Secure Multi-Hop Infrastructure Access

Transcription

1 Secure Multi-Hop Infrastructure Access presented by Reza Curtmola (joint work with B. Awerbuch, D. Holmer, C. Nita-Rotaru and H. Rubens) Advanced Topics in Wireless Networks

2 Wireless Infrastructure Access Few pure wireless peer to peer apps yet (primarily emergency deployments) Un-tethered infrastructure access has been the wireless killer app (countless variations) Voice communication Internet access Local area network access Data gathering sensor networks Peripherals (headphones, mice, keyboards)

3 Single-Hop vs. Multi-Hop Advantages Well established Lower Complexity Issues Limited coverage Range Quality (gaps) Advantages Increased Coverage Enhanced performance Reduced Deployment Cost Overall Flexibility Challenges Routing protocol Mobility Scalability

4 Infrastructure Access Security Single-Hop Many years to develop current state of the art 997 WEP 00 WPA i / WPA Still outstanding issues? (see NDSS 004 paper) Multi-Hop Introduces a set of additional security concerns Existing work focuses only on the security of the ad hoc scenario

5 Network Model Gateway Authorized Node Adversary Revoked Node

6 Protocol Design Goals Security comparable to single-hop state of the art protocols Additional protection against multi-hop routing attacks Black Hole Flood Rushing Wormhole Efficient protocol operation Symmetric cryptography Scalable user management

7 Adversarial Model Access Point is trusted able to establish trust relationships with authorized nodes Authenticated nodes are trusted to perform the protocol correctly Adversaries are unauthenticated nodes Perform arbitrary attacks (e.g. drop, inject or modify packets) May collude to perform stronger attacks (e.g. tunnel packets)

8 Our Solution Take an existing solution: Pulse protocol [Infocom 04, Milcom 04, WONS 05] Multi-hop routing protocol Optimized for many-to-one communication pattern High Scalability Mobility Number of nodes Number of flows Build security mechanisms into it

9 Pulse Protocol Example

10 Pro-active Spanning Tree

11 Node Wishes to Communicate

12 Sends Packet to Gateway

13 Cryptographic Protection Participating nodes share a network wide symmetric key NSK Used to secure the routing service Established and maintained using a broadcast encryption scheme (BES) Source and destination use per flow unicast key (UK) to protect data payload seq number routing headers data payload HMAC NSK E NSK E UK

14 Secure Reliability Metric Secure ACKs are required for each data packet traversing a link Protocol gathers history of ACK failures Link weights inversely proportional to reliability Strategy is similar to ODSBR [WiSe 0]

15 Network Model Gateway Authorized Node Adversary Revoked Node

16 Adversarial Avoidance Example Gateway

17 Adversarial Avoidance Example Gateway

18 Adversarial Avoidance Example Gateway

19 Adversarial Avoidance Example Gateway

20 Adversarial Avoidance Example Gateway.

21 Adversarial Avoidance Example Gateway.

22 Wormhole Avoidance Example Gateway

23 Wormhole Avoidance Example Gateway

24 Wormhole Avoidance Example Gateway.

25 Wormhole Avoidance Example Gateway.

26 Wormhole Avoidance Example Gateway.

27 Attack mitigation Injecting, modifying packets use of NSK Replay attack use of nonces Flood rushing protocol relies on the metric, and not on timing information Black hole unreliable links are avoided using metric Wormhole creation is not prevented, but it is avoided using metric

28 Key Management Assumption: each node has a unique pre-established shared key PSK with the gateway Manually entered as in WEP or WPA / WPA personal mode or Automatically generated by interaction with an authentication server as in 80.x / EAP Goal: to efficiently manage the Network Shared Key (NSK) Selected and maintained by the gateway Add/revoke users Periodically refreshed

29 Broadcast Encryption Scheme Center broadcasts a message Only a subset of privileged (non-revoked) users can decrypt it Our requirements: Allows unbounded number of broadcasts Any subset of users can be defined as privileged A coalition of all revoked users cannot decrypt the broadcast

30 Subset Cover Framework CS or SD [Crypto 0], LSD [Crypto 0] The set of privileged users is represented as the union of s subsets of users A long-term key is associated with each subset A user knows a long-term key only if he belongs to the corresponding subset Center encrypts message s times under all the keys associated with subsets in the union LSD Properties Each node stores O(log / (n)) keys O(r) message size O(log(n)) computation at each node

31 Node Management Node addition Using PSK, a node obtains from the gateway the current NSK and the set of secrets for the BES Node revocation / NSK refresh Gateway generates a new NSK Gateway broadcasts encrypted NSK such that only non-revoked nodes are able to decrypt it Scalability advantage over Group Key management in 80.i which is O(n)

32 Complete Subtree U U U U 4 U 5 U 6 U 7 U 8 Broadcast: E K (KEK), E K7 (KEK), E K (KEK), E KEK (NSK )

33 Conclusion Protocol provides multi-hop infrastructure access Efficient, lightweight security Entirely based on symmetric cryptography Prevents a wide variety of attacks Leverages infrastructure for trust establishment

34 Real World Implementation Completed Features Linux Kernel Module with.4 and.6 compatibility Operates at layer Distributed virtual switch architecture provides seamless bridging Pulse Protocol Shortcuts and gratuitous reply Instantaneous loop freedom Fast parent switching (with loop freedom) Medium Time Metric route selection metric (WONS 004) 50 Nodes deployed across JHU Campus Tested with Internet Access, Ad hoc Access Points, Voice over IP Mobility tested at automobile speeds In Progress Security (NDSS Workshop 005) Flood Rushing, Wormholes, Black holes, any NON-Byzantine attack In kernel crypto implementation Leader Election Algorithm Fault tolerance, switches pulse source to most accessed destination Handle merge and partition Efficient Tree Flooding Similar to expanding ring search but with no duplicates