Achieving security in Wireless Mesh Networks (Abhishek Gautam, Armaan Goyal)

CSE 703 – Wireless Network Security – Principles and Practices
Dept. of Computer Science and Engineering
Wireless Mesh Networks (WMNs)
• An emerging technology offering low-cost, high-bandwidth community
services that support several vital applications.
• Examples of such applications:
• Provisioning of Internet access in rural areas
• City-wide security surveillance
• Information services in public transportation systems
• Emergency and disaster recovery operations
• High-speed wireless metropolitan area networks (WMANs)
Where are WMNs being used currently?
• The U.S. military now uses wireless mesh networking to connect its
computers, mainly ruggedized laptops, in field operations.
• The laptops in the One Laptop per Child program use wireless mesh
networking so that students can exchange files and reach the Internet
even where there is no wired, cellular or other physical connection in
their area.
Components of a WMN: the three-tier architecture
• MR – Mesh Router
• MC/WC – Mesh Client or Wireless Client
• IGW/GWN – Internet Gateway Router or Gateway Node
• BS – Base Station
Routing techniques in Mesh Networks
• Routing works on similar principles to routing in an IP network.
• Many nodes take part in the data forwarding process, and the protocols
discussed here build multicast routes.
• A mesh-based multicast protocol is used that connects multiple sources
and receivers.
• Path selection is based on routing metrics, just as in ordinary IP
networks. The metrics are discussed later.
Design Concerns in Multicast Routing
• Multicast transmissions are less reliable than unicast transmissions,
for several reasons.
• Unicast frames are sent reliably using link-layer unicast transmission,
which involves link-layer acknowledgements.
• Unicast can also use the RTS/CTS mechanism.
• Multicast frames are sent unreliably using link-layer broadcast: there
are no acknowledgements and no RTS/CTS exchange.
Move to High Throughput. How?
• Conventional routing metric: hop count?
• Hop count was the metric of interior gateway protocols such as RIP.
• Best path? The one with the fewest hops to the destination.
• Scalable? No. EIGRP and OSPF took over from RIP.
• In WMNs, when the metric is hop count, the chosen paths are likely to
include lossy wireless links.
• The focus has therefore shifted to high throughput: choose paths
according to the quality of the wireless links. The metric is what
captures that quality.
So how do we achieve HT multicast routing in WMNs?
• ODMRP, extended with high-throughput metrics (ODMRP-HT, below), takes
care of this.
• ODMRP stands for On-Demand Multicast Routing Protocol.
• It is a multicast routing protocol for WMNs that builds a mesh of nodes
for each multicast group.
• Nodes are added to the mesh through a route selection and activation
protocol.
ODMRP Terminologies
• Node – A device that participates in a multicast group
• Neighbor – A node within radio transmission range
• Forwarding group - A group of nodes participating in multicast
packet forwarding.
• Multicast mesh - The topology defined by the link connection
between forwarding group members.
• Join query – The special data packet sent by multicast sources
to establish and update group memberships and routes.
• Join reply - The table broadcasted by each multicast receiver
and forwarding node to establish and update group
membership and routes
ODMRP - Working
• The source periodically recreates the mesh by flooding a Join Query
message through the network in order to refresh the membership
information and update the routes.
• Join Query messages are flooded using a basic flood suppression
mechanism, in which nodes process only the first copy of a flooded
message that they receive.
• When a receiver node gets a Join Query message, it activates the path
from itself back to the source.
• The receiver broadcasts a Join Reply message that contains an entry for
each multicast group it wants to join; each entry has a next-hop field
filled with the corresponding upstream node (the node from which the
Join Query was received).
ODMRP - Working (contd.)
• When an intermediate node receives a Join Reply message, it checks for
its own identifier.
• It learns whether it is on the path to the source by checking if the
next-hop field of any entry in the message matches its own identifier.
• If so, it makes itself part of the mesh (the Forwarding Group) and
creates and broadcasts a new Join Reply built from the matched entries,
with its own upstream node as the next hop.
• Once the Join Reply messages reach the source, the multicast receivers
are connected to the source through a mesh of nodes (the Forwarding
Group), which delivers the multicast data.
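The two slides above, as an added example that is not part of the original deck and not the ODMRP authors' code: a small Python simulation of Join Query flooding with basic flood suppression, Join Reply propagation that builds the Forwarding Group, and data delivery through the resulting mesh. The topology, the node names and the assumption that all links have equal delay (so that breadth-first order models "first copy received") are this example's own.

```python
"""ODMRP mesh creation and multicast delivery on a constructed topology.
Added example, not code from the ODMRP authors. The topology, node names
and the equal-link-delay assumption (BFS order = first copy received)
are assumptions of this example."""
from collections import deque

# Constructed topology: S is the source, R1 and R2 are receivers.
LINKS = [("S", "A"), ("S", "B"), ("A", "C"), ("B", "C"),
         ("C", "R1"), ("B", "R2"), ("R2", "R1")]


def build_adjacency(links):
    adj = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj


def flood_join_query(adj, source):
    """Flood a Join Query with basic flood suppression: a node processes
    only the first copy it receives and remembers which neighbour sent it
    (its upstream towards the source). Returns {node: upstream}."""
    upstream = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nbr in sorted(adj[node]):      # deterministic tie-break
            if nbr not in upstream:        # first copy: process and rebroadcast
                upstream[nbr] = node
                queue.append(nbr)
            # any later copy of the same Join Query is suppressed
    return upstream


def build_forwarding_group(upstream, receivers, source):
    """Each receiver broadcasts a Join Reply whose next-hop field names its
    upstream. A node that finds its own id in that field joins the
    Forwarding Group and re-broadcasts a Join Reply naming its own
    upstream, until the reply reaches the source."""
    forwarding_group = set()
    for receiver in receivers:
        hop = upstream[receiver]
        while hop is not None and hop != source:
            forwarding_group.add(hop)
            hop = upstream[hop]
    return forwarding_group


def deliver_multicast(adj, source, forwarding_group, receivers, dropped=frozenset()):
    """Data delivery: the source broadcasts; only Forwarding Group members
    rebroadcast. `dropped` models black-hole FG members that stay silent.
    Returns the set of receivers that obtained the packet."""
    reached = {source}
    frontier = [source]
    while frontier:
        nxt = []
        for node in frontier:
            forwards = node == source or (node in forwarding_group and node not in dropped)
            if not forwards:
                continue
            for nbr in adj[node]:
                if nbr not in reached:
                    reached.add(nbr)
                    nxt.append(nbr)
        frontier = nxt
    return reached & set(receivers)


if __name__ == "__main__":
    adj = build_adjacency(LINKS)
    upstream = flood_join_query(adj, "S")
    fg = build_forwarding_group(upstream, ["R1", "R2"], "S")
    print("upstream:", upstream)
    print("forwarding group:", sorted(fg))
    print("delivered:", deliver_multicast(adj, "S", fg, ["R1", "R2"]))
    print("A drops:", deliver_multicast(adj, "S", fg, ["R1", "R2"], dropped={"A"}))
    print("C drops:", deliver_multicast(adj, "S", fg, ["R1", "R2"], dropped={"C"}))
```

Running it shows why the result is a mesh rather than a tree: C's upstream is A, but B is also a forwarder (it is on R2's path), so if A silently drops packets R1 is still served through B. If C drops, R1 has no forwarder left; that is the packet-dropping case the RateGuard mechanism addresses later in the deck.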
ODMRP-HT
• The High Throughput version of ODMRP. Enhance
ODMRP with high-throughput metrics in the path
selection process
• Differs from ODMRP in two respects:
1. Instead of selecting routes based on minimum delay
(which results in choosing the fastest routes),
ODMRP-HT selects routes based on a link-quality
metric
2. ODMRP-HT uses a weighted flood suppression
mechanism to flood Join Query messages instead of
using a basic flood suppression.
Two reasons for vulnerabilities
• Many of the protocols assume a pre-existing cooperative relationship
among the nodes; for them to work, the participating nodes must be
honest and well-behaved, with no malicious or dishonest intentions.
• Two prime reasons for vulnerabilities:
1. The assumption of pre-existing trust relationships among the nodes
2. The absence of a central administrator
A discussion of various attacks
• We discuss various attacks that can take place in WMNs, categorising
them by OSI layer.
• We explore the attacks at L1-L4 and the defense mechanisms associated
with them.
• We then discuss in detail one L3 attack, the Sybil attack, and one
class of L4 attack, DoS attacks.
Layer 1 - Jamming Attacks
• The physical layer is responsible for frequency selection, carrier
frequency generation, signal detection, modulation, and data encryption.
• A jammer is an entity that purposefully interferes with the transmission
and reception of messages across the wireless channel by transmitting
RF signals into that channel.
• As with any radio-based medium, the possibility of a jamming attack in
WMNs is high.
• An adversary can potentially disrupt communication in the entire network
by strategically placing the jamming sources.
• Jamming attacks are harder to detect if the attacking devices do not
obey the MAC-layer protocol.
Layer 2 – Passive Eavesdropping
• Multi-hop wireless networks like WMNs are also prone to internal
eavesdropping by the intermediate hops.
• A malicious intermediate node keeps a copy of all the data that it
forwards, without the knowledge of any other node in the network.
• Although passive eavesdropping does not directly affect network
functionality, it compromises data confidentiality; an intermediate node
that also alters what it forwards compromises data integrity as well.
Layer 2 – Link Layer Jamming Attack
• The attacker may transmit regular MAC frame headers (with no payload) on
the channel that conform to the MAC protocol used in the victim network.
• Legitimate nodes always find the channel busy and back off for a random
period before sensing the channel again. This is the carrier-sense part
of CSMA/CA (carrier sense multiple access with collision avoidance), the
scheme 802.11 uses; CSMA/CD belongs to wired Ethernet.
• This denies service to the legitimate nodes and also lets the jamming
node conserve its energy, since it does not have to transmit continuously.
• These attacks can be effective even if encryption such as Wired
Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) has been
employed: a sensor that assists the jammer can still monitor packet
size, timing and sequence to guide the jammer, because encryption hides
the payload but not the traffic pattern.
Layer 2 – MAC Spoofing
• Modifying the MAC addresses in transmitted frames is referred to as MAC
spoofing.
• MAC addresses are intended to be globally unique, so they have often
been used as an authentication factor or as a unique identifier for
granting varying levels of network privileges to a user, for example in
IDS rules and ACLs. They are, however, set in software and trivially
changed, so they are not a secure identifier.
• Since the identity is compromised, the attacker can evade intrusion
detection systems (IDSs) in the network.
• An attacker can eavesdrop on the network to learn the MAC addresses of
legitimate devices, which lets it masquerade as a legitimate user and
gain access to the network.
Layer 2 – Replay Attack
• An external malicious node (M) eavesdrops on the broadcast
communication between two nodes A and B.
• Later, it can replay the eavesdropped messages to gain access to
network resources.
• If authentication information is replayed, the attacker M deceives
node B into believing that the attacker is the legitimate node A.
• A malicious node M that is an intermediate hop between two nodes A and
B can keep a copy of all relayed data and retransmit it later to gain
unauthorised access to network resources.
Layer 3 - Wormhole
• Two or more malicious nodes collude by establishing a tunnel between
themselves over an out-of-band, low-latency link.
• During the route discovery phase of on-demand routing protocols, RREQ
(Route Request) messages are forwarded between the malicious nodes
through the established tunnel, so they arrive earlier and with a lower
hop count than over the genuine path.
• Consequently, the malicious nodes are added to the path from the
source to the destination.
• Once they are on the routing path, the malicious nodes either drop all
packets, causing a complete denial of service, or drop packets
selectively to avoid detection.
Layer 3 - Blackhole
• Leads to denial of service in WMNs.
• Also exploits the route discovery mechanism of on-demand routing
protocols.
• The malicious node always replies positively to an RREQ, although it
may not have a valid route to the destination.
• Almost all traffic within the neighbourhood of the malicious node is
then directed towards it, and it may drop all the packets, causing a
denial of service.
Layer 3 – Sybil Attack
• A malicious node creates multiple identities in the network, each
appearing as a legitimate node.
• The redundancy in the system is exploited by creating multiple
identities and thereby controlling a considerable share of the system's
resources.
• Legitimate nodes take the Sybil identities for regular, distinct network
nodes and add them to the list of distinct paths available to a
particular destination.
• When packets travel from source to destination, these intermediate
malicious identities process the packets and can carry out any of the
attacks discussed so far.
• Path diversity is also diminished, which results in poor performance.
Sybil Attack Overview: Dimension 1
• Direct Communication
Sybil nodes communicate directly with legitimate nodes. When a genuine
node sends a radio message to a Sybil node, a malicious device receives
it. Similarly, messages sent from a Sybil node are in fact sent by a
malicious device.
• Indirect Communication
In this version of the attack, no legitimate node can communicate
directly with the Sybil nodes. Messages sent to a Sybil node are routed
via one of the malicious nodes, which pretends to pass the message on to
the Sybil node.
Sybil Attack Overview: Dimension 2
• Fabricated Identities
The attacker can simply generate random new Sybil identities. For
instance, if each node is identified by a 32-bit integer, the attacker
can allocate each Sybil node a random 32-bit value.
• Stolen Identities
If there is a mechanism for identifying genuine node identities, the
attacker cannot fabricate new ones. It must then assign the identities
of other legitimate nodes to its Sybil nodes (identity theft).
Secure Multicast Routing – Defense against Sybil Attack
• The discussion so far leads to the question of achieving secure
multicast routing while accommodating high-throughput metrics.
• A secure version of ODMRP called S-ODMRP is used to achieve this.
• S-ODMRP ensures delivery of data from the source to the multicast
receivers even in the presence of Byzantine attackers, provided the
receivers are reachable via non-adversarial paths.
S-ODMRP
• Authenticates every control message (the Join Query is signed, see
below) so that unauthenticated messages are never processed. This rules
out a variety of attacks by outsiders.
• But what about attacks on the mesh structure?
• What about packet-dropping attacks?
• These attacks are harder to defend against when HT metrics are used,
because an authenticated insider can lie about link quality.
• To defend against them, S-ODMRP uses the RateGuard technique.
RateGuard
• Takes the PDR (Packet Delivery Ratio) into account.
• Relies on the observation that attackers do not affect the multicast
protocol unless they cause a drop in the packet delivery ratio (PDR).
• Uses a detection and a reaction approach against these attacks.
• Attacker nodes are detected through a measurement-based detection
protocol component.
• Such nodes are then isolated through an accusation-based reaction
protocol component.
RateGuard - Measurement-based attack detection
• Takes into account that, whatever the type of attack, its effect is
that data are not delivered at a rate consistent with the advertised
(claimed) path quality.
• RateGuard relies on the ability of honest nodes to detect the
discrepancy between the expected PDR (ePDR) and the perceived PDR (pPDR).
• A node can estimate the ePDR of a route from the value of the metric
for that route.
• The node can determine the pPDR for a route by measuring the rate at
which it receives data packets from its upstream on that route.
• If (ePDR − pPDR) for a route becomes larger than a detection threshold
δ, the node suspects that the route is under attack, because the route
failed to deliver data at a rate consistent with its claimed quality.
RateGuard - Accusation-based attack reaction
• Uses a controlled-accusation mechanism.
• A node, on detecting malicious behaviour, temporarily accuses the
suspected node by flooding an Accusation message through the network.
• This message contains the identity of the accuser node, the identity
of the accused node and the duration of the accusation.
• As long as the accusation is valid, metrics advertised by the accused
node are ignored and the node is not selected as part of the Forwarding
Group.
• To prevent abuse of the accusation mechanism by attackers, a node is
not allowed to issue a new accusation before its previously issued
accusation expires.
• Accused nodes can still act as receivers even though they are excluded
from the Forwarding Group.
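The detection rule and the controlled-accusation reaction above, as an added Python example (not the S-ODMRP authors' code). It assumes the advertised HT metric can be read as an end-to-end delivery probability, a threshold δ of 0.15 and an accusation lifetime of 60 s; the node names and packet counts are constructed for the example.

```python
"""RateGuard-style detection and controlled accusation for a multicast
route. Added example, not the S-ODMRP authors' code. The threshold value,
the reading of the HT metric as a delivery probability, and the sample
measurements are assumptions of this example."""
from dataclasses import dataclass

DELTA = 0.15            # detection threshold δ (assumed value)
ACCUSATION_TTL = 60.0   # accusation duration in seconds (assumed value)


def expected_pdr(route_metric):
    """ePDR derived from the advertised metric. Here the metric is taken
    to be the route's claimed end-to-end delivery probability in [0, 1]."""
    return float(route_metric)


def perceived_pdr(sent, received):
    """pPDR: packets actually received from the upstream over packets the
    source is known to have sent in the measurement window."""
    return received / sent if sent else 0.0


def route_under_attack(route_metric, sent, received, delta=DELTA):
    """Detection rule: ePDR - pPDR > δ means the route does not deliver
    at a rate consistent with its claimed quality."""
    return expected_pdr(route_metric) - perceived_pdr(sent, received) > delta


@dataclass
class Accusation:
    accuser: str
    accused: str
    issued_at: float
    duration: float

    def valid_at(self, now):
        return self.issued_at <= now < self.issued_at + self.duration


class Node:
    def __init__(self, node_id, delta=DELTA):
        self.node_id = node_id
        self.delta = delta
        self.outstanding = None   # at most one live accusation per node
        self.known = []           # accusations flooded through the network

    def observe(self, upstream, route_metric, sent, received, now,
                duration=ACCUSATION_TTL):
        """Measurement-based detection followed by controlled accusation.
        Returns the Accusation message to flood, or None."""
        if not route_under_attack(route_metric, sent, received, self.delta):
            return None
        if self.outstanding is not None and self.outstanding.valid_at(now):
            return None               # previous accusation has not expired
        acc = Accusation(self.node_id, upstream, now, duration)
        self.outstanding = acc
        self.receive_accusation(acc)  # the accuser applies its own accusation
        return acc

    def receive_accusation(self, acc):
        """Called for every Accusation flooded by any node."""
        self.known.append(acc)

    def accused_nodes(self, now):
        return {a.accused for a in self.known if a.valid_at(now)}

    def choose_upstream(self, advertised, now):
        """Pick the best advertised metric, ignoring any node under a
        valid accusation (it is kept out of the Forwarding Group; it may
        still receive multicast data as a plain receiver)."""
        usable = {n: m for n, m in advertised.items()
                  if n not in self.accused_nodes(now)}
        return max(usable, key=usable.get) if usable else None


if __name__ == "__main__":
    r = Node("R1")
    # Upstream M advertised 0.9 but delivered only 40 of 100 packets.
    print(r.observe("M", 0.9, sent=100, received=40, now=0.0))
    print(r.choose_upstream({"M": 0.9, "H": 0.7}, now=10.0))    # H
    print(r.choose_upstream({"M": 0.9, "H": 0.7}, now=100.0))   # M again
```

The one-outstanding-accusation rule in `observe` is what bounds the damage a lying accuser can do: a malicious node can knock at most one honest node out of the Forwarding Group at a time, and only for the declared duration. It is also the reason, as the limitations slide notes later, that the scheme cannot keep up when one attacker presents many identities.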
Metric Poisoning Effect
• To deal with the metric poisoning effect of metric manipulation
attacks, the metric is refreshed throughout the network shortly after
an attack is detected.
• The metric refresh happens automatically through the periodic Join
Query messages.
S-ODMRP Mesh Creation
• The S-ODMRP mesh is created in the same way as the ODMRP-HT mesh.
• The source node S periodically broadcasts a Join Query message to the
entire network in order to refresh the membership information and to
update the routes.
• The Join Query message is signed by S and propagated using the weighted
flood suppression mechanism.
• Nodes only process Join Query messages that carry a valid signature;
this is what keeps an outsider from injecting or altering
mesh-construction messages in a WMN.
S-ODMRP Limitations
• S-ODMRP limits a node to blaming at most one other node at a time.
This assumes that attacker nodes are a minority in the network.
• With many attackers, some will be left unaccused and can continue to
deny service to many receivers through metric manipulation.
• This approach is therefore not usable in a Sybil attack scenario, where
a single attacker presents many identities.
• To overcome this, the Random Key Pre-distribution (RKP) technique is
integrated with S-ODMRP to defend against Sybil attacks.
The Defense Mechanism - RKP
• What we really need: to validate that each identity presented in the
network belongs to exactly one physical node.
• RKP (Random Key Pre-distribution) enables nodes to create secure links
to other nodes.
• RKP works by assigning a random set of keys to each node. In the key
set-up phase, each node discovers the keys it shares with its
neighbours, and a shared key is used as the secret session key for that
link.
• This ensures node-to-node secrecy.
The Defense Mechanism - RKP (contd.)
• At any time, the network is capable of verifying the keys that an
identity claims to possess.
• There is only a very small probability that a fabricated identity will
have a large intersection with a legitimately assigned key set, so it
will not pass the key validation phase.
• Validation can be of two types: direct and indirect.
• In direct validation, each node challenges an identity using the keys
it itself possesses and decides independently of other nodes. Thus not
all nodes necessarily reach the same global decision.
• In indirect validation, a central trusted party does the validation.
Direct v/s Indirect
• The direct approach has less overhead: messages are exchanged only
between the two identities.
• Due to the memory constraints in WMNs, each node has limited knowledge
about the other node that it could use to pose a challenge to its
identity. Hence direct validation offers lower defense performance.
• The indirect approach has more overhead: messages are exchanged between
the nodes and the third party (validator).
• Indirect validation relies on the trusted party, so this tradeoff does
not exist there, and it offers higher defense performance.
Another approach – The Key Pool Approach
• This approach randomly assigns k keys to each node from a pool of m
keys. If two neighbouring nodes find that they share q common keys, they
can set up a secure link.
• To use this scheme against the Sybil attack, each node's identity is
bound to the indices, in sorted order, of the keys that it holds.
• Ω(ID) = {K_β1, K_β2, ..., K_βk} denotes the set of keys assigned to
identity ID, where β_i is the index in the key pool of the i-th key.
• The indices of the keys that ID possesses are given by
β_i = PRF_{H(ID)}(i), where PRF is a pseudo-random function keyed with
H(ID) and H is a hash function. Because the indices are derived from
the identity, an attacker cannot pick an identity and independently pick
which keys it claims to hold.
The Key Pool Approach (contd.)
• For an attacker to construct new identities for the Sybil attack, it
needs to capture genuine nodes and read off their keys, building a
compromised key set S.
• The attacker then tries to fabricate usable Sybil identities. If an
identity ID' passes the initialisation phase and becomes part of the
WMN, it is a usable Sybil identity.
• But a verifier can challenge the identity by requesting it to prove
that it possesses the keys it claims. The rule is: if there exists
K_i ∈ Ω(ID') with K_i ∉ S, and some legitimate entity E in the network
knows K_i, then E can discover that ID' is cheating by challenging ID'
with K_i.
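The key-pool identity check described on the last three slides, as an added Python example (not code from the cited paper). Pool size m, keys per node k, the use of HMAC-SHA256 as the PRF and SHA-256 as H, the derivation of the pool from a fixed master (so the run is reproducible) and all node identifiers are assumptions of this example. It covers both direct validation (a node challenges with only its own keys, so it may be unable to judge) and indirect validation (a trusted party holding the whole pool).

```python
"""Key-pool identity validation against Sybil identities. Added example,
not code from the cited paper. Pool size m, keys per node k, the choice
of HMAC-SHA256 as PRF and SHA-256 as H, the constructed key pool and all
node identifiers are assumptions of this example."""
import hashlib
import hmac
import secrets

M_POOL = 1000      # m: keys in the pool (assumed)
K_PER_NODE = 20    # k: keys assigned to each identity (assumed)

# Constructed key pool: K_j derived from a fixed master so the example is
# reproducible. A deployment would generate m independent random keys.
KEY_POOL = [hashlib.sha256(b"pool-master|" + j.to_bytes(4, "big")).digest()
            for j in range(M_POOL)]


def key_indices(node_id, k=K_PER_NODE, m=M_POOL):
    """beta_i = PRF_{H(ID)}(i): the pool indices an identity is entitled
    to. Since the indices are a function of the ID, an attacker cannot
    choose an ID and separately choose which keys it 'holds'."""
    seed = hashlib.sha256(node_id.encode()).digest()        # H(ID)
    idx, i = [], 0
    while len(idx) < k:                                     # k distinct indices
        tag = hmac.new(seed, i.to_bytes(4, "big"), "sha256").digest()
        beta = int.from_bytes(tag, "big") % m
        if beta not in idx:
            idx.append(beta)
        i += 1
    return sorted(idx)


def issued_keys(node_id):
    """Omega(ID): the keys a legitimately initialised node holds."""
    return {i: KEY_POOL[i] for i in key_indices(node_id)}


def responder(held_keys):
    """Prover side: answer a challenge on index i with HMAC_{K_i}(nonce)
    using whatever key it really holds. An attacker lacking K_i has
    nothing better than a wrong key (an empty one here)."""
    def respond(i, nonce):
        return hmac.new(held_keys.get(i, b""), nonce, "sha256").digest()
    return respond


def validate(verifier_keys, claimed_id, respond):
    """Challenge every index of Omega(claimed_id) that the verifier can
    check. True = all answers correct, False = cheating detected,
    None = the verifier shares no key with the claimed identity."""
    shared = [i for i in key_indices(claimed_id) if i in verifier_keys]
    if not shared:
        return None
    for i in shared:
        nonce = secrets.token_bytes(16)
        expected = hmac.new(verifier_keys[i], nonce, "sha256").digest()
        if not hmac.compare_digest(expected, respond(i, nonce)):
            return False
    return True


def direct_validate(verifier_id, claimed_id, respond):
    """Direct validation: a node uses only its own k keys."""
    return validate(issued_keys(verifier_id), claimed_id, respond)


def indirect_validate(claimed_id, respond):
    """Indirect validation: a trusted party that knows the whole pool."""
    return validate(dict(enumerate(KEY_POOL)), claimed_id, respond)


def sybil_identity_usable(claimed_id, compromised):
    """A fabricated ID' is usable only if every key it must prove lies in
    the attacker's compromised set S (indices of captured keys)."""
    return set(key_indices(claimed_id)) <= set(compromised)


if __name__ == "__main__":
    # Attacker captured two nodes and read off their keys: S.
    S = {**issued_keys("node-17"), **issued_keys("node-42")}
    fake = "sybil-0001"
    print("fabricated ID usable:", sybil_identity_usable(fake, S))
    print("trusted validator, honest node:",
          indirect_validate("node-3", responder(issued_keys("node-3"))))
    print("trusted validator, Sybil ID:", indirect_validate(fake, responder(S)))
    print("direct, node-5 checks node-3:",
          direct_validate("node-5", "node-3", responder(issued_keys("node-3"))))
```

With k = 20 keys out of m = 1000, two captured nodes give the attacker at most 40 indices, and a fabricated identity needs all 20 of its PRF-assigned indices to fall inside those 40, which is why `sybil_identity_usable` comes back False. The direct check can return None when the verifier shares no key with the claimed identity; that is the "limited knowledge" weakness of direct validation the comparison slide refers to, and the reason the trusted-party variant catches the Sybil identity unconditionally.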
Layer 4 Attacks
• Layer 4, the transport layer, is susceptible to Denial of Service
attacks and replay attacks.
• We discuss two security protocols, EMSA and SAE, and the 4-way
handshake used for authentication.
• We then present suggested measures to secure the 4-way handshake using
techniques such as periodic key updates and key hashing.
Mesh Security Systems:
• Security relies on the ability to protect message integrity.
• It requires guaranteeing the confidentiality and authenticity of data
packets.
• This can be achieved using a reliable authentication and association
process.
• Example attack: the black hole attack.
• To secure the network over the long haul, keys are updated periodically
(in detail later).
• Keys are also updated when an active attack has been detected.
Mesh Security Protocols:
• Two major mesh security protocols- EMSA and SAE
• EMSA-Efficient mesh security association
• SAE-Simultaneous authentication of equals
EMSA for Multigate Networks
• Based on the use of a mesh key hierarchy.
• A tree-based routing scheme is used (an extension of the Hybrid
Wireless Mesh Protocol, HWMP).
• The master gateway acts as MA (Mesh Authenticator) and MKD (Mesh Key
Distributor).
• The MKD derives the keys that form the mesh key hierarchy.
• It stores the authentication information of all MPs (Mesh Points).
• Consists of peer link establishment followed by EAP (Extensible
Authentication Protocol).
• A 4-way handshake derives keys between every pair of MPs.
• After the Mesh Key Holder Security Handshake (MKHSH), the supplicant
becomes an MA.
• The 4-way handshake derives the Pairwise Transient Key (PTK, for
unicast messages) and the Group Temporal Key (GTK, for multicast and
broadcast messages).
EMSA for Multigate Networks - contd:
• For an MP to become an MA, the PTK-KD (PTK for Key Distribution) has
to be derived from the KDK (Key Distribution Key).
• It then starts the same process for one of its children.
• If the child is already authenticated, only the Subsequent
Authentication process takes place.
• The process of link establishment continues until each node has a PTK,
a GTK and a PTK-KD.
SAE for Multigate Networks:
• A single password is used by all MPs for authentication.
• No authentication server is involved, unlike EMSA.
• Either one of the pair can initiate the protocol.
• The parties are referred to as MP-A and MP-B and are identified by
their MAC addresses.
• Before the message exchange, both generate the PWE (password element)
from the shared password and the two MAC addresses.
• Two random numbers, rand and mask, are produced and used to complete
SAE.
• After success, both generate a PMK (Pairwise Master Key), which is used
in the 4-way handshake to derive the PTK and GTK.
Periodic key refreshment strategy
• All key materials are updated at regular intervals
• Achieved by initiating EAP or SAE and 4 way handshaking to get
new keys before expiration of current keys
• In EMSA, lifetime of PMK-MKD (Mesh Key Distributor PMK) and KDK
(Key Distribution Key) shouldn’t be more than that of MSK (Master
Session Key)
• Lifetime of PTK and PMK-MA remains same as that of PMK-MKD
• Lifetime of PTK-KD should be same as that of KDK
• Post expiry of the lifetime, each key holder deletes their
respective keys
• Similar conditions on lifetime occur in SAE where PMK and PTK are
bound to Master PMK
• Upon expiration, MP’s operation ends and resumes after successful
security process
Periodic key refreshment strategy
• Leads to disruption of network if lifecycle of keys is short
• If keys are unchanged for longer time, network becomes
vulnerable to attack
• Hence, keys changed dynamically over regular intervals and in case
of active attack
• To update key materials before expiration, existing routes in the
network must be maintained
• If not, each update will cause fresh routing and association of
involved MPs causing significant delays
Key Updating for EMSA and Key Updating for SAE (diagram slides)
Security Improved 4-way handshaking
• Assumption: the PMK is known only to the authenticator and the
supplicant.
• Attacks can occur only before generation of the first PTK, because
link-layer data encryption protects everything after that.
• Hence it all depends on protecting the integrity of the PTK derivation.
• Security is developed and assessed on the assumption of a DoS attack by
the adversary during the 4-way handshake.
• The intruder can forge other MPs' MAC addresses, eavesdrop, and forge
received messages.
• SPA, AA, SNonce and ANonce represent the MAC addresses and nonces of
the supplicant and the authenticator.
• MIC_PTK{} represents the Message Integrity Code computed under the PTK.
Security Improved 4-way handshaking (contd.)
• The first message carries no MIC and is not encrypted, hence it can
easily be tampered with.
• The 4-way handshake can be disrupted by forging Message 1.
• The intruder sends a forged Message 1 after Message 2 has been sent by
the supplicant, forcing it to generate a new PTK different from the
earlier one, so the handshake terminates.
• A multiple-message DoS attack can exhaust the supplicant's memory and
cause significant delays.
• A DoS attack is also possible on Message 3.
• If the intruder sends a forged Message 3 with a fake RSNE (Robust
Security Network Element), it mismatches the original RSNE and the
handshake terminates.
Security measures for 4-way handshake
• Two suggested techniques: Merkle-tree based hashing or a
single-hash-function scheme.
• Either technique is used to protect both Message 1 and Message 3.
• The MA can use a one-way hash function such as SHA-1 or SHA-2.
• A Merkle tree is a binary tree consisting of leaf tokens and internal
nodes.
• Each internal node is the hash of the concatenation of its left and
right children.
• A Merkle tree of height H has 2^H leaf tokens.
• Due to one-wayness, it is computationally infeasible to derive the leaf
tokens from the root of the tree.
Security measures for 4-way handshake (contd.)
• To secure the 4-way handshake, two Merkle trees are considered for
Message 1.
• From the first, the MA derives the root and includes it in the
encrypted Message 1.
• The PMK itself is not present in Message 1.
• The supplicant receives the message, generates the root itself from
its own copy of the PMK and compares it with the received value.
• The one-wayness of the Merkle tree makes it impossible to derive the
PMK from the root.
• To prevent replay attacks, a tree is never reused.
• If the 4-way handshake has to be done again, a new tree is used: a new
root is calculated, encrypted and sent to the supplicant along with the
PMK in Message 3.
• For Message 3, the AA's RSNE can be protected using the first Merkle
tree in a similar fashion.
• A modification: replace the first Merkle tree by a single hash of
Message 1 / Message 3.
• A single hash is not as computationally efficient for authentication as
the Merkle tree.
• The Merkle tree has the flexibility of constructing the second Merkle
tree, which provides protection against replay attacks; a single hash
function does not offer this.
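The Merkle-tree protection of Message 1 (and, by the same construction, of the RSNE in Message 3) described above, as an added Python example and not the paper's implementation. The leaf-token construction (an HMAC under the PMK over AA, SPA, ANonce and optional extra fields such as the RSNE), the tree height, the message layout and the MAC addresses are assumptions of this example; the paper's exact encoding may differ. What it demonstrates is the property the slides rely on: an intruder that spoofs the AA but lacks the PMK cannot produce a root the supplicant will accept, so the forged Message 1 is discarded instead of triggering a fresh PTK, and a captured message cannot be replayed because its tree is never reused.

```python
"""Merkle-tree protection of 4-way-handshake Message 1 (and the RSNE of
Message 3). Added example, not the cited paper's code. The leaf-token
construction, tree height and message layout are assumptions."""
import hashlib
import hmac
import os


def h(data):
    return hashlib.sha256(data).digest()


def leaf_tokens(pmk, aa, spa, anonce, height, extra=b""):
    """2^H leaf tokens t_j = HMAC_PMK(AA || SPA || ANonce || extra || j).
    The PMK enters only through the one-way HMAC, so the tree binds the
    message to the PMK without carrying it (assumed construction)."""
    return [hmac.new(pmk, aa + spa + anonce + extra + j.to_bytes(2, "big"),
                     "sha256").digest() for j in range(1 << height)]


def merkle_root(leaves):
    """Each internal node is H(left || right); returns the root.
    The number of leaves must be a power of two."""
    level = list(leaves)
    assert level and len(level) & (len(level) - 1) == 0
    while len(level) > 1:
        level = [h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def authenticator_message1(pmk, aa, spa, height=3):
    """MA builds a fresh tree (new ANonce, so a tree is never reused)
    and sends its root in Message 1 alongside the plaintext fields."""
    anonce = os.urandom(32)
    root = merkle_root(leaf_tokens(pmk, aa, spa, anonce, height))
    return {"AA": aa, "SPA": spa, "ANonce": anonce, "root": root}


def protect_rsne(pmk, aa, spa, anonce, rsne, height=3):
    """Message 3: same construction with the RSNE as extra input, so a
    forged RSNE changes the root and is rejected the same way."""
    return merkle_root(leaf_tokens(pmk, aa, spa, anonce, height, extra=rsne))


class Supplicant:
    """Supplicant side: recompute the root from its own PMK and the
    received fields; accept only on a match and only for a never-seen
    tree, and only then continue to derive a PTK."""

    def __init__(self, pmk, spa, height=3):
        self.pmk, self.spa, self.height = pmk, spa, height
        self.seen_roots = set()
        self.anonce = None

    def handle_message1(self, msg):
        if msg["SPA"] != self.spa:
            return "reject: not addressed to this supplicant"
        root = merkle_root(leaf_tokens(self.pmk, msg["AA"], msg["SPA"],
                                       msg["ANonce"], self.height))
        if not hmac.compare_digest(root, msg["root"]):
            return "reject: root mismatch (forged Message 1)"
        if root in self.seen_roots:
            return "reject: tree reused (replayed Message 1)"
        self.seen_roots.add(root)
        self.anonce = msg["ANonce"]   # safe to continue and derive the PTK
        return "accept"


if __name__ == "__main__":
    pmk = os.urandom(32)              # known only to MA and supplicant
    aa = b"\x02\x00\x00\x00\x00\x01"  # constructed MAC addresses
    spa = b"\x02\x00\x00\x00\x00\x02"
    sup = Supplicant(pmk, spa)
    genuine = authenticator_message1(pmk, aa, spa)
    print(sup.handle_message1(genuine))            # accept
    forged = dict(genuine, ANonce=os.urandom(32))  # intruder spoofs AA, lacks PMK
    print(sup.handle_message1(forged))             # reject: root mismatch
    print(sup.handle_message1(genuine))            # reject: tree reused
```

Note what the root does and does not give the intruder: it is a single hash value, so observing many Message 1s does not leak the PMK (the leaves are keyed), but it also means that the supplicant must already hold the PMK to check it, which is exactly the assumption the slides state for this scheme.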
Protocol Verification and Results
• To analyse the flaws of the 4-way handshake and the resistance of the
proposed Merkle-tree scheme, ProVerif is used.
• It reconstructs the attacks possible during the handshake process.
• Due to the key refreshment strategy, the PMK, PTK and GTK are
periodically updated.
• More frequent updates mean a less complex Merkle tree, but more
overhead and delay.
• A simulation with three gateways, GW 1, 2 and 3, is run for the EMSA
and SAE protocols.
• A set of MSK/MPMK lifetime values is used to study the overhead caused
by periodic refreshment of keys.
• Multiple updates of the PTK and GTK are performed to mitigate the
vulnerability.
Protocol Verification and Results
• We can see that when no updates are done, nodes stop communication
on PTK key expiry and EMSA or SAE authentications have to be reinitiated
• The performance is only slightly worse than non secure systems when
keys are periodically refreshed
Protocol Verification and Results
• Without periodical updating EMSA and SAE schemes give the worst
performance because re-initiation of authentication pauses data
transfer and causes overhead
• SAE outperforms EMSA due to lower overhead
• The system performance does not degrade significantly with more
frequent key refreshment
Protocol Verification and Results (contd.)
• After applying Merkle-tree based hashing, performance remains
unaffected under the DoS attack.
• Here the PTK, GTK and PMK are automatically updated every 200 s.
• Against the black hole attack, in SAE an intruder cannot be excluded
from the network without changing the password on all MPs and restarting.
• With EMSA the system can remove the intruder with the involvement of
the authentication server, an advantage over SAE.
Conclusion
• Mesh networks are quite popular due to their numerous advantages
but they are susceptible to a variety of attacks
• We discussed layer by layer the attacks that are possible on the
mesh networks
• We discussed in detail- Sybil attacks and defense mechanisms and
then DoS attacks and defense mechanisms for the same
Acknowledgements
The material used in the slides was sourced from the following papers:
• Bin Hu and Hamid Gharavi, "Smart Grid Mesh Network Security Using
Dynamic Key Distribution With Merkle Tree 4-Way Handshaking", IEEE
Transactions on Smart Grid, vol. 5, no. 2, March 2014.
• Jaydip Sen, "Security and Privacy Issues in Wireless Mesh Networks: A
Survey".
• Dhivya J., "Secure Multicast Routing in Wireless Mesh Networks against
Sybil Attack", International Journal of Scientific & Engineering
Research, vol. 5, issue 4, April 2014.
Thank You