WIRELESS MESH NETWORKS

Ian F. AKYILDIZ* & Xudong WANG**

* Georgia Institute of Technology, BWN (Broadband Wireless Networking) Lab
** TeraNovi Technologies



6. SECURITY

Multi-hop Wireless Network Security

Wireless network security designed for one-hop communications is not sufficient for a multi-hop architecture (WMN).

Multi-hop security features:
– Multi-tier security
– Multi-system security

Multi-tier Security

Security covers both the wireless access part (mesh clients towards mesh routers) and the wireless connectivity among mesh routers.
– Mesh routers usually belong to a service provider
– Mesh clients can be any users

The security issue is therefore different from that in any other wireless network (e.g., WLANs or MAN).

The security mechanism among mesh routers must be different from that in the wireless access part.

Multi-system Security

WMNs usually involve inter-operation of multiple wireless networks (e.g., IEEE 802.11, IEEE 802.16, IEEE 802.15).
– Both the security architecture and the security schemes differ greatly from one system to another
– All wireless networks should inter-work smoothly

A scheme is needed so that internetwork communications can be provided seamlessly without compromising security in any of the networks.

Security Attacks in WMNs

Security attacks occur in:
– protocol layers ranging from the physical layer to the transport layer
– protocol planes, including both the data plane and the management/control plane

Attacks in lower protocol layers are more harmful (the protocol stack is built bottom up, so a compromised lower layer undermines every layer above it).

Security Attacks in WMNs

The security of wireless networks can be classified into two types:
– information security
– network security

Attacks in WMNs may:
– target only information security
– focus on network security
– target both

Security Attacks in WMNs

– Channel Jamming:
Directly targets network security by simply attacking the physical layer; thus it is the most brute-force attack.
A WMN can easily be brought down by this type of attack.
Traffic jamming can easily be detected, and is also prohibited by law if a licensed band is considered.
In a shared frequency band, e.g., the ISM band, channel jamming is rather common, simply because the same channel can be selected by different WMNs.

Security Attacks in WMNs

– Unauthorized Access:
Before a node starts to use wireless services, it has to join the network (network association & authentication). This normally occurs in the management plane of the MAC protocol.
If authorization and authentication fail in this process, an unauthorized node can access the network.
This type of attack does not impact network security but information security.

Security Attacks in WMNs

– Eavesdropping:
Common when information is not encrypted. Can be avoided with an adequate encryption scheme.

Security Attacks in WMNs

– Traffic Analysis:
An attack on information security that does no harm to network security.
Usually done in the lower layers (physical and MAC layers).
The information in a traffic flow cannot be accessed, but an attacker can still retrieve meaningful information for his benefit (traffic pattern analysis).
Hard to detect since it is passive and not involved in the network activities of the WMN.

Security Attacks in WMNs

– Message Forgery:
Exploits the security hole in a wireless network where message integrity is not ensured.
Attackers can inject forged messages into the network to cause malfunction of protocols in different layers.
It is a type of attack on network security.
Occurs at protocol layers such as MAC and routing.

Security Attacks in WMNs

– Message Replay:
Even when message integrity is enforced, an attacker can still threaten the network by replaying some authorized messages.
Can also occur in the MAC and routing layers.

Security Attacks in WMNs

– Man-in-the-middle:
An attacker can reside between a mesh client and a mesh router and try to intercept or manipulate the communication between them.
The attack also happens between two mesh routers, e.g., an attacker sets up a rogue mesh router to make other mesh routers or mesh clients communicate with it.
Critical attack: both network and information security can be compromised, and both mesh routers and mesh clients can be impacted.

Counter-Attack Measures

In wireless networks (incl. MAN and WMNs) there are three categories:

1. Encryption and cryptographic protocols:
To ensure security, information flowing through the network is encrypted.
The security key used in the encryption must be exchanged between senders and receivers (key management).
Cryptographic protocols (usually application or transport layer protocols) can be designed on top of the encrypted information to achieve:
• Confidentiality and authorization
• Authentication
• Message Integrity Check (MIC)

Counter-Attack Measures

2. Secure Networking Protocols:
Protocols ranging from the routing layer down to the physical layer should have security counter-attack measures.
In MAN, secure routing protocols are the most widely researched.
A few schemes have been proposed for secure MAC protocols. Research efforts are needed on:
* Secure MAC protocols (more than secure routing)
* Advanced DSP and communication technologies (anti-jamming)

Counter-Attack Measures

3. Security Monitoring and Response Systems:
Needed to detect security attacks, monitor service disruption, and respond quickly to attacks.

Motivations:
• To stop attacks before security is actually broken.
• A wireless network, especially a multi-hop network like a WMN, is exposed to so many attacks that the line of defense still has a chance to be broken; certain actions should then be taken to prevent attacks from further threatening the security of the network.

Security of IEEE 802.11 Wireless LANs

Wired Equivalent Privacy (WEP):
– The first security protocol defined in the 802.11 standard.
– It contains several security flaws, but is still widely used, due to its simplicity.

The 802.11 task group worked on a new security solution until 2004, when the 802.11i security standard was approved and released.

Security of IEEE 802.11 Wireless LANs

Wi-Fi Protected Access (WPA):
– Developed by the WiFi Alliance during the standardization process of 802.11i.
– Based on a draft version of 802.11i.

After the 802.11i standard was finally approved, the WiFi Alliance followed the mandatory requirements of 802.11i and developed another security specification, called WPA2.

Wired Equivalent Privacy (WEP)

The security mechanism of WEP consists of:
– Confidentiality via an RC4 based stream cipher
– CRC based integrity check
– Pre-shared key (PSK) based challenge-response handshake for authentication

Given a key R, the plaintext X of a packet is encrypted into Y as

Y = R ⊕ X (6.1)

Wired Equivalent Privacy (WEP)

If two plaintexts X1 and X2 are encrypted into Y1 and Y2 using the same per-packet key R, then the following interesting result holds:

Y1 ⊕ Y2 = X1 ⊕ X2 (6.2)

This helps malicious users to easily decipher received messages.

A unique key is therefore necessary for each packet.

Wired Equivalent Privacy (WEP)

The key generation function is based on the WEP key K and an initialization vector (IV), i.e., R = RC4(K, IV).

K is mostly static in WEP, so the uniqueness of the RC4 key depends entirely on the IV.

The IV contains 24 bits, and thus an IV is repeated every 2^24 packets.

Packets with the same IV can also help malicious users decrypt received packets. The WEP key K needs to be changed dynamically, or the number of bits for the IV needs to be longer.

Wired Equivalent Privacy (WEP)

Data integrity is achieved by a CRC check.
Effective for detecting bit errors in a packet, but not for authentication.
An attacker can change the contents of a packet without much effort (e.g., flip a bit in the encrypted data and then change the CRC as well), so a better data integrity mechanism is needed.

Wired Equivalent Privacy (WEP)

Authentication between two nodes: challenge-response handshake scheme.

Basic 802.11 standard:
Open system authentication (null authentication algorithm): authentication can always be accomplished between the two nodes.

Wired Equivalent Privacy (WEP)

Shared key authentication:
A node (requester) initiates the authentication exchange to another node (responder) with a request sent using a shared key.
If the responder authenticates the requester, a challenge text is sent back to the requester (encrypted message).

Wired Equivalent Privacy (WEP)

WEP encryption procedure for the challenge text:
K and IV are not sent to the requester.
After copying the challenge text, the requester sends the encrypted data back to the responder, which decrypts the message and compares it with the original one.
Authentication succeeds if they match, and the authentication status is sent back to the requester.

Wired Equivalent Privacy (WEP)

WEP authentication can easily be broken due to the weak protection of the WEP key and the CRC based integrity check.

Wired Equivalent Privacy (WEP)

The basic 802.11 standard specifies authentication and privacy for WLANs:
– Authenticated transmitting node:
1. Gets a packet
2. Generates a CRC as the integrity check value (ICV)
3. Generates an IV and the RC4 key based on the IV and the WEP key
4. Encrypts the packet using the RC4 key
5. Appends the IV to the packet
6. Sends the packet to a destination node

Wired Equivalent Privacy (WEP)

– Authenticated receiving node:
1. Receives the packet
2. Gets the IV and derives the RC4 key
3. Decrypts the packet and checks its integrity
4. If all is fine, the packet is successfully received; otherwise the packet is declared incorrect
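The WEP transmit and receive steps above, together with the keystream-reuse result (6.2), the 24-bit IV wrap-around and the CRC integrity weakness from the earlier WEP slides, as an added Python example; this is not code from the slides or from the authors. It assumes a stand-in keystream (HMAC-SHA256 of K and IV in place of RC4, since only the XOR structure of (6.1) matters here), a 3-byte IV counter prepended to the packet, and a hypothetical keyed ICV, hmac_icv, that exists only to contrast with the CRC ICV. Keys and payloads are constructed sample values.

```python
"""WEP-style packet protection: the transmit/receive pipeline from the
slides, plus the three weaknesses they describe (keystream reuse, IV
repetition, CRC as integrity check).  Added teaching example, not the
authors' code.  RC4 is replaced by a labelled stand-in keystream."""
import hashlib
import hmac
import zlib

IV_BITS = 24
IV_SPACE = 1 << IV_BITS        # 2^24 IVs, after which the IV repeats


def keystream(k: bytes, iv: bytes, n: int) -> bytes:
    """Stand-in for R = RC4(K, IV): n bytes of keystream for this (K, IV)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(k, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_icv(k: bytes, data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext.  Unkeyed, so k is ignored."""
    return zlib.crc32(data).to_bytes(4, "little")


def hmac_icv(k: bytes, data: bytes) -> bytes:
    """Hypothetical keyed ICV (64-bit HMAC tag) for comparison with CRC."""
    return hmac.new(k, data, hashlib.sha256).digest()[:8]


def wep_send(k: bytes, iv_counter: int, x: bytes, icv=crc_icv) -> bytes:
    """Transmit steps 2-5: ICV, IV and key generation, encrypt, prepend IV."""
    iv = (iv_counter % IV_SPACE).to_bytes(3, "big")   # 24-bit IV wraps around
    body = x + icv(k, x)
    return iv + xor(body, keystream(k, iv, len(body)))  # Y = R xor X  (6.1)


def wep_recv(k: bytes, pkt: bytes, icv=crc_icv):
    """Receive steps 2-4: read IV, derive key, decrypt, check integrity.
    Returns the plaintext, or None if the packet is declared incorrect."""
    iv, enc = pkt[:3], pkt[3:]
    body = xor(enc, keystream(k, iv, len(enc)))
    tag_len = len(icv(k, b""))
    x, tag = body[:-tag_len], body[-tag_len:]
    return x if hmac.compare_digest(tag, icv(k, x)) else None


def keystream_reuse_leak(k: bytes, iv_counter: int, x1: bytes, x2: bytes) -> bytes:
    """Eq. (6.2): two packets sent under the same (K, IV) satisfy
    Y1 xor Y2 = X1 xor X2, so the XOR of the plaintexts leaks without K."""
    y1 = wep_send(k, iv_counter, x1)[3:]
    y2 = wep_send(k, iv_counter, x2)[3:]
    n = min(len(x1), len(x2))
    return xor(y1[:n], y2[:n])


def iv_repeats(k: bytes, x: bytes) -> bool:
    """A static K with a 24-bit IV counter produces the identical packet
    again after 2^24 transmissions ('an IV is repeated every 2^24 packets')."""
    return wep_send(k, 0, x) == wep_send(k, IV_SPACE, x)


def crc_is_linear(a: bytes, mask: bytes) -> bool:
    """CRC-32 is affine: crc(a xor m) = crc(a) xor crc(m) xor crc(0...0).
    Anyone can therefore predict how the ICV changes when bits are flipped,
    which is why CRC detects bit errors but cannot authenticate a packet."""
    zeros = bytes(len(a))
    lhs = zlib.crc32(xor(a, mask))
    rhs = zlib.crc32(a) ^ zlib.crc32(mask) ^ zlib.crc32(zeros)
    return lhs == rhs


def tampered_packet_rejected(k: bytes, x: bytes, mask: bytes) -> bool:
    """With a keyed ICV, flipping ciphertext bits leaves a tag the receiver
    cannot match without K, so the packet is declared incorrect."""
    pkt = wep_send(k, 7, x, icv=hmac_icv)
    flipped = pkt[:3] + xor(pkt[3:3 + len(mask)], mask) + pkt[3 + len(mask):]
    return wep_recv(k, flipped, icv=hmac_icv) is None


if __name__ == "__main__":
    K = b"constructed-wep-key"                              # constructed sample key
    X1, X2 = b"GET /index.html ", b"POST /login     "       # constructed payloads
    print(keystream_reuse_leak(K, 5, X1, X2) == xor(X1, X2))  # True
    print(iv_repeats(K, X1))                                  # True
    print(crc_is_linear(X1, b"\x00\x01" + bytes(14)))         # True
    print(tampered_packet_rejected(K, X1, b"\x80"))           # True
```

The receiver logic is shared by both ICV variants, so the only thing separating "CRC detects bit errors" from "the packet is authenticated" is whether the ICV depends on K; that is the gap the slides' MIC and WPA's TKIP close.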

WiFi Protected Access (WPA)

WEP security weaknesses:
– static WEP key
– high frequency of repeating the same IV
– CRC is weak as an integrity check
– too simple authentication

WiFi Protected Access (WPA)

Wireless LAN security improvement (Draft Version 3 of 802.11i): WPA
– Improves encryption by considering two schemes:
1. Larger IV: the key size is increased to 128 bits (48 bits for the IV)
2. Changing security keys through the Temporal Key Integrity Protocol (TKIP): working keys are changed based on a master key after a certain number of packets have been sent (plus a mechanism of per-packet key mixing)

WiFi Protected Access (WPA)

Authentication in WPA can be done either:
– via 802.1X (IEEE 802.1X-2004) authentication, e.g., in enterprise networking
– through a pre-shared key (for scenarios where 802.1X is too expensive), e.g., in a home networking scenario

WiFi Protected Access (WPA)

802.1X is a port-based network access control protocol.
Suitable for any LAN, and provides authentication to devices attached to a LAN port.
– Consists of three key components:
* Authentication server (a Remote Authentication Dial-In User Service (RADIUS) server)
* Authenticator (AP in a wireless LAN)
* Supplicant (client)

WiFi Protected Access (WPA)

802.1X works according to the following procedure:
– Once a supplicant is detected, the authenticator port will be enabled (but in the "unauthorized" state, as only 802.1X authentication related traffic is allowed).
– The authenticator sends an Extensible Authentication Protocol (EAP) request identity to the supplicant.

WiFi Protected Access (WPA)

– The supplicant sends an EAP response to the authenticator.
– The authenticator forwards the received EAP response to the authentication server.

WiFi Protected Access (WPA)

– The authentication server can reject or accept the EAP request, considering the EAP response.
– On accept: the authenticator enables the port so that all traffic is allowed on the given port, i.e., the port is now working in the "authorized" state.
– If the supplicant leaves the system, an EAP log-off message will be sent to the authenticator. The port then enters the "unauthorized" state.
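The 802.1X port procedure just described (port enabled but unauthorized, EAP request/response relayed to the authentication server, authorized on accept, back to unauthorized on EAP log-off), as an added Python example of the authenticator's controlled port; this is not code from the slides or from the authors. The frame representation, the toy authentication server standing in for RADIUS, its credential table and the MAC address are constructed for this example.

```python
"""Authenticator-side 802.1X port state machine.  Added teaching example,
not the authors' code.  The point it demonstrates: while the port is in the
'unauthorized' state only EAPOL frames are processed, data frames are
dropped, and the port is opened solely on an 'accept' verdict from the
authentication server."""
from dataclasses import dataclass, field

EAPOL = "EAPOL"        # 802.1X authentication traffic (EAP over LANs)
DATA = "DATA"          # any other traffic on the port


@dataclass
class Frame:
    kind: str                       # EAPOL or DATA
    src: str                        # supplicant MAC address (constructed)
    payload: dict = field(default_factory=dict)


class AuthenticationServer:
    """Stand-in for the RADIUS server: accepts or rejects an EAP response."""

    def __init__(self, credentials: dict):
        self._credentials = credentials

    def evaluate(self, eap_response: dict) -> str:
        user = eap_response.get("identity")
        ok = self._credentials.get(user) == eap_response.get("secret")
        return "accept" if ok else "reject"


class AuthenticatorPort:
    """One controlled port on the AP.  Only EAPOL passes while unauthorized."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.state = "disabled"             # no supplicant detected yet
        self.supplicant = None
        self.log = []                       # (decision, kind, src) for monitoring

    def detect_supplicant(self, mac: str) -> dict:
        """Port is enabled but unauthorized; send the EAP request identity."""
        self.supplicant, self.state = mac, "unauthorized"
        return {"eap": "request-identity", "to": mac}

    def receive(self, frame: Frame):
        """Relay EAP responses to the server, filter everything else."""
        if self.state == "disabled" or frame.src != self.supplicant:
            self.log.append(("drop", frame.kind, frame.src))
            return None
        if frame.kind == EAPOL:
            return self._handle_eapol(frame.payload)
        if self.state == "authorized":
            self.log.append(("forward", DATA, frame.src))
            return "forwarded"
        self.log.append(("drop", DATA, frame.src))   # port not yet authorized
        return None

    def _handle_eapol(self, eap: dict):
        if eap.get("eap") == "logoff":
            self.state = "unauthorized"                # EAP log-off closes the port
            return "logoff"
        if eap.get("eap") == "response":
            verdict = self.server.evaluate(eap)        # forwarded to the server
            if verdict == "accept":
                self.state = "authorized"              # all traffic now allowed
            return verdict
        return None


def run_session(secret_used: str):
    """Drive one supplicant through the procedure; returns (event, result, state)."""
    server = AuthenticationServer({"alice": "s3cret-constructed"})   # constructed
    port = AuthenticatorPort(server)
    mac = "02:00:00:00:00:01"                                        # constructed
    events = []
    port.detect_supplicant(mac)
    events.append(("data-before-auth", port.receive(Frame(DATA, mac)), port.state))
    resp = Frame(EAPOL, mac, {"eap": "response", "identity": "alice", "secret": secret_used})
    events.append(("eap-response", port.receive(resp), port.state))
    events.append(("data-after-auth", port.receive(Frame(DATA, mac)), port.state))
    events.append(("logoff", port.receive(Frame(EAPOL, mac, {"eap": "logoff"})), port.state))
    events.append(("data-after-logoff", port.receive(Frame(DATA, mac)), port.state))
    return events


if __name__ == "__main__":
    for ev in run_session("s3cret-constructed"):
        print(ev)
```

The `log` list is the monitoring hook: a run of dropped DATA frames from a port that never reaches the authorized state is exactly the kind of event a security monitoring system (category 3 of the counter-attack measures) would want to see.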

WiFi Protected Access (WPA)

Extensible Authentication Protocol (EAP):
– An authentication mechanism can be negotiated via EAP.
– EAP is an authentication framework (not a specific authentication mechanism).
– Provides common functions and a negotiation of a desired authentication mechanism.

WiFi Protected Access (WPA)

– Different authentication mechanisms can be defined.
– Typical EAP based authentication mechanisms include:
* EAP-Transport Layer Security (EAP-TLS) for wireless LAN authentication
* EAP-MD5
* EAP-PSK
* EAP-TTLS

WiFi Protected Access (WPA)

– EAP is not a specific protocol (it only defines message formats): an EAP-based authentication protocol needs to encapsulate EAP messages. In 802.1X, this encapsulation is EAP over LANs (EAPOL).
– In WPA (whether the PMK comes from 802.1X authentication or from the PSK), a 4-way handshake is needed (secure key management and distribution).

WiFi Protected Access (WPA)

The 4-way handshake is responsible for:
– Confirming the existence of the PMK, the liveness of the peers, and the selection of the cipher suite.
– It also generates a fresh pairwise transient key (PTK) for each session and a group transient key (GTK) for multicast applications.

WiFi Protected Access (WPA)

EAPOL-Key frames are used during the 4-way handshake, as shown in the following procedure:

Message 1: The authenticator sends a cryptographic nonce (ANonce) to the supplicant.

Message 2: When the supplicant receives message 1, it creates an SNonce.

Page 42: WIRELESS MESH NETWORKS Ian F. AKYILDIZ* & Xudong WANG** * Georgia Institute of Technology BWN (Broadband Wireless Networking) Lab ** TeraNovi Technologies

4242

Supplicant calculates PTK based on parameters such as Supplicant calculates PTK based on parameters such as ANonceANonce,, SNonceSNonce,, authenticator’s MAC address, and authenticator’s MAC address, and supplicant’s MAC address.supplicant’s MAC address.

In In message 2message 2, the supplicant sends , the supplicant sends SNonceSNonce and and securitysecurity parameters parameters used during association to the used during association to the authenticator.authenticator.

Authentication check for Authentication check for message 2 message 2 is done using the is done using the

key confirmation key (KCK) key confirmation key (KCK) derived in pairwise key derived in pairwise key hierarchy.hierarchy.

WiFi Protected Access (WPA)

Message 3: When the authenticator receives message 2, it verifies the message integrity code. If it is valid, the authenticator sends the security parameters it advertised in beacons and probe responses in message 3.

It also sends the GTK, encrypted with the key encryption key (KEK) derived from the pairwise key hierarchy.

Message 3 is likewise protected by an integrity code under the KCK, which the supplicant must check.

WiFi Protected Access (WPA)

Message 4: When the supplicant receives message 3, it performs the integrity check. If it is valid, it installs the keys and sends message 4 to inform the authenticator that all temporal keys are ready for use.

Message 4 can be lost, so the authenticator may retransmit message 3; a supplicant that accepts the retransmission must not reset the packet number of an already installed PTK, because reusing a nonce under the same key undermines the confidentiality of CCMP.

WiFi Protected Access (WPA)

Two key hierarchies are involved in the 4-way handshake: the pairwise key hierarchy and the group key hierarchy.

In the pairwise key hierarchy, temporal keys are derived from a PMK.
– If 802.1X is used, the PMK is delivered by the authentication server after a successful EAP exchange.
– If a pre-shared key is used, the PMK is derived from the passphrase (PBKDF2 with the SSID as salt).

WiFi Protected Access (WPA)

– Starting from the PMK, the pairwise key hierarchy generates the PTK, which is split into three keys: the KCK (integrity of the handshake messages), the KEK (encryption of key material such as the GTK) and the temporal key (TK) that protects data frames.
– In the group key hierarchy, the GTK is created from parameters such as the group master key (GMK), a group nonce (GNonce) and the authenticator's MAC address.

WiFi Protected Access (WPA)

In the overall procedure of WPA, three security suites are negotiated (they are carried in the RSN information element):

1. The authentication and key management (AKM) suite advertises whether 802.1X or a pre-shared key is used;

2. The group cipher suite defines the data confidentiality protocol for broadcast and multicast communications;

3. The pairwise cipher suite contains a list of data confidentiality protocols for unicast traffic.

WiFi Protected Access (WPA)
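A decoder for the RSN information element that carries these three suites, as an added example in Go (not from the slides). The element layout (element ID 0x30, version, group cipher suite, pairwise suite list, AKM suite list) and the 00-0F-AC suite selector values are from IEEE 802.11i; the sample element and the `Weak` policy that flags anything other than CCMP-128 are constructed for the example, and the older WPA variant (vendor-specific element ID 0xDD) is not handled.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Suite selector names for the IEEE OUI 00-0F-AC; values the slides do not
// mention are reported numerically.
var cipherNames = map[byte]string{1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
var akmNames = map[byte]string{1: "802.1X", 2: "PSK"}

// RSNInfo is the decoded content of an RSN information element.
type RSNInfo struct {
	Version  uint16
	Group    string   // group cipher suite: broadcast and multicast traffic
	Pairwise []string // pairwise cipher suite list: unicast traffic
	AKM      []string // authentication and key management suites
}

func suiteName(names map[byte]string, s []byte) string {
	if s[0] == 0x00 && s[1] == 0x0f && s[2] == 0xac {
		if n, ok := names[s[3]]; ok {
			return n
		}
	}
	return fmt.Sprintf("%02x-%02x-%02x:%d", s[0], s[1], s[2], s[3])
}

// ParseRSNIE decodes the element as carried in beacons, probe responses,
// (re)association requests and messages 2/3 of the 4-way handshake. Every
// length is checked against the element before it is read, so a hostile
// frame cannot make the parser read past the element.
func ParseRSNIE(ie []byte) (RSNInfo, error) {
	var info RSNInfo
	if len(ie) < 2 || ie[0] != 0x30 || int(ie[1]) != len(ie)-2 {
		return info, errors.New("not a well-formed RSN element")
	}
	b := ie[2:]
	if len(b) < 6 { // version (2) and group cipher suite (4) are mandatory
		return info, errors.New("truncated RSN element")
	}
	info.Version = binary.LittleEndian.Uint16(b)
	info.Group = suiteName(cipherNames, b[2:6])
	b = b[6:]
	readList := func(names map[byte]string) ([]string, error) {
		if len(b) < 2 {
			return nil, errors.New("truncated suite count")
		}
		n := int(binary.LittleEndian.Uint16(b))
		b = b[2:]
		if len(b) < 4*n {
			return nil, errors.New("suite list longer than element")
		}
		var out []string
		for i := 0; i < n; i++ {
			out = append(out, suiteName(names, b[4*i:]))
		}
		b = b[4*n:]
		return out, nil
	}
	var err error
	if info.Pairwise, err = readList(cipherNames); err != nil {
		return info, err
	}
	if info.AKM, err = readList(akmNames); err != nil {
		return info, err
	}
	return info, nil // RSN capabilities and a PMKID list, if present, follow in b
}

// Weak lists the cipher suites an operator should no longer accept: anything
// other than CCMP-128 (WEP-40/104, TKIP) in the group or pairwise position.
func Weak(info RSNInfo) []string {
	var w []string
	for _, c := range append([]string{info.Group}, info.Pairwise...) {
		if c != "CCMP-128" {
			w = append(w, c)
		}
	}
	return w
}

func main() {
	// Constructed element: group TKIP (kept for legacy clients), pairwise CCMP-128 and TKIP, AKM PSK.
	ie := []byte{0x30, 0x18, 1, 0, 0, 0x0f, 0xac, 2, 2, 0, 0, 0x0f, 0xac, 4,
		0, 0x0f, 0xac, 2, 1, 0, 0, 0x0f, 0xac, 2, 0, 0}
	info, err := ParseRSNIE(ie)
	fmt.Printf("%+v err=%v\nweak suites: %v\n", info, err, Weak(info))
}
```

The group suite is the weakest link of a mixed-mode network: every client must support it, so an AP that keeps TKIP as the group cipher for one legacy client exposes all broadcast traffic to TKIP's weaknesses even when every unicast session uses CCMP.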

WPA significantly increases the security of wireless LANs, but TKIP was designed as a transitional scheme that keeps the RC4 cipher of WEP so that existing hardware could be upgraded, and weaknesses in it have since been demonstrated.

The Wi-Fi Alliance therefore specified a new version of WPA, called WPA2.

WiFi Protected Access 2 (WPA2)

WPA2 replaces the WPA encryption scheme (TKIP) with an AES-based protocol: Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP).

– CCMP provides data confidentiality, integrity and origin authentication in one construction.
– For integrity and authentication, CCMP uses the cipher block chaining message authentication code (CBC-MAC).
– AES in counter mode (CTR) is used for confidentiality.

WiFi Protected Access 2 (WPA2)

CCMP block size and key size: 128 bits.

Encapsulation procedure: an encrypted MAC Protocol Data Unit (MPDU) is formed by concatenating the MAC header, the CCMP header, the encrypted data and the encrypted MIC.

WiFi Protected Access 2 (WPA2)

– The encrypted data and the MIC are produced by the CCM encryption/MIC calculation.
– Inputs to this step are the plaintext, the constructed nonce, the constructed additional authentication data (AAD) and the temporal key (TK).

WiFi Protected Access 2 (WPA2)

– The AAD carries the MAC header fields that are sent in the clear (with mutable fields masked out), so the MIC also covers the unencrypted header and any modification of it is detected.
– The nonce is constructed from the packet number (PN), the transmitter's MAC address (A2) and the priority field; the receiver rejects frames whose PN does not increase, which gives replay protection.
– The CCMP header is constructed from the PN and the key ID.

WiFi Protected Access 2 (WPA2)

WPA2 keeps 802.1X plus the 4-way handshake as the authentication mechanism.

A totally different ciphering scheme (AES-CCMP instead of RC4-based TKIP) is used in WPA2, so it is not compatible with old wireless LAN cards that lack AES support.

WiFi Protected Access 2 (WPA2)

IEEE 802.11i is a superset of all 802.11 wireless LAN security mechanisms, covering WEP, WPA (TKIP) and WPA2 (CCMP).

Two classes of security algorithms are specified in the 802.11i security framework:

802.11i

1. The first class defines the algorithms for creating and using a robust security network association (RSNA), i.e., the RSNA algorithms. They comprise the following components:
– TKIP
– CCMP
– RSNA establishment and termination procedures, including the use of 802.1X authentication
– Key management procedures

802.11i

2. The second class defines the pre-RSNA algorithms:
– Pre-RSNA security mechanisms include WEP and IEEE 802.11 entity authentication (open system and shared key).
– Pre-RSNA equipment is not capable of creating or supporting an RSNA.

(According to the 802.11i standard, all pre-RSNA security methods except open system authentication have been deprecated; pre-RSNA is implemented only for migration to RSNA security methods.)

802.11i

The RSN information element of certain frames (beacon, probe response, association/reassociation request, messages 2 and 3 of the 4-way handshake) indicates the capability of creating an RSNA.

In an RSNA, two data confidentiality and integrity protocols are specified: TKIP and CCMP.

A device
– that is RSNA compliant is required to support CCMP; TKIP support is optional.
– that supports only WEP can usually be upgraded to TKIP in software, but not to CCMP, which needs AES support in hardware.

802.11i

RSNA authentication can rely on the 802.1X Port Access Entity (PAE) and an authentication server (not defined in 802.11i), or be based simply on a PSK.

The key management procedure involves the 4-way handshake.

802.11i

When 802.1X authentication is used, the specific EAP method in use performs the mutual authentication.

It is critical that this EAP method protects the nodes against man-in-the-middle attacks.
– Many existing EAP methods (e.g., EAP-MD5, which authenticates only the client and derives no keys) do not meet this requirement.

802.11i

When a PSK is used, mutual authentication between any two nodes without exposure to man-in-the-middle attacks is also a requirement (the 4-way handshake provides it only as long as the PSK stays secret).

The security functions form a sublayer at the bottom of the MAC layer. Their focus is on access control and confidentiality of the data link.

802.11i

Security of IEEE 802.16 Wireless MANs

The 802.16 security architecture consists of five components:

1. Encryption:
– Performed only for data payloads (the CRC and the generic MAC header are not encrypted).
– The encryption algorithm used in the original IEEE 802.16 standard is the Data Encryption Standard in Cipher Block Chaining mode (DES-CBC).

Security of IEEE 802.16 Wireless MANs

2. X.509 certificate profile:
– Certificates identify the communicating parties.
– Two certificate types are defined in IEEE 802.16: manufacturer certificates and subscriber station certificates.
– No base station certificates are defined; a base station uses the public key in the manufacturer certificate to verify the subscriber station certificates.


3. Security associations: required to maintain the security state of a connection.
– There are two security associations in IEEE 802.16: the data security association and the authorization security association.
– The data security association protects transport connections between one or more subscriber stations and a base station.
– The authorization security association is shared between a base station and a subscriber station.
– Moreover, a base station uses the authorization security association to configure data security associations on a subscriber station.

Security of IEEE 802.16 Wireless MANs

4. Privacy and key management (PKM): establishes a data security association between a base station and a subscriber station.
– Several message exchanges are needed between a base station and a subscriber station (e.g., when a new key or a new data security association is needed, the base station must send a PKM message to the subscriber station concerned).

Security of IEEE 802.16 Wireless MANs

5. PKM authorization:
– Aims to distribute an authorization token to an authorized subscriber station.
– Several message exchanges are also needed between the base station and the authorized subscriber station.

Security of IEEE 802.16 Wireless MANs

However, all these components contain security flaws:

– The authorization security association is not defined in IEEE 802.16 as precisely as the data security association, so the authorization security association can easily be broken.
– In IEEE 802.16 the BS has no certificate. Thus the subscriber station cannot authenticate the base station and can be compromised by forgery (a rogue base station) or by replay attacks.

Security of IEEE 802.16 Wireless MANs

– Since the authorization security association is weak, the PKM authorization protocol cannot really serve the purpose of authorization, which also undermines PKM as a whole.
– The 802.16 standard also fails to require that the traffic encryption key (TEK) be generated from a uniform probability distribution by a cryptographic-quality random number generator.
– The Data Encryption Standard (DES) used in IEEE 802.16, with its 56-bit key, does not provide strong data confidentiality.

Security of IEEE 802.16 Wireless MANs

Security of Mobile Ad Hoc Networks

MANETs lack efficient and scalable security solutions because their security is easier to compromise:
– vulnerability of channels and nodes in the shared wireless medium
– absence of infrastructure
– dynamic change of network topology

Attacks may advertise false routing updates.

Another type of attack targets packet forwarding:
– the attacker may not change routing tables, but packets on the routing path are delivered to a destination that is not consistent with the routing protocol (or are dropped).

Security of Mobile Ad Hoc Networks

Moreover, an attacker may sneak into the network and impersonate a legitimate node, then fail to follow the required specifications of the routing protocol.

Some malicious nodes may create a wormhole and shortcut the normal flows among legitimate nodes.

The same types of attacks as in routing protocols may also occur in MAC protocols.
– E.g., the backoff procedure and the NAV used for virtual carrier sense in the IEEE 802.11 MAC may be misused by attacking nodes, causing the network to be congested permanently by these malicious nodes.


Attacks in MANETs motivate two types of routing-layer security mechanism: secure routing protocols and secure data forwarding.

Security of Mobile Ad Hoc Networks

Secure routing:

Authentication techniques are applied to the critical fields of routing messages.
– Message authentication codes
  – based on secret keys shared by a pair of nodes, and thus not an appealing option for broadcast messages
  – pairwise secret keys are difficult to establish in ad hoc networks

Security of Mobile Ad Hoc Networks

– One-way key chain
  – a one-way function is used to repeatedly generate the keys for message authentication codes
  – can be used for broadcast messages
  – requires time synchronization and a careful schedule for using keys that have not yet been released

Security of Mobile Ad Hoc Networks
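The one-way key chain with delayed key disclosure, as an added example in Go (not from the slides); it is a construction of the same kind as the TESLA broadcast authentication scheme. The chain, the routing update, the interval numbers and the disclosure delay of one interval are constructed for the example; a real deployment needs loosely synchronized clocks so that the `Safe` condition can be evaluated, which is the time-synchronization requirement the slide mentions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// KeyChain is a one-way hash chain K_n -> K_{n-1} -> ... -> K_0: K_0 is the
// public commitment, and the sender discloses K_1, K_2, ... one interval at a time.
type KeyChain struct{ keys [][]byte }

// NewKeyChain takes K_n from the seed and hashes it n times; keys[i] = K_i.
func NewKeyChain(seed []byte, n int) KeyChain {
	keys := make([][]byte, n+1)
	keys[n] = append([]byte(nil), seed...)
	for i := n - 1; i >= 0; i-- {
		h := sha256.Sum256(keys[i+1])
		keys[i] = h[:]
	}
	return KeyChain{keys}
}

func (c KeyChain) Commitment() []byte { return c.keys[0] }
func (c KeyChain) Key(i int) []byte   { return c.keys[i] }

// Authenticate tags a message sent in interval i with an HMAC under K_i.
func Authenticate(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

const disclosureDelay = 1 // intervals between using K_i and disclosing it

// Pending is a received message buffered until its key is disclosed.
type Pending struct {
	Interval, ReceivedAt int
	Msg, MAC             []byte
}

// Safe is the security condition: the message arrived before the sender
// could have disclosed K_i, so nobody but the sender could have computed the MAC.
func (p Pending) Safe() bool { return p.ReceivedAt < p.Interval+disclosureDelay }

// Receiver needs only the commitment K_0 to verify every later key.
type Receiver struct {
	lastKey   []byte
	lastIndex int
}

// VerifyKey accepts a disclosed K_i if hashing it (i - lastIndex) times
// reaches the last verified key; anyone can check this, nobody can forge it.
func (r *Receiver) VerifyKey(i int, key []byte) bool {
	if i <= r.lastIndex {
		return false
	}
	h := append([]byte(nil), key...)
	for j := r.lastIndex; j < i; j++ {
		s := sha256.Sum256(h)
		h = s[:]
	}
	if !hmac.Equal(h, r.lastKey) {
		return false
	}
	r.lastKey, r.lastIndex = append([]byte(nil), key...), i
	return true
}

// Verify authenticates a buffered message with the most recently verified key.
func (r *Receiver) Verify(p Pending) bool {
	return p.Interval == r.lastIndex && p.Safe() && hmac.Equal(Authenticate(r.lastKey, p.Msg), p.MAC)
}

func main() {
	// Constructed demo: a 10-key chain, a routing update authenticated in
	// interval 3, and its key disclosed in interval 4.
	chain := NewKeyChain([]byte("demo seed, not a real secret"), 10)
	rx := &Receiver{lastKey: chain.Commitment()}
	update := []byte("route update: dest=10.0.0.7 hops=2")
	p := Pending{Interval: 3, ReceivedAt: 3, Msg: update, MAC: Authenticate(chain.Key(3), update)}
	fmt.Println("K_3 verified against commitment:", rx.VerifyKey(3, chain.Key(3)))
	fmt.Println("buffered update authentic:      ", rx.Verify(p))
	// An attacker who learned K_3 from the disclosure forges a message afterwards:
	// the MAC is valid, but the safety condition rejects it.
	late := Pending{Interval: 3, ReceivedAt: 5, Msg: []byte("route update: dest=10.0.0.7 hops=0")}
	late.MAC = Authenticate(chain.Key(3), late.Msg)
	fmt.Println("late forgery authentic:         ", rx.Verify(late))
}
```

The receiver stores nothing secret: a compromised receiver leaks no key, and a receiver that missed some disclosures catches up by hashing a later key back to its last verified one. The price is the buffering and the clock discipline, which is why the slide lists time synchronization as a requirement.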

– Digital signatures based on public-key cryptography
  – public keys are distributed, and messages signed by a sender with its private key can be verified by anyone holding the public key
  – a scalable technique for a large network (even with broadcast messages)
  – the distribution of public keys needs a trustworthy mechanism among nodes (research challenge)

Security of Mobile Ad Hoc Networks

Next key step: security of data forwarding

– Detection of security attacks: watchdog or ACK based.
– Response to security attacks (to protect other parts of the network): network-wide and end-host reaction; the combined scheme is more effective.

Security of Mobile Ad Hoc Networks

Security attacks also frequently occur in the link layer of ad hoc networks.
– The security mechanisms of IEEE 802.11, IEEE 802.15 and IEEE 802.16 can be applied to MANETs, but no satisfactory results are expected (multi-hop and dynamic network topology).

Link-layer security mechanisms for mobile ad hoc networks are still a subject of future research.

Security of Mobile Ad Hoc Networks

Attackers may also sneak into the network by misusing the cryptographic primitives and protocols themselves.

Cryptographic protocols:
– Exchange of information among users occurs frequently.
– Fair exchange protocols depend on a trusted third party (not available in a MANET).

Security of Mobile Ad Hoc Networks

Another exchange scheme, called rational exchange, must be used instead.
– It ensures that a misbehaving party cannot gain anything from misbehavior, and thus has no incentive to misbehave.

Key management is one of the most important tasks for network security (difficult for MANETs because of the lack of a trusted third party or server).

Security of Mobile Ad Hoc Networks

Key management must be performed in a distributed way for MANETs: a self-organizing scheme distributes and manages the security keys, and certificates are stored and distributed by the users themselves.

When the public keys of two users need to be verified, they first merge their local certificate repositories and then look for certificate chains within the merged repositories that can pass this verification.

Security of Mobile Ad Hoc Networks

Security Mechanisms for WMNs: Features and Challenges of a Secure WMN

The security schemes in other wireless networks are helpful for developing security schemes for WMNs.
– However, specific features of WMNs require enhancements to these schemes and also demand new schemes.

Security Mechanisms for WMNs: Features and Challenges of a Secure WMN

The mesh architecture of WMNs, versus the traditional Ethernet connection between APs or base stations (IEEE 802.11 wireless LANs or IEEE 802.16 wireless MANs), imposes two specific requirements on the security of WMNs:

1. multi-hop wireless network security
2. multi-tier security

Security Mechanisms for WMNs: Features and Challenges of a Secure WMN

IEEE 802.11 wireless LAN and IEEE 802.16 wireless MAN security schemes
– only for communications between mesh routers and mesh clients

Communications among mesh routers and the end-to-end communications from one mesh client to another mesh client exhibit
– different security issues from those in the traditional one-hop wireless


Access scenario (IEEE 802.11 wireless LANs or IEEE 802.16 wireless MANs)

New security schemes must be developed for mesh networking among mesh routers and mesh clients.

The security schemes for network access from mesh clients to a mesh router need to be improved.


WMNs encounter both challenges and opportunities (compared to MANETs)

WMNs have several advantages over MANET
– e.g., the minimal mobility of the mesh backbone helps to realize security in a multi-hop wireless network with reasonable effort.


In MANET, due to mobility in all nodes, security is hard to ensure for two reasons:

1. Implementation of a security algorithm is sophisticated (all-mobile network).

2. A security algorithm can be easily broken (no trustworthy node).


A security scheme proposed for MANET should be able to meet the needs of WMNs.

However, two other problems exist:

1. A security scheme developed for MANET is usually too cumbersome for WMNs (much more complicated mobility and related topology changes).

2. Mesh routers in the mesh backbone need to communicate with other mesh routers and also provide wireless services to mesh clients: the routers' dual functionality makes the security schemes of MANET insufficient for WMNs.

Improvement of WMN security schemes is required.


The security mechanism in IEEE 802.11 mesh mode is still in the process of being developed and specified (IEEE 802.11s 2010 draft).

IEEE 802.16 mesh mode has been specified (IEEE 802.16 2004),
– but the security mechanism only considers the scenario of fixed wireless access.

The security mechanism of IEEE 802.16 mesh mode is still mainly built on top of the security layer of PMP mode IEEE 802.16.

The security issues when mobile nodes are also supported by mesh routers have not been considered.


Security of IEEE 802.11s WMN

Existing WMNs still depend on security schemes developed for other wireless networks.
– E.g., currently many IEEE 802.11 based WMNs only adopt WEP as their security mechanism.
– Some of them have been equipped with WPA or are trying to implement IEEE 802.11i security schemes.

None of them have implemented a security mechanism that is really effective for WMNs.


The IEEE 802.11s task group has worked out a security framework for 802.11s WMNs, but it is still subject to revision and approval.

We will present and analyze the latest work of 802.11s security.


Security Framework of 802.11s WMN

The 802.11s WMN security requires the RSNA functionality to be supported; pre-RSNA schemes such as WEP cannot be used.

The RSNA in 802.11s WMN: Mesh Security Association (MSA).
– the security functionalities similar to 802.1X are built into a distributed multihop WMN


There are two types of security key holders:

1. mesh key distributor (MKD)

2. mesh authenticator (MA).

An MP can be MKD and MA, MA, or neither.
– An MP with MA functionality plays the 802.1X authenticator's role.
– An MP without MA functionality plays the 802.1X supplicant's role.
– An MKD can be co-located with an MA, and manages authentication and key distribution for both the MA and a supplicant.


In an 802.11s WMN, there exists one MKD, multiple MAs, and supplicants.

– A supplicant can become an MA after it passes security key holder association with the MKD.


REMARK:

802.1X in MSA does not mean that 802.11s security needs an extra 802.1X authentication server (AS) in the system.
– MSA can operate based on a preshared key (PSK).
– In the case of using an extra 802.1X AS to enhance 802.11s WMN security, an MKD works as a network access server (NAS) client.

NAS client functionality is required for an MKD in 802.11s WMN: the entire security system consists of two 802.1X processes organized hierarchically (802.1X AS and MKD at the upper level, and MKD and MA at the lower level).


Whether using a PSK or a master session key (MSK) (after AS - MKD authentication), a security key hierarchy is established (if the MP passed the initial security authentication through an authenticator MP and the MKD of the mesh network).


An MP's secure link setup with other MPs can be done directly based on this key hierarchy; steps of authentication and key establishment can be omitted.

The key hierarchy consists of two branches:

1. link security branch (for generating keys for a secure link)

2. key distribution branch (for generating keys for key distribution).


1. On the link security branch
– a pairwise master key (PMK) is first derived for the MKD based on a pre-shared key (PSK) or a master session key (MSK).
– PSK is used when 802.1X authentication is not applied; otherwise, an MSK is provided through a successful authentication between the authentication server (AS) and the supplicant MP.
– Based on PMK-MKD, PMKs for MAs, i.e., PMK-MAs, are then derived.
– Key delivery and key management between the MKD and the MA are handled by the mesh key transport and extensible authentication protocol (EAP) message transport protocols.
– With a PMK-MA, an authenticator MP and its supplicant MP mutually derive a pairwise transient key (PTK).


2. On the key distribution branch
– a mesh key distribution key (MKDK) is first derived from the PSK or MSK
– a mesh PTK for key distribution (MPTK-KD) is derived mutually by an authenticator MP (after it becomes an MA) and the MKD.


In an 802.11s WMN, the support of MSA is advertised by MPs in the Mesh Security Capability Information Element (MSCIE) of beacon or probe response frames.


* MSCIE contains the mesh security capability field (element ID and length field) and:

1. MKD domain ID (MKDD-ID): It is set to zero unless the MP implements the MKD function or it has received the MKDD-ID from an MKD during the mesh key holder security handshake


2. Mesh security configuration

Consists of three subfields and one reserved field.

Mesh authenticator bit:
• If this bit is set to one, then the MP is configured to play the IEEE 802.1X authenticator role during the MSA handshake.
• Otherwise, it works as an 802.1X supplicant.


Connected to MKD bit:
• If an MP has completed a security association with the MKD and has a valid path to the MKD, then this bit is set to one.
• Otherwise, it is set to zero.
• If the mesh authenticator bit is set to zero, this bit should be set to zero.
• For an MP with both MKD and MA functionalities, if the mesh authenticator bit is set to one, then this bit should be one too.


Default role negotiation bit:
• If this bit is set to one, a default mesh role determination scheme is used.
• Otherwise, a proprietary scheme is applied.
• When the MKDD-ID field is zero, both the mesh authenticator bit and the connected to MKD bit need to be zero.

- MSCIE is also used in mesh key holder security handshake frames.


An MP that wants to authenticate with other MPs using MSA
– needs to advertise its security policy by inserting an RSN information element (RSNIE) into beacon or probe response frames (since MSA is built on top of RSNA).


* RSNIE (it is the same as that defined in 802.11i)
- It contains information on the group cipher suite, pair-wise cipher suite, AKM suite, RSN capability, and PMK-ID.
– A group cipher suite is specified in RSNIE for protecting multicast/broadcast frames.
– The list of cipher suites supported in the RSN is specified by the cipher suite count and cipher suite list fields.
– The list of supported AKM suites and valid PMK-IDs are specified in a similar way.


MSCIE and RSNIE also exist in peer link open and peer link confirm messages.
– these two messages include an MSA handshake information element (MSAIE), consisting of five major fields for authentication: handshake control, MA-ID, selected authentication and key management (AKM) suite, selected pair-wise cipher suite, and optional parameters.


In the handshake control field, if the first bit is set to one, it indicates that the MP requests authentication during the initial MSA authentication procedure. Other bits are reserved for future use.

MA-ID is actually the MAC address of the MA; it is used by a supplicant MP to derive the mesh authenticator PMK (PMK-MA).

The selected AKM suite contains information on the authentication type and key management type used for link security (e.g., it tells whether authentication is based on 802.1X or PSK).


Whether MSA uses RSNA Key Management

Whether MSA uses RSNA key management is also specified in the AKM suite.

The selected pair-wise cipher suite indicates the cipher suite used for securing a link.

Whether the ciphering scheme uses WEP, TKIP, or CCMP can be found from the pair-wise cipher suite.


If an MP wants to be part of MSA, it needs to select CCMP as the cipher suite, since the default cipher suite of RSNA is CCMP.

The optional parameters field contains information of variable length.
– Different parameters can be sent in this field and are identified through different sub-element IDs. For example, MKDD-ID and EAP transport mechanisms are two parameters included in this field.


It should be noted that MSCIE, RSNIE, and MSAIE are all contained in the MSA 4-way handshake using EAPOL-Key frames, more specifically in 4-way handshake message 2 and message 3.


Security Architecture


The entire security architecture of IEEE 802.11s WMN is shown in the next slide.

There are three types of mesh nodes involved in a mesh security system of 802.11s:
– MKD
– MA
– The supplicant


There is only one MKD with which multiple MAs are associated.

A supplicant performs security authentication through MAs.

The set of MAs, supplicants and the single MKD form an MKD Domain (MKDD).
– Optionally, the MKD is connected to an AS through which 802.1X authentication is executed.


When an MP in an 802.11s secure network needs to establish a secure link with a peer MP:
– Step 0 - Peer link setup procedure: the role of an MP is determined and the security policy is selected.
Whether an MP and its peer MP are an 802.1X authenticator or the supplicant MP is determined in the peer link management:
If only one MP has already been an MA, this MP is usually selected as an 802.1X authenticator, while the other one is an 802.1X supplicant.


If both MPs have zero in the "Connected to MKD" bit, then the MP with a larger MAC address or the selector MP is the 802.1X authenticator.

If both MPs have one in the "Connected to MKD" bit, then the MP that requests authentication is the supplicant.

Otherwise, if both request or neither requests authentication, then the selector MP is the 802.1X authenticator.
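The MSCIE consistency rules and the Step 0 default role determination rules above, as an added example that is not from the slides or the 802.11s draft: a peer whose advertisement breaks the MSCIE rules is rejected before any role is assigned. The dataclass fields, the reading of "already an MA" as the connected-to-MKD bit, and how the selector MP is chosen are assumptions.

```python
"""MSCIE consistency checks and default role determination for 802.11s peer link setup.

Added example (hypothetical code, not from the slides or the 802.11s draft): field names
follow the slides; the frame encoding, how the selector MP is chosen, and reading
"already an MA" as the connected-to-MKD bit are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class MSCIE:
    """Mesh Security Capability IE as advertised in beacon / probe response frames."""
    mkdd_id: bytes                   # zero unless the MP is an MKD or learned it from one
    mesh_authenticator: bool         # configured for the 802.1X authenticator role
    connected_to_mkd: bool           # completed an SA with the MKD and has a valid path
    default_role_negotiation: bool   # one = default scheme, zero = proprietary scheme
    implements_mkd: bool = False     # local knowledge about the sender, not a wire field


def mscie_violations(ie: MSCIE) -> List[str]:
    """Rules from the MSCIE definition that this advertisement breaks ([] = consistent).

    A peer whose beacon breaks them is misconfigured or lying about its role,
    so a defender-side MP should log it and refuse to negotiate.
    """
    problems = []
    zero_mkdd = ie.mkdd_id == bytes(len(ie.mkdd_id))
    if ie.connected_to_mkd and not ie.mesh_authenticator:
        problems.append("connected-to-MKD set while mesh authenticator bit is zero")
    if ie.implements_mkd and ie.mesh_authenticator and not ie.connected_to_mkd:
        problems.append("MKD+MA node with authenticator bit set must set connected-to-MKD")
    if zero_mkdd and (ie.mesh_authenticator or ie.connected_to_mkd):
        problems.append("MKDD-ID is zero but authenticator or connected-to-MKD bit is set")
    return problems


@dataclass(frozen=True)
class Peer:
    mac: bytes
    mscie: MSCIE
    requests_auth: bool   # first bit of the MSAIE handshake control field


def default_roles(local: Peer, remote: Peer, selector_is_local: bool) -> Tuple[Peer, Peer]:
    """Return (authenticator, supplicant) under the default role determination scheme."""
    for p in (local, remote):
        bad = mscie_violations(p.mscie)
        if bad:
            raise ValueError(f"inconsistent MSCIE from {p.mac.hex(':')}: {bad}")
        if not p.mscie.default_role_negotiation:
            raise ValueError("peer uses a proprietary role scheme, default scheme not applicable")
    selector, other = (local, remote) if selector_is_local else (remote, local)
    a, b = local.mscie.connected_to_mkd, remote.mscie.connected_to_mkd
    # Exactly one MP is already an MA (read as: connected to the MKD): it authenticates.
    if a != b:
        return (local, remote) if a else (remote, local)
    # Neither is connected to the MKD: the larger MAC address is the authenticator
    # (the slides also allow the selector MP here; the MAC rule is used).
    if not a:
        return (local, remote) if local.mac > remote.mac else (remote, local)
    # Both are connected: the MP that requests authentication is the supplicant ...
    if local.requests_auth != remote.requests_auth:
        return (remote, local) if local.requests_auth else (local, remote)
    # ... and when both or neither request it, the selector MP is the authenticator.
    return (selector, other)
```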


– Step 1 – MSA authentication:
Depends on whether this MP has established a secure link with a peer MP before: If no such secure link was set up before within the same MKDD, a procedure of initial MSA authentication is needed to set up the mesh key hierarchy.


• Step 1.1: the authenticator MP initiates the 802.1X authentication with the supplicant MP using EAPOL messages in 802.11 data frames.

• Step 1.2: The 802.1X message may be transported between the MA and the MKD, so an EAP message transport protocol is defined between the MKD and the authenticator MP.

• Upon successful completion of 802.1X authentication, the MKD receives the MSK and then generates PMK-MKD and PMK-MA.

* If no 802.1X authentication is needed, the PSK is used to generate PMK-MKD and PMK-MA.


– Step 2: the 802.1X authenticator MP establishes a mesh key holder security association with the MKD:
Encryption keys for security key distribution between the MA and the MKD are derived (unless the authenticator MP has already been an MA and established a security association with the MKD).

Page 123:

Security Architecture

– Step 3: the MKD delivers the PMK-MA to the MA using a mesh key transport protocol.

Page 124:

Security Architecture

– Step 4: the MSA authentication proceeds with an MSA 4-way handshake using the existing mesh key hierarchy to set up a PTK between the MA and the supplicant MP.

– After the 4-way handshake, the two MPs can initiate the group key handshake procedure to update their GTK.

Page 125:

Detailed Procedures of Major Function Blocks

Peer Link Setup and Initialization

When an MP needs to establish a secure link with a peer MP, a peer link setup procedure is first executed.

During this procedure, many security parameters are verified (the security policy, security role, AKM suite, etc.).

The AKM suite and pairwise cipher suite are selected by a selector MP.

The peer link management procedure is not designed solely for MSA, but for the general purpose of maintaining a link between an MP and its peer or candidate peer MP.

Page 126:

Detailed Procedures of Major Function Blocks

There are two modes of setting up such a link:

– Passive: a local MP listens to the peer link open messages from candidate peer MPs. If it can set up a link to a candidate peer MP, it sends a peer link confirm message back to the candidate peer MP.

– Active: the local MP actively sends a peer link open message in which the MAC of the candidate peer MP is specified. The MP that receives such a message shall send back a peer link confirm message to the candidate peer MP.

Page 127:

Peer Link Setup and Initialization

Because of the two modes, a local MP needs to both send and receive peer link open and peer link confirm messages in MSA.

When it sends a peer link open message to the candidate peer MP, RSNIE, MSCIE, and MSAIE must be configured and included in this message:

Page 128:

Peer Link Setup and Initialization

RSNIE:

– Configured the same as the RSNIE in beacon or probe response frames of this MP, except that the PMK-ID field needs to be configured to include the PMK-MA Name for both sender and receiver if a previous PMK-MA has been established.

– For the PMK-MA Name of the sender, this field is empty if no PMK-MA exists or the local MP requests initial MSA authentication;

– otherwise, it contains the PMK-MA Name of the mesh key hierarchy created during the previous initial MSA authentication.

– For the PMK-MA Name of the receiver, this field contains a valid PMK-MA Name created by the candidate peer MP during its previous initial MSA authentication.

Page 129:

Peer Link Setup and Initialization

MSCIE: this field is set exactly the same as that in beacon or probe response frames.

MSAIE: all fields are set to zero except:

– Request Authentication: one if the local MP requests initial MSA authentication, zero if RSNIE contains PMK-ID entries.

– AKM Suite: if the local MP is a selector MP, this subfield contains the AKM suite selected by the local MP.

– Pairwise Cipher Suite: if the local MP is a selector MP, this subfield contains the pairwise cipher suite selected by the local MP.

– PMK-MKD Name: this subfield exists if the PMK-MA Name of the sender is present in RSNIE.

Page 130:

Peer Link Setup and Initialization

When the local MP receives such a message, it should verify the following information:

– Default Role Negotiation in MSCIE: this field in the MSCIE of the received message must be identical to the one in the MSCIE of the local MP's beacons or probe responses.

– Group Cipher Suite in RSNIE: check if this group cipher suite is supported.

– List of AKM Suite and Pairwise Cipher Suite in RSNIE: check if the local MP's supported AKM suite and pairwise cipher suite are included in the list.

– Selected AKM Suite and Pairwise Cipher Suite in MSAIE: if the local MP is not a selector MP, it needs to verify that these suites can be supported.

Page 131:

Peer Link Setup and Initialization

If the verification fails, then the local MP shall trigger an event of closing the link.

Otherwise, it needs to check if a peer link confirmation has been received.

If so, then the local MP should make sure all major fields in RSNIE, MSCIE, and MSAIE of these two messages match each other.

Page 132:

Peer Link Setup and Initialization

After this check, additional operations are carried out, such as the role selection procedure.

Once the peer link open message is successfully processed, the local MP continues with the next step according to the finite state machine of peer link management.

Page 133:

Peer Link Setup and Initialization

When a peer link confirmation message is sent, RSNIE, MSCIE, and MSAIE are configured as follows:

RSNIE

– Except for the PMK-ID list, the RSNIE of this message needs to be the same as that of this local MP's peer link open message or beacon and probe response frames.

– If initial MSA authentication will happen after peer link setup, the PMK-ID list is empty.

– Otherwise, it includes the PMK-MA Name chosen in the key selection procedure.

MSCIE: it must be the same as that in this local MP's peer link open message or beacon and probe response frames.

Page 134:

Peer Link Setup and Initialization

MSAIE:

– Except for the following subfields, all other subfields are set to zero.

– Request Authentication: set to one if the local MP requests initial MSA authentication.

– MA-ID: contains the MAC address of the 802.1X authenticator.

– AKM Suite and Pairwise Cipher Suite: shall be the same as those in the peer link open messages, or selected from those supported by both the local MP and the peer MP.

Page 135:

Peer Link Setup and Initialization

– Optional Parameter List: if the local MP is an 802.1X authenticator, the MKD-NAS-ID needs to be present in the parameter list.

If the local MP requests initial MSA authentication and also plays the 802.1X authenticator's role, the MKD-ID in the parameter list shall contain the identifier of the MKD with which the local MP has a security association.

The EAP transport list shall be specified.

Page 136:

Peer Link Setup and Initialization

When the local MP receives a peer link confirmation message, it follows a different procedure to process this message depending on whether a peer link open message has been received.

Page 137:

Peer Link Setup and Initialization

If a peer link open message has been received, the peer link confirmation message is processed as follows:

– MSCIE and Handshake Control in MSAIE: must be identical to those received in the peer link open message.

– RSNIE: the PMKID list must match the local MP's key selection procedure. Other subfields must be the same as those in the RSNIE of the peer link open message.

– MA-ID in MSAIE: the role of 802.1X authenticator needs to match the role selection procedure.

– AKM Suite and Pairwise Cipher Suite: must be the same as those in the peer link open message.

Page 138:

Peer Link Setup and Initialization

Otherwise, the selected AKM suite and pairwise cipher suite need to be verified.

Such suites need to be supported by the local MP.

Additionally, if the local MP is a selector MP, they need to match those selected by this local MP.

After peer link management, the local MP and its peer MP are selected as either an 802.1X authenticator or a supplicant.

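The receive-side checks of slides 130 and 131 (peer link open) and slides 137 and 138 (peer link confirm), as an added example in Python that is not part of the original slides or of any 802.11s implementation. The RSNIE/MSCIE/MSAIE models, the LocalMP state and the suite labels such as "akm-8021x" and "ccmp" are constructed placeholders, not the standard's encodings.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class RSNIE:
    group_cipher: str
    akm_suites: tuple          # AKM suites the sender supports
    pairwise_ciphers: tuple    # pairwise cipher suites the sender supports
    pmkid_list: tuple = ()     # PMK-MA Names; empty before initial MSA authentication


@dataclass(frozen=True)
class MSCIE:
    default_role_negotiation: bool
    mkdd_id: str = ""


@dataclass(frozen=True)
class MSAIE:
    request_authentication: int = 0
    selected_akm: str = ""         # filled in by a selector MP
    selected_pairwise: str = ""
    handshake_control: int = 0
    ma_id: str = ""                # MAC address of the 802.1X authenticator


@dataclass(frozen=True)
class PeerLinkMsg:
    rsnie: RSNIE
    mscie: MSCIE
    msaie: MSAIE


@dataclass
class LocalMP:
    """Local state the checks refer to (constructed for this example)."""
    beacon_mscie: MSCIE
    group_ciphers: frozenset
    akm_suites: frozenset
    pairwise_ciphers: frozenset
    is_selector: bool
    chosen_akm: str = ""              # selection made when acting as selector MP
    chosen_pairwise: str = ""
    key_selection_pmkids: tuple = ()  # result of the local key selection procedure
    authenticator_mac: str = ""       # result of the role selection procedure


def verify_peer_link_open(local: LocalMP, msg: PeerLinkMsg) -> List[str]:
    """Checks on a received peer link open message; an empty list means pass,
    otherwise the local MP triggers the close-link event."""
    failed = []
    if msg.mscie.default_role_negotiation != local.beacon_mscie.default_role_negotiation:
        failed.append("Default Role Negotiation differs from local MSCIE")
    if msg.rsnie.group_cipher not in local.group_ciphers:
        failed.append("group cipher suite not supported")
    if not local.akm_suites.intersection(msg.rsnie.akm_suites):
        failed.append("no supported AKM suite in RSNIE list")
    if not local.pairwise_ciphers.intersection(msg.rsnie.pairwise_ciphers):
        failed.append("no supported pairwise cipher suite in RSNIE list")
    if not local.is_selector:
        # The peer is the selector MP; its choices must be ones this MP supports.
        if msg.msaie.selected_akm not in local.akm_suites:
            failed.append("selected AKM suite not supported")
        if msg.msaie.selected_pairwise not in local.pairwise_ciphers:
            failed.append("selected pairwise cipher suite not supported")
    return failed


def verify_peer_link_confirm(local: LocalMP, confirm: PeerLinkMsg,
                             opened: Optional[PeerLinkMsg] = None) -> List[str]:
    """Checks on a received peer link confirm message. `opened` is the peer
    link open message already received from the same peer, if any."""
    failed = []
    selected = (confirm.msaie.selected_akm, confirm.msaie.selected_pairwise)
    if opened is None:
        # Slide 138: no open message seen yet, so only the selection is checked.
        if selected[0] not in local.akm_suites or selected[1] not in local.pairwise_ciphers:
            failed.append("selected suites not supported locally")
        if local.is_selector and selected != (local.chosen_akm, local.chosen_pairwise):
            failed.append("selected suites differ from this selector MP's choice")
        return failed
    # Slide 137: the confirm must agree with the open message and local decisions.
    if confirm.mscie != opened.mscie:
        failed.append("MSCIE differs from peer link open message")
    if confirm.msaie.handshake_control != opened.msaie.handshake_control:
        failed.append("Handshake Control differs from peer link open message")
    if confirm.rsnie.pmkid_list != local.key_selection_pmkids:
        failed.append("PMKID list does not match local key selection")
    if replace(confirm.rsnie, pmkid_list=()) != replace(opened.rsnie, pmkid_list=()):
        failed.append("RSNIE subfields differ from peer link open message")
    if confirm.msaie.ma_id != local.authenticator_mac:
        failed.append("MA-ID contradicts role selection")
    if selected != (opened.msaie.selected_akm, opened.msaie.selected_pairwise):
        failed.append("selected suites differ from peer link open message")
    return failed
```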
Page 139:

Initial MSA Authentication

If initial MSA authentication is requested by the supplicant MP during the peer link management procedures, a key hierarchy needs to be created after peer link management is done.

Page 140:

802.1X Authentication for Creating Mesh Key Hierarchy

If 802.1X authentication is required by the negotiated AKM suite, EAPOL messages are exchanged to perform 802.1X authentication.

The authenticator MP initiates the 802.1X message exchange with the supplicant MP via EAPOL frames sent in IEEE 802.11 data frames.

Page 141:

802.1X Authentication for Creating Mesh Key Hierarchy

When it is properly configured, the MA starts with the first EAP message.

If the authenticator MP is not configured to send the first EAP message, it requests the EAP message from the AS.

– The authenticator MP does so by constructing an EAP encapsulation request message and then sending it to the MKD.

– Such a message is an EAP encapsulation MSA mesh action frame but does not contain an EAP message subfield.

Page 142:

802.1X Authentication for Creating Mesh Key Hierarchy

When the authenticator MP receives an EAP message from the supplicant MP, this message is encapsulated into an EAP encapsulation MSA mesh action frame and sent to the MKD.

When the MKD receives an EAP message from the AS destined for the supplicant, this message is also encapsulated into an EAP encapsulation MSA mesh action frame and sent to the authenticator MP.

Page 143:

802.1X Authentication for Creating Mesh Key Hierarchy

When the AS informs the MKD of accepting or rejecting the supplicant's access, the MKD sends to the authenticator MP the final EAP encapsulation MSA mesh action frame that contains the status of EAP authentication.

This final action frame is also called an EAP encapsulation response message.

When the authenticator MP receives this message, if EAP authentication succeeded, the supplicant is granted access;

otherwise, the authenticator shall close the peer link with the supplicant.

Page 144:

PSK for Creating Mesh Key Hierarchy

If 802.1X authentication is not needed, then the key hierarchy is created directly from the PSK.

No EAP message transport is involved in this case.

Page 145:

Mesh Key Holder Security Association

Purposes of carrying out the mesh key holder security association:

1. An MP that is selected as an 802.1X authenticator can begin to operate as an MA after completing a security association with the MKD.

2. Message integrity and data origin authenticity can be ensured for all messages exchanged between the MA and the MKD after the security association is established.

3. An encryption scheme is provided to protect the derived keys and their contexts delivered from the MKD to the MA.

Page 146:

Mesh Key Holder Security Association

Consists of two phases:

1. MKD discovery: if the MP is not an MKD, it needs to obtain the MKD-ID from the MSAIE of a peer link confirm message.

Page 147:

Mesh Key Holder Security Association

2. Mesh key holder security handshake:

– With a discovered MKD, the security handshake process is started by the MP that has successfully finished initial MSA authentication.

– At this stage, the MP is called an "aspirant MA".

– The aspirant MA sends handshake message 1 to the MKD.

– In this message, the EAP transport mechanism selected by the aspirant MA is included.

Page 148:

Mesh Key Holder Security Association

– Upon receiving message 1, the MKD verifies whether the EAP transport mechanism can be supported: if it is not supported, the handshake fails. Otherwise, the MKD chooses an MKD-Nonce and derives the mesh pairwise transient key for key distribution (MPTK-KD) based on the MKD-Nonce and the MA-Nonce in message 1.

– The MKD then sends handshake message 2 to the aspirant MA.

– After message 2 is received, the aspirant MA derives the MPTK-KD.

Page 149:

Mesh Key Holder Security Association

– If no problem is found in the received message 2, the aspirant MA sends handshake message 3 to the MKD and completes the entire mesh key holder security handshake process.

– After this process is successfully done, the aspirant MA becomes an MA and sets the "Mesh Authenticator" bit and the "Connected to MKD" bit in the MSCIE of its beacons or probe responses to one.

– The MSCIE shall also contain the MKDD-ID received from the MKD in handshake message 2.

Page 150:

Mesh Key Holder Security Association

– The MA shall maintain a mesh path to the MKD.

– If the path is lost, the "Connected to MKD" bit needs to be set to zero, but the MA can still play the 802.1X authenticator role using cached keys.

– Upon deriving the MPTK-KD, both the MKD and the MA shall reset the replay counter that is used for mesh key transport.

Page 151:

Mesh Key Transport from MKD to MA

The mesh key transport protocol completes two tasks:

1. Securely deliver the derived PMK-MA and its related information from the MKD to the MA.

– Two mechanisms are specified:

Pull protocol:

- initiated by the MA by sending a request message to the MKD.

- Upon receiving such a request, the MKD sends back the derived PMK-MA.

Push protocol:

- the MKD sends the PMK-MA to the MA without solicitation.

- However, the MKD needs to receive a confirmation message from the MA.

Page 152:

Mesh Key Transport from MKD to MA

2. Request the MA to delete a previously delivered PMK-MA:

– The MKD initiates the process by sending a key deletion request to the MA.

– The MA deletes the key upon receiving this message and shall send back a confirmation message to the MKD.

Page 153:

Mesh Key Transport from MKD to MA

In all three mechanisms, the MKD and the MA maintain different replay counters.

– The replay counter is incremented by the initiator of each mechanism and is attached to the first message.

– The recipient verifies that the counter has not been used by a previous first message.

– If it was used before, then the message is discarded.

– Since both the MKD and the MA may be an initiator, both maintain a replay counter.

Page 154:

Mesh Key Transport from MKD to MA

In all messages of the mesh key transport protocol, a MIC is included for integrity protection.

In addition, in both the pull and push protocols, the PMK-MA is encrypted.

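The mesh key holder handshake of slides 147 to 150 and the replay-protected key transport of slides 151 to 154, as an added example that is not from the slides or from any 802.11s implementation. It assumes HMAC-SHA256 both as the MPTK-KD derivation and as the MIC, uses constructed identifiers and keys, and leaves out the encryption of the PMK-MA, so only the integrity and replay-counter behaviour is modelled.

```python
import hashlib
import hmac
import secrets


def derive_mptk_kd(pmk_mkd: bytes, ma_nonce: bytes, mkd_nonce: bytes,
                   ma_id: bytes, mkd_id: bytes) -> bytes:
    """MPTK-KD from the MA-Nonce (message 1) and MKD-Nonce (message 2).
    Assumed construction; the slides only say both nonces go in."""
    data = b"MPTK-KD" + ma_nonce + mkd_nonce + ma_id + mkd_id
    return hmac.new(pmk_mkd, data, hashlib.sha256).digest()


class KeyHolder:
    """Mesh key transport state held by either an MKD or an MA."""

    def __init__(self, ident: bytes):
        self.ident = ident
        self.mptk_kd = b""
        self.tx_counter = 0          # this side's counter when it is the initiator
        self.seen_counters = set()   # counters already used in the peer's first messages

    def install_mptk_kd(self, key: bytes) -> None:
        self.mptk_kd = key
        self.tx_counter = 0          # both sides reset replay counters on deriving MPTK-KD
        self.seen_counters = set()

    def mic(self, *parts: bytes) -> bytes:
        return hmac.new(self.mptk_kd, b"".join(parts), hashlib.sha256).digest()[:16]

    def initiate(self, body: bytes) -> dict:
        """First message of a pull, push or delete exchange: fresh counter plus MIC."""
        self.tx_counter += 1
        ctr = self.tx_counter.to_bytes(4, "big")
        return {"counter": self.tx_counter, "body": body, "mic": self.mic(ctr, body)}

    def accept_first(self, msg: dict) -> bool:
        """Recipient: check the MIC, then discard a counter used by an earlier first message."""
        ctr = msg["counter"].to_bytes(4, "big")
        if not hmac.compare_digest(self.mic(ctr, msg["body"]), msg["mic"]):
            return False
        if msg["counter"] in self.seen_counters:
            return False
        self.seen_counters.add(msg["counter"])
        return True

    def respond(self, first: dict, body: bytes) -> dict:
        ctr = first["counter"].to_bytes(4, "big")
        return {"counter": first["counter"], "body": body, "mic": self.mic(ctr, body)}

    def accept_response(self, first: dict, resp: dict) -> bool:
        ctr = resp["counter"].to_bytes(4, "big")
        return (resp["counter"] == first["counter"]
                and hmac.compare_digest(self.mic(ctr, resp["body"]), resp["mic"]))


def key_holder_handshake(ma: KeyHolder, mkd: KeyHolder, pmk_mkd: bytes,
                         eap_transport: str, mkd_transports: set, mkdd_id: bytes):
    """Three-message mesh key holder security handshake. Returns the MKDD-ID the
    new MA must advertise in its MSCIE, or None if the handshake fails."""
    # Message 1 (aspirant MA -> MKD): MA-Nonce and the selected EAP transport.
    ma_nonce = secrets.token_bytes(32)
    if eap_transport not in mkd_transports:
        return None                  # transport unsupported: handshake fails
    # MKD picks MKD-Nonce, derives MPTK-KD and protects message 2 with it.
    mkd_nonce = secrets.token_bytes(32)
    mkd.install_mptk_kd(derive_mptk_kd(pmk_mkd, ma_nonce, mkd_nonce, ma.ident, mkd.ident))
    msg2 = {"mkd_nonce": mkd_nonce, "mkdd_id": mkdd_id,
            "mic": mkd.mic(ma_nonce, mkd_nonce, mkdd_id)}
    # Aspirant MA derives the same MPTK-KD and checks message 2 before answering.
    ma.install_mptk_kd(derive_mptk_kd(pmk_mkd, ma_nonce, msg2["mkd_nonce"],
                                      ma.ident, mkd.ident))
    if not hmac.compare_digest(ma.mic(ma_nonce, msg2["mkd_nonce"], msg2["mkdd_id"]),
                               msg2["mic"]):
        return None
    # Message 3 (MA -> MKD) proves the MA holds MPTK-KD; the MKD verifies it.
    msg3 = {"mic": ma.mic(b"msg3", ma_nonce, mkd_nonce)}
    if not hmac.compare_digest(mkd.mic(b"msg3", ma_nonce, mkd_nonce), msg3["mic"]):
        return None
    return msg2["mkdd_id"]


def pull_pmk_ma(ma: KeyHolder, mkd: KeyHolder, pmk_store: dict, pmk_ma_name: bytes):
    """Pull protocol: the MA requests a PMK-MA by name; the MKD answers under MPTK-KD.
    (The real PMK-MA would also be encrypted; only MIC and replay handling are modelled.)"""
    request = ma.initiate(b"PULL" + pmk_ma_name)
    if not mkd.accept_first(request):
        return None                  # replayed or tampered request is discarded
    response = mkd.respond(request, pmk_store[pmk_ma_name])
    if not ma.accept_response(request, response):
        return None
    return response["body"]
```

Calling `accept_first` twice with the same captured request shows the replay rule: the second copy is discarded even though its MIC is valid.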
Page 155: WIRELESS MESH NETWORKS Ian F. AKYILDIZ* & Xudong WANG** * Georgia Institute of Technology BWN (Broadband Wireless Networking) Lab ** TeraNovi Technologies

155

Mesh 4-Way Handshake Mesh 4-Way Handshake

Similar to that of IEEE 802.11i except that:Similar to that of IEEE 802.11i except that:

– Message 1: Message 1:

The ANonce here is the MPTKANonce which is The ANonce here is the MPTKANonce which is obtained by the MA from the MKD during the PMK-MA obtained by the MA from the MKD during the PMK-MA delivery. delivery.

As in IEEE 802.11i, the key data field is empty.As in IEEE 802.11i, the key data field is empty.


Mesh 4-Way Handshake

– Message 2:

The SNonce is the MPTKSNonce.

The key data field includes encrypted information of RSNIE, MSCIE, MSAIE, and GTK key data encapsulation (KDE).

RSNIE may also include PMK-MAName in the PMK-ID list.

RSNIE, MSCIE, and MSAIE must be consistent with those in the peer link confirm message sent by the supplicant MP.


Mesh 4-Way Handshake

– Message 3: The message contains an MPTKANonce. Additionally, the key data field includes RSNIE, MSCIE, MSAIE, GTK-KDE, and lifetime KDE.

RSNIE, MSCIE, and MSAIE must be consistent with those in the peer link confirm message sent by the MA, and PMK-MAName must be in the PMK-ID list in RSNIE.

The lifetime KDE contains the lifetime of PMK-MA.

– Message 4: This message is the same as that in IEEE 802.11i.


Mesh 4-Way Handshake

After the MSA 4-way handshake completes, both the MA and the supplicant MP open the 802.1X controlled port.

Subsequent EAPOL-Key frames rely on the key replay counter to protect messages from being replayed.

The pairwise cipher suite is used to protect messages encrypted with the PTK.
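As an added example, not from the slides, the receiving-side consistency checks for messages 2 and 3 of the mesh 4-way handshake described above, in Python: the IEs are compared with the ones the peer sent in its peer link confirm message, message 3 must carry the MPTKANonce from message 1, PMK-MAName must appear in the PMK-ID list, and the lifetime KDE must be present. The IE records, their field names, the meaning of "consistent" (equal cipher and AKM selections) and the 32-byte nonce length are assumptions made here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Constructed, simplified information elements (assumption: the real IEs are
# binary TLVs; small records are enough to apply the rules on the slides).
@dataclass(frozen=True)
class RSNIE:
    pairwise_cipher: str
    akm: str
    pmkid_list: Tuple[str, ...] = ()   # may carry PMK-MAName


@dataclass(frozen=True)
class MSCIE:
    mkd_domain: str


@dataclass(frozen=True)
class MSAIE:
    handshake_control: str
    selected_akm: str


@dataclass(frozen=True)
class PeerLinkConfirm:
    """IEs an MP sent in its peer link confirm message, kept by the receiver."""
    rsnie: RSNIE
    mscie: MSCIE
    msaie: MSAIE


@dataclass(frozen=True)
class Message2:
    """Supplicant MP -> MA; key data shown after the receiver decrypted it."""
    snonce: bytes
    rsnie: RSNIE
    mscie: MSCIE
    msaie: MSAIE
    gtk_kde: bytes


@dataclass(frozen=True)
class Message3:
    """MA -> supplicant MP."""
    anonce: bytes
    rsnie: RSNIE
    mscie: MSCIE
    msaie: MSAIE
    gtk_kde: bytes
    lifetime_kde: Optional[int]        # lifetime of PMK-MA; None if absent


def ie_mismatches(rsnie: RSNIE, mscie: MSCIE, msaie: MSAIE,
                  confirm: PeerLinkConfirm) -> List[str]:
    """Compare the handshake IEs with the peer's earlier peer link confirm.
    The PMK-ID list is left out here because only messages 2/3 carry PMK-MAName."""
    errors = []
    if (rsnie.pairwise_cipher, rsnie.akm) != (confirm.rsnie.pairwise_cipher, confirm.rsnie.akm):
        errors.append("RSNIE differs from peer link confirm")
    if mscie != confirm.mscie:
        errors.append("MSCIE differs from peer link confirm")
    if msaie != confirm.msaie:
        errors.append("MSAIE differs from peer link confirm")
    return errors


def check_message2(msg: Message2, supplicant_confirm: PeerLinkConfirm,
                   pmk_ma_name: str) -> List[str]:
    """MA-side checks on message 2; an empty list means the message is acceptable."""
    errors = ie_mismatches(msg.rsnie, msg.mscie, msg.msaie, supplicant_confirm)
    if len(msg.snonce) != 32:
        errors.append("MPTKSNonce missing or malformed")
    # PMK-MAName is optional in message 2; if present it must name the PMK-MA in use.
    if msg.rsnie.pmkid_list and pmk_ma_name not in msg.rsnie.pmkid_list:
        errors.append("PMK-ID list names a different PMK-MA")
    if not msg.gtk_kde:
        errors.append("GTK KDE missing")
    return errors


def check_message3(msg: Message3, ma_confirm: PeerLinkConfirm,
                   mptk_anonce: bytes, pmk_ma_name: str) -> List[str]:
    """Supplicant-side checks on message 3; an empty list means acceptable."""
    errors = ie_mismatches(msg.rsnie, msg.mscie, msg.msaie, ma_confirm)
    if msg.anonce != mptk_anonce:
        errors.append("ANonce is not the MPTKANonce received in message 1")
    if pmk_ma_name not in msg.rsnie.pmkid_list:
        errors.append("PMK-MAName absent from PMK-ID list")
    if not msg.gtk_kde:
        errors.append("GTK KDE missing")
    if msg.lifetime_kde is None or msg.lifetime_kde <= 0:
        errors.append("lifetime KDE for PMK-MA missing or invalid")
    return errors
```

A message that fails any check is dropped without opening the 802.1X controlled port, mirroring the slides' rule that the handshake must complete before either side forwards data.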


Limitations and Challenging Issues

1. Complexity, Overhead, and Performance: The procedures are so complicated that it is hard to predict the performance, for two reasons:

The more complicated the operation procedures in a security protocol, the higher the possibility that the security can be compromised, since more components are subject to security attacks.

The overhead of the protocol is really unknown.

Thus, a full investigation of security performance is needed for the 802.11s security protocol.


Limitations and Challenging Issues

2. How to Determine the MKD:

– There is no method for determining how an MKD is selected. Randomly picking an MP as an MKD is not a solution.

– In addition, for scalability reasons, it may be necessary to consider whether only one MKD is enough in a large WMN. If not, then a mechanism needs to be defined to handle the security operations when multiple MKDs co-exist.


Limitations and Challenging Issues

3. Peer Link Management and Role Selection Procedure:

– The standard draft lacks a mechanism for the scenario where a new MP needs to set up a peer link with an MA or a supplicant MP.

– For example, if the same peer link management and role selection procedure is applied to the peer link setup between the new MP and an MA, it is possible that the new MP is selected as the authenticator while the MA's role becomes supplicant.

– Such a conflict should be resolved efficiently; otherwise, frequent flipping of the function role of an MP can cause unnecessary overhead and also damage the security of 802.11s WMNs.


Future Directions

1. Improve existing security schemes

A security scheme proposed for other wireless networks may not be applicable to WMNs.

However, some schemes, with modifications or improvements, can still be applied to WMNs, e.g.:

– The security mechanism proposed in IEEE 802.11i can be applied as one component for future IEEE 802.11 WMNs, i.e., for the security between mesh clients and mesh routers.

– The security mechanism in IEEE 802.16 mesh mode is still not enough to support mobile terminals. However, for the communications among mesh routers, a framework has been specified.


Future Directions

– The key management schemes, secure routing protocols, and so on proposed for mobile ad hoc networks are good examples of security schemes for distributed multi-hop wireless networks.

– Thus, the key ideas in these schemes can be borrowed for WMNs.

It should be noted that the security algorithms for encryption, authentication, or MIC have been thoroughly researched in various wireless networks.

The remaining work for these algorithms is to modify them to be applicable to WMNs and to evaluate the enhanced versions in the WMN environment accordingly.


Future Directions

2. Develop new security protocols

Besides enhancements to existing security schemes, novel security mechanisms are also desired. In particular:

– New secure protocols in the MAC need to be developed, because the specific features of WMNs make a MAC protocol in WMNs significantly different from that in any other network.


Future Directions

– A new trend in MAC and routing protocol design is cross-layer design:

In the on-going IEEE 802.11s standardization efforts, one option for MAC and routing is to have their major functions merged into one protocol layer, i.e., a layer-2 routing protocol will be specified.

Such a methodology totally breaks the traditional layered design for routing and MAC protocols, and thus makes the existing secure routing or MAC protocols not applicable to the final IEEE 802.11 WMNs.


Future Directions

3. Security monitoring and response systems

– Done directly through other security schemes such as authentication, message integrity check, or secure networking protocols.

– Once abnormal events are captured by these security schemes, responses should be made to prevent further attacks.


Future Directions

– May work independently from any other security schemes, which is a more attractive approach, since it adds one more counter-attack measure to WMNs.

For example, a security model can be built based on user profiles of transmission rates, traffic types, mobility, etc.


Future Directions

– Cross-layer design is also needed for security monitoring and response systems.

How to design and implement a practical security monitoring system for WMNs has never been researched.


Future Directions

4. Virtual Private Networking (VPN)

– It has become an effective scheme to provide a secure network over public networks.

– It can also be adopted to establish a secure network over WMNs.

The mechanism of VPN is independent of the security issues of WMNs, and is thus out of the scope of WMN security.

It should be noted that a security attack on a WMN impacts the VPN by failing or degrading the WMN; it usually cannot capture the encrypted information in the VPN.


Multi-Layer Design for WMN Security

Developing security schemes in each protocol layer is necessary:

– However, security attacks may come simultaneously from different protocol layers.

A multi-protocol-layer security scheme is desired for WMNs:

– Cross-layer design is inherently embedded in the framework of multi-layer design.

The major components of the multi-layer and cross-layer approach to WMN security are:


Multi-Layer Design for WMN Security

1. Robust Physical Layer Technique

– The most brute-force and also the most devastating security attack is jamming.

– Once the security in the physical layer is broken due to jamming, the entire wireless network just does not work anymore, no matter what security schemes are adopted in upper layers.

– It is necessary to develop physical layer techniques that are robust to jamming and co-channel interference.


Multi-Layer Design for WMN Security

2. Secure Link-Layer Protocols

– When nodes come on-line, they need to be associated with the network before joining the network.

– Secure associations are different for clients and mesh routers:

Mesh routers are part of the WMN infrastructure, and their security can be better guaranteed, because 1) a more powerful encryption algorithm can be adopted; 2) no security-related information will be released to users.

For network association of a mesh client, standard security schemes must be adopted in order to avoid denial of service to clients.

– The same security mechanism for network association must be applied to network access. When a mesh router is considered, it has connectivity to both mesh clients and other mesh routers.


Multi-Layer Design for WMN Security

3. Secure Network-Layer Protocols

– In the secure routing protocol, integrity must be guaranteed for the messages that establish a routing path.

– Security schemes in the MAC layer cannot guarantee the integrity of routing messages.

– A straightforward solution is to authenticate routing messages hop by hop: inefficient due to the per-hop authentication.


Multi-Layer Design for WMN Security

– Alternative: authentication of routing messages is performed only in two sectors: one is between mesh clients and mesh routers, the other is within the mesh backbone consisting of mesh routers. Supports client mobility more efficiently!

– Data forwarding is usually protected by detection of and reaction to malicious behavior of intermediate users: in WMNs, the intermediate nodes are usually mesh routers, and thus, the chance of being attacked by malicious users is low.


Multi-Layer Design for WMN Security

4. Secure Transport

– In case the security in all lower layers is compromised, the last resort that we rely on is secure transport technology.

– Today, secure sockets layer (SSL) and its successor, transport layer security (TLS), have successfully provided security for end-to-end communications.

– Thus, no new secure transport protocols are really needed. However, it is necessary to adopt secure transport protocols as an integral part of the overall security solution for WMNs.


Research Issues in the Multi-Layer Security

1. Secure mesh network infrastructure

Secure association/authentication among mesh routers:

– More powerful encryption algorithms are employed for network association between mesh routers to increase security performance.

– Since the same association procedure is used in a mesh router for both mesh clients and other mesh routers, it needs to be modified to take into account the differentiation between clients and routers.

– Another change to the association procedure is that it needs to support secure association with different wireless networks.

– For example, an IEEE 802.11 mesh router may need to be associated with another IEEE 802.11 mesh router and an IEEE 802.16 mesh router.


Research Issues in the Multi-Layer Security

2. Protection of mesh management and control messages

– To maintain a secure mesh backbone, management messages and control messages need to be protected.

– Simple periodic transmission can only provide stability but not security.

– When a malicious node also sends out these messages with different contents, mesh routers will be confused by such messages, and thus, the mesh backbone can be easily partitioned.

– Encryption is needed to send these messages and authentication is required for receiving them.

– Challenge: most management and control messages are broadcast in nature, while encryption and authentication usually assume point-to-point communications.


Research Issues in the Multi-Layer Security

3. Secure data forwarding

– Detection of malicious behavior needs to be both quick and accurate.

– It is necessary to consider the tradeoff between localized detection schemes and end-to-end detection schemes.

– When necessary, a hybrid detection scheme is needed.

– In order to expedite the reaction process in the mesh backbone, cooperation among mesh routers is preferred.

– In case a malicious node is detected, such information can be shared by different mesh routers in the neighborhood.


Research Issues in the Multi-Layer Security

4. Compliance with security standards

– In existing standard mesh networks, no schemes have been proposed for security in the mesh backbone.

– It is required that the security in the mesh backbone be compliant with the security schemes for network access.

– In IEEE 802.16 mesh mode, many security flaws still exist.

– These problems must be addressed in our link-layer security scheme, but have to conform to standard guidelines.


Research Issues in the Multi-Layer Security

5. Secure routing protocol

– Research issues of secure routing are twofold:

One is to design a per-sector authentication scheme for routing messages, i.e., developing a scheme so that authentication is only performed at the first hop, the mesh backbone, and the last hop. No per-hop authentication is needed.

The other is to make this per-sector authentication scheme part of the routing protocol.
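As an added example, not from the slides, a Python simulation of the per-sector idea above against per-hop authentication: it carries one routing message from a client across a four-router backbone to another client, counts the MIC verifications performed under each scheme, and reports where an in-transit modification by a party without keys is caught. The keys, node names and the assumption that only sector boundaries (backbone ingress, egress and the destination) verify and re-authenticate are constructed here.

```python
import hmac
import hashlib
from typing import List, Optional, Tuple


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# Constructed keys (assumption, not from the slides): each client<->router
# access link has its own pairwise key; all mesh routers share one backbone key.
ACCESS_KEYS = {frozenset({"C1", "R1"}): b"k-access-c1-r1",
               frozenset({"R4", "C2"}): b"k-access-r4-c2"}
BACKBONE_KEY = b"k-backbone-shared"


def is_router(node: str) -> bool:
    return node.startswith("R")


def link_key(a: str, b: str) -> bytes:
    """Key for the direct link a<->b: the access key for a client link, or a
    per-pair key derived from the backbone key for a router-router link."""
    if is_router(a) and is_router(b):
        return mac(BACKBONE_KEY, "|".join(sorted((a, b))).encode())
    return ACCESS_KEYS[frozenset({a, b})]


def forward(scheme: str, path: List[str], payload: bytes,
            corrupt_after: Optional[int] = None) -> Tuple[bool, int, Optional[str]]:
    """Carry a routing message along `path` under "per-hop" or "per-sector"
    authentication. `corrupt_after` is the index of the node after whose
    transmission the message is modified in the air by an outsider.
    Returns (delivered_authentic, verifications_done, node_that_dropped_it)."""
    data = payload
    tag = mac(link_key(path[0], path[1]), data)   # source authenticates its first hop
    verifications = 0
    last = len(path) - 1
    for i in range(1, len(path)):
        prev, node = path[i - 1], path[i]
        if corrupt_after == i - 1:                # modified on the link prev -> node
            data = data + b"#modified"
        backbone_link = is_router(prev) and is_router(node)
        if scheme == "per-hop":
            verify, in_key = True, link_key(prev, node)
        else:
            # Per-sector: verify at backbone ingress (first router), at backbone
            # egress (last router) and at the destination; interior routers forward.
            ingress = is_router(node) and not is_router(prev)
            egress = is_router(node) and i < last and not is_router(path[i + 1])
            verify = ingress or egress or i == last
            in_key = BACKBONE_KEY if backbone_link else link_key(prev, node)
        if verify:
            verifications += 1
            if not hmac.compare_digest(tag, mac(in_key, data)):
                return False, verifications, node  # authentication failed: drop
        if i == last:
            return True, verifications, None
        nxt = path[i + 1]
        if scheme == "per-hop":
            tag = mac(link_key(node, nxt), data)   # every hop re-authenticates
        elif verify:
            # Sector boundary: re-authenticate under the next sector's key.
            tag = mac(BACKBONE_KEY if is_router(nxt) else link_key(node, nxt), data)
    return True, verifications, None


PATH = ["C1", "R1", "R2", "R3", "R4", "C2"]        # client, 4-router backbone, client
RREQ = b"RREQ src=C1 dst=C2 seq=7"                  # constructed routing message

if __name__ == "__main__":
    for scheme in ("per-hop", "per-sector"):
        print(scheme, forward(scheme, PATH, RREQ))
        print(scheme, "corrupted after R2:", forward(scheme, PATH, RREQ, corrupt_after=2))
```

With a longer backbone the per-hop count grows with the number of routers while the per-sector count stays at three, which is the efficiency argument behind the slide.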


Research Issues in the Multi-Layer Security

6. Inter-system authentication

– When multiple mesh backbones from different service providers co-exist, inter-system authentication is needed.

– This research issue is related to mobility management, and thus, must be studied together with mobility management schemes.