slave knows the used weak secret. The protocol can be extended to multi-party protocol. In that case S functions are also used to generate strong session key K. Other parties knowledge of K have to be confirmed.

6 6(12) Figure 1: Protocol for password authenticated key exchange. 3.3 Integrity Integrity is close to authenticity. By the integrity is meant that no node has been maliciously changed [1]. In case of integrity there are similarities between that of ad-hoc network and that of more conventional systems. Integrity has to be preserved. As certificate and identities are not secret, it is possible to clone a device. By securing the public key and letting only the device to know his private key it is possible to use the certificate in sensible way. The device has to be tamper-proof, so that his private key cannot be read out and used in a fake device. To best way to avoid attacks is to try to make the node tamper-proof, which is not simple at all. Anderson [11] has in his paper Tamper Resistance a Cautionary Note stated the importance and necessity of design security systems more carefully. The systems have to be tested also against hostile attackers. The physical tamper-evidence mechanisms are often more suitable. The tampering itself can be more than changing a code or key. It can also be a direct attack to a device. The software has to be able to be uploaded into nodes. This has to be possible also after deployment. If a part of the core code of the node is tamper-proof uploading an infiltrating of malicious code can be done.

7 7(12) 3.4 Confidentiality It is essential that the right master will be ensured as a first action. If this is left undone, there is no point to secure the communication with an arbitrary master. So when the authenticity is done properly the confidentiality is taken care by encrypting. 3.5 Privacy Ad-hoc networks have a higher tendency to eavesdropping than more conventional ones. Specially, if the key agreement is not done with a suitable protocol, anyone can listen it and determine the information needed for authentication. 4. An example of an ad-hoc network: Bluetooth The Bluetooth technology provides peer-to-peer communications for both mobile and fixed devices that use short-range wireless networks [6] [7] [8]. These transmissions can take place in a business and home environment. Bluetooth can form both permanent and temporary wireless local area networks. The signal interference is avoided by frequency hopping spread spectrum. The Bluetooth system is also a cost-effective solution, because it operates in the 2.4 Ghz ISM (Industrial, Scientific and Medical) radio frequency band that is license free in almost every country. It doesn t consume much power and there can be several access points in the same area. The basic objectives for security were to provide means for a secure link layer. From the authentication of entities point of view this means that the devices have to be identified and access control has to be solved. From the link s point of view enabling privacy in multi-access channel was an objective, but not an easy one, because eavesdropping is easy. What the Bluetooth does not do is securing end-to-end links. As Bluetooth specification 1.0 B was published just year ago, it consists of some shortcomings in security. These weaknesses concern attacks to determine the key exchange of two victim devices and attacks on location some to mention. In the following subchapters security weaknesses of Bluetooth are being presented. 4.1 Architectural overview The architectural overview of Bluetooth is presented in figure 2. In order to guarantee the confidentiality the system has to provide security measures both at the application layer and the link layer. This means that the authentication and the encryption routines have to

8 8(12) be implemented in same way in each Bluetooth device. There are four different entities used for maintaining the security at the link layer. First one of them is a Bluetooth device address which is unique for each user, but it is not a secured identity. Its size is 48 bits. The second one of them is a private user key, which is used for authentication. Its size is 128 bits. The third one of them is a private user key that is used for encryption. Its size varies from 8 to 128 bits. The authentication key is different from encryption key although the latter is created from the former one. The fourth entity is a random number, which can be derived from random or pseudo-random process in the Bluetooth device. This number will change frequently. Figure 2: Architectural overview. 4.2 Key types The link key is a 128-bit random number that is shared between two or more parties [6]. It is used in the authentication routine. It is one of the parameters when the encryption key is derived. The hierarchy of key types is presented in figure 3. The link key is either temporary or semi-permanent. The lifetime of a temporary key is same as the lifetime of a session. In a point-to-multi-point configuration, where the same information is to be distributed to several recipients, a common encryption key is useful. A special link key, here master key, can temporarily replace the current link keys. With master s random number and master key the slaves can generate a new encryption key.

9 9(12) Figure 3: Key types. When the link key is semi-permanent, it may be used several times. The combination key and the unit key are functionally indistinguishable for the device. They are just generated differently. The unit key is generated in a single device. It is done only once at the installation of the device and therefore changes rarely. The combination key is derived from information of two devices and is always dependent of those two communicating devices. It is derived for each new combination of two devices. When higher security level is wanted it is preferable to use combination key. In case device has only little memory to store keys or the device must be accessible to a large group of users it is better to use unit key [6]. The initialization key is used as a link key, when there is not yet unit key or combination key defined. It is derived from random number, a PIN code and the unique address of the claimed device. This key is used only during the initialization [6]. The encryption key is derived from the current link key. It is changed automatically whenever the encryption is activated. The other two parameter for generating a encryption key are 96-bit Ciphering Offset number (COF) and a 128-bit random number. COF is derived master s device address [6]. 4.3 Determination of key exchange The first time connection and pairing is presented in figure 4. The corresponding non-first time connection is presented in figure 5. According to the specification of Bluetooth there are two different ways of establishing the key exchange. The first protocol is used, when

10 10(12) there is not enough memory recourses in either of devices to run the second protocol. The second protocol is run unless either of devices requests for the first protocol. When using the first protocol there is only limited number of keys stored by the device. The unit key of device is used instead as a link key that is a temporary symmetric key lasting from one to several sessions. Figure 4: Link setup at first time connection. In the second protocol the link key is selected from the unit keys. Two devices select their own initialization keys and these are to functions as an address of either one. In addition to that a PIN and a random number for each device are needed. The link key will be computed as a function of those two random numbers. Figure 5: Link setup for non-first time connections. By listening the channel attacker, who is able to eavesdrop, can determine the initialization key and compute the link key. Link keys are the basis of encryption keys, so this enables attacker to impersonate devices, read s etc. These situations can be avoided by lengthening the PIN and protecting the unit keys by choosing large enough set

11 11(12) of keys. One should also defend itself against middle-person attacks both in application layer and deploying policies against them. 4.4 Location attack According to assumption the attacker has Bluetooth-enabled devices over a city. The attacker tries to initiate the communication with all reachable devices. Once a device responds the identity of that device will be recorded by an attacker. The identity of the device can also be obtained, if they respond to the communication requests of strange devices (that means attackers). In a well-chosen location e.g. airport gates a users identity can be found out by connecting obtained side information to transactions, e.g. mobile paying and subscriber. The means to avoid a location attack is to use pseudonyms at the time of the first key exchange or right after the communication is initialized. 5. Conclusion The ad-hoc networks have no or only little support infrastructure and therefore they are of a special nature. This makes different aspects of security more important than in more conventional systems. The goals of authentication and the problems of naming and location are important issues in ad-hoc networks. The resurrecting duckling security policy with the key agreement in ad-hoc networks is a good solution for ad-hoc networks in general [1][2][9]. The problem is, how to establish a connection at the first time, when there is no shared secret known by other devices. An interesting standard of Bluetooth has its shortcomings in the area of security. It does not guarantee end-to-end security, but the security at the link layer is given. Using the first protocol is not preferable at all. Also the high probability of location attack makes it wonder if this technology is mature enough to be used. Especially, when money transactions are made and transactions concerning somebody s life is depending on it, the usage of this technology is not the best one. The usage of unlicensed spectrum of ISM does not speak for itself although it has a great and advantages influence in price. To the Bluetooth is set ambitious target to win a gold medal in Europe. Time will show if this target will be achieved and when will it happen.

12 12(12) 6. References [1] Frank Stajano, Ross Anderson. The resurrecting duckling: Security issues for ad-hoc wireless networks. In Proceedings of the 7 th International Workshop on Security Protocols, Lecture Notes in Computer Science. Springler-Verlag, Berlin, Germany, April Available from [2] N. Asokan, Philip Ginzboorg. Key agreement in ad hoc networks. Computer Communications 23 (2000) [3] Frazer Bennett, David Clarke, Joseph B. Evans, Andy Hopper, Alan Jones, David Leask. Piconet: Embedded Mobile Networking. IEEE Personal Communications, 4(5):8-15, October [4] HomeRF Working Group. [5] Infrared Data Association. [6] Specification of the Bluetooth System, specification Volume 1, v.1.0 B, December 1, See [8]. [7] Specification of the Bluetooth System, specification Volume 2, v.1.0 B, December 1, See [8]. [8] Bluetooth SIG. [9] Frank Stajano. The resurrecting duckling What next?. In Proceedings of the 8 th International Workshop on Security Protocols, Lecture Notes in Computer Science. Springler-Verlag, Berlin, Germany, April Available from [10] Markus Jakobsson, Susanne Wetzel. Personal communication. [11] Ross Anderson and Markus Kuhn. \Tamper Resistance - A Cautionary Note". In Proc. 2nd USENIX Workshop on Electronic Commerce", ISBN [12] The Wireless LAN Alliance: The IEEE Wireless LAN Standard.

Bluetooth. March 28, 2005 Patrick Lui

Bluetooth. March 28, 2005 Patrick Lui Bluetooth March 28, 2005 Patrick Lui 0053252 1. Introduction As our everyday lives move closer towards complete digital age, connectivity between devices is an important aspect that has not been emphasized