Secure Multi-Hop Infrastructure Access presented by Reza Curtmola - - PowerPoint PPT Presentation

secure multi hop infrastructure access
SMART_READER_LITE
LIVE PREVIEW

Secure Multi-Hop Infrastructure Access presented by Reza Curtmola - - PowerPoint PPT Presentation

Oct 11, 2023 169 likes •532 views

Secure Multi-Hop Infrastructure Access presented by Reza Curtmola (joint work with B. Awerbuch, D. Holmer, C. Nita-Rotaru and H. Rubens) 600.647 Advanced Topics in Wireless Networks Wireless Infrastructure Access Few pure wireless peer

slide-1
SLIDE 1

Secure Multi-Hop Infrastructure Access

presented by Reza Curtmola

(joint work with B. Awerbuch, D. Holmer, C. Nita-Rotaru and H. Rubens)

600.647 – Advanced Topics in Wireless Networks

slide-2
SLIDE 2

Wireless Infrastructure Access

  • Few pure wireless peer to peer apps yet

(primarily emergency deployments)

  • Un-tethered infrastructure access has been

the wireless killer app (countless variations)

– Voice communication – Internet access – Local area network access – Data gathering sensor networks – Peripherals (headphones, mice, keyboards)

slide-3
SLIDE 3

Single-Hop vs. Multi-Hop

  • Advantages

– Well established – Lower Complexity

  • Issues

– Limited coverage

  • Range
  • Quality (gaps)
  • Advantages

– Increased Coverage – Enhanced performance – Reduced Deployment Cost – Overall Flexibility

  • Challenges

– Routing protocol – Mobility – Scalability

slide-4
SLIDE 4

Infrastructure Access Security

  • Single-Hop

– Many years to develop current state of the art

  • 1997 – WEP
  • 2003 – WPA
  • 2004 – 802.11i / WPA2

– Still outstanding issues? (see NDSS 2004 paper)

  • Multi-Hop

– Introduces a set of additional security concerns – Existing work focuses only on the security of the ad hoc scenario

slide-5
SLIDE 5

Network Model

Gateway Authorized Node Adversary Revoked Node

slide-6
SLIDE 6

Protocol Design Goals

  • Security comparable to single-hop state of

the art protocols

  • Additional protection against multi-hop

routing attacks

– Black Hole – Flood Rushing – Wormhole

  • Efficient protocol operation

– Symmetric cryptography – Scalable user management

slide-7
SLIDE 7

Adversarial Model

  • Access Point

– is trusted – able to establish trust relationships with authorized nodes

  • Authenticated nodes are trusted to perform

the protocol correctly

  • Adversaries are unauthenticated nodes

– Perform arbitrary attacks (e.g. drop, inject or modify packets) – May collude to perform stronger attacks (e.g. tunnel packets)

slide-8
SLIDE 8

Our Solution

  • Take an existing solution: Pulse protocol

[Infocom ‘04, Milcom ‘04, WONS ‘05]

– Multi-hop routing protocol – Optimized for many-to-one communication pattern – High Scalability

  • Mobility
  • Number of nodes
  • Number of flows
  • Build security mechanisms into it
slide-9
SLIDE 9

Pulse Protocol Example

slide-10
SLIDE 10

Pro-active Spanning Tree

slide-11
SLIDE 11

Node Wishes to Communicate

slide-12
SLIDE 12

Sends Packet to Gateway

slide-13
SLIDE 13

Cryptographic Protection

  • Participating nodes share a network wide

symmetric key NSK

– Used to secure the routing service – Established and maintained using a broadcast encryption scheme (BES)

  • Source and destination use per flow unicast

key (UK) to protect data payload

routing headers data payload seq number HMACNSK ENSK EUK

slide-14
SLIDE 14

Secure Reliability Metric

  • Secure ACKs are required for each data

packet traversing a link

  • Protocol gathers history of ACK failures
  • Link weights inversely proportional to

reliability

  • Strategy is similar to ODSBR [WiSe ’02]
slide-15
SLIDE 15

Network Model

Gateway Authorized Node Adversary Revoked Node

slide-16
SLIDE 16

Adversarial Avoidance Example

Gateway

1 1 2 2 1 1 2 2 2 2 3 2 3 3 3 2

slide-17
SLIDE 17

Adversarial Avoidance Example

Gateway

1 1 2 2 1 1 2 2 2 2 3 2 3 3 3 2

slide-18
SLIDE 18

Adversarial Avoidance Example

Gateway

1 1 2 2 1 1 2 2 2 2 3 2 3 3 3 2 1

slide-19
SLIDE 19

Adversarial Avoidance Example

Gateway

1 1 2 2 1 1 2 2 2 2 3 2 3 3 3 2 1

slide-20
SLIDE 20

Adversarial Avoidance Example

Gateway

1 1 2 2 1 1 2 2 2 2 3 2 3 3 2 1.1 3

slide-21
SLIDE 21

Adversarial Avoidance Example

Gateway

1 1 2 2 1 1 2 2 2 2 3 2 3 3 3 2 1.1 1

slide-22
SLIDE 22

Wormhole Avoidance Example

Gateway

1 1 2 2 1 1 2 2 2 2 3 2 3 3 2 3

slide-23
SLIDE 23

Wormhole Avoidance Example

Gateway

1 1 2 2 1 1 2 2 2 2 3 2 2 1 2 3 1

slide-24
SLIDE 24

Wormhole Avoidance Example

Gateway

1 1 2 2 1 1 2 2 2 2 3 2 2 1 2 3 1.1 …

slide-25
SLIDE 25

Wormhole Avoidance Example

Gateway

1 1 2 2 1 1 2 2 2 2 3 2 2 1 2 3 3.1

slide-26
SLIDE 26

Wormhole Avoidance Example

Gateway

1 1 2 2 1 1 2 2 2 2 3 2 3 3 2 3 3.1

slide-27
SLIDE 27

Attack mitigation

  • Injecting, modifying packets – use of NSK
  • Replay attack – use of nonces
  • Flood rushing – protocol relies on the

metric, and not on timing information

  • Black hole – unreliable links are avoided

using metric

  • Wormhole – creation is not prevented, but it

is avoided using metric

slide-28
SLIDE 28

Key Management

  • Assumption: each node has a unique

pre-established shared key PSK with the gateway

  • Goal: to efficiently manage the Network Shared

Key (NSK)

– Selected and maintained by the gateway – Add/revoke users – Periodically refreshed Manually entered as in WEP or WPA / WPA2 personal mode Automatically generated by interaction with an authentication server as in 802.1x / EAP

  • r
slide-29
SLIDE 29

Broadcast Encryption Scheme

  • Center broadcasts a message
  • Only a subset of privileged (non-revoked)

users can decrypt it

  • Our requirements:

– Allows unbounded number of broadcasts – Any subset of users can be defined as privileged – A coalition of all revoked users cannot decrypt the broadcast

slide-30
SLIDE 30

Subset Cover Framework

  • CS or SD [Crypto ’01], LSD [Crypto ’02]
  • The set of privileged users is represented as the

union of s subsets of users

  • A long-term key is associated with each subset
  • A user knows a long-term key only if he belongs

to the corresponding subset

  • Center encrypts message s times under all the

keys associated with subsets in the union

  • LSD Properties

– Each node stores O(log3/2(n)) keys – O(r) message size – O(log(n)) computation at each node

slide-31
SLIDE 31

Node Management

  • Node addition

– Using PSK, a node obtains from the gateway the current NSK and the set of secrets for the BES

  • Node revocation / NSK refresh

– Gateway generates a new NSK – Gateway broadcasts encrypted NSK such that

  • nly non-revoked nodes are able to decrypt it

– Scalability advantage over Group Key management in 802.11i which is O(n)

slide-32
SLIDE 32

1 3 6

Complete Subtree

1 3 2 7 6 5 4 15 14 13 12 11 10 9 8

  • Broadcast: EK2(KEK), EK7(KEK), EK12(KEK), EKEK(NSK’)

U1 U2 U3 U4 U5 U6 U7 U8 12 2 7

slide-33
SLIDE 33

Conclusion

  • Protocol provides multi-hop infrastructure

access

  • Efficient, lightweight security

– Entirely based on symmetric cryptography – Prevents a wide variety of attacks – Leverages infrastructure for trust establishment

slide-34
SLIDE 34

Real World Implementation

  • Completed Features

– Linux Kernel Module with 2.4 and 2.6 compatibility

  • Operates at layer 2
  • Distributed virtual switch architecture provides seamless bridging

– Pulse Protocol

  • Shortcuts and gratuitous reply
  • Instantaneous loop freedom
  • Fast parent switching (with loop freedom)
  • Medium Time Metric route selection metric (WONS 2004)

– 50 Nodes deployed across JHU Campus

  • Tested with Internet Access, Ad hoc Access Points, Voice over IP
  • Mobility tested at automobile speeds
  • In Progress

– Security – (NDSS Workshop 2005)

  • Flood Rushing, Wormholes, Black holes, any NON-Byzantine attack
  • In kernel crypto implementation

– Leader Election Algorithm

  • Fault tolerance, switches pulse source to most accessed destination
  • Handle merge and partition

– Efficient Tree Flooding

  • Similar to expanding ring search but with no duplicates