Wireless Security
Yan Zhang
Simula Research Laboratory, Norway
Jun Zheng
City University of New York, USA
Miao Ma
Hong Kong University of Science and Technology, Hong Kong
Volume I
mobile devices, but also for sharing of resources between devices. There are four elements found in the service-oriented approach: (1) service description, which provides an interchangeable way for devices to describe the service and its use; (2) service registration or advertisement on behalf of the service provider; (3) service discovery by devices seeking a service; and (4) service invocation, which is a protocol by which a service requester and service provider coordinate to deliver a service. Propagation of service advertisements can use pull (query), push (announcement), or a combination of pull and push. In addition, the ability to dynamically discover and combine component services to form new services is referred to as service composition.

Broadband wireless technologies such as WiMax, UWB, and 802.11n are bringing broadband connectivity to mobile CE devices. These devices will be able to switch between different network access technologies. This has the following consequences for service discovery in pervasive computing:

• Due to broadband connectivity, devices will be able to participate in media-rich and sophisticated resource sharing.
• Wide-area service discovery and location-based discovery will grow in importance due to the combination of increased connectivity and wide-area roaming.
• The ability to act as multi-homed devices means that devices will have increased connectivity but also an increased rate of transitions due to roaming between different networks.
• Devices will be able to simultaneously participate in a personal area network (PAN), home networks, and wireless area networks (WANs) with different security and trust properties. In PANs and home networks, mediation of service discovery between networks is needed, in which devices such as gateways proxy or intermediate service discovery between network domains.
• Device-to-device interaction will grow in importance to users for applications such as content sharing, communication, and gaming.

Due to these trends, richer models of discovery are being considered such as federated discovery, meta discovery, and semantic discovery (Buford, Brown, & Kolberg, 2006; Buford, Celebi, & Frankl, 2006).

Consequently, it is important for wireless devices to securely participate in service discovery with other devices that are outside the immediate administrative security domain. Further, these devices interact with other devices in an ad hoc
leads to the dependency on other devices for resources. The nature of devices, communication patterns, and dependency on other devices in turn causes security vulnerabilities. Due to the ad hoc connectivity and dynamic nature of the population
-mittent and short-lived. Moreover, multiple devices
responsive service discovery model.

Thus far, we have discussed the general view of and motivation for service discovery for mobile devices. The rest of the chapter is organized as follows: The next section summarizes the security goals for service discovery and presents a model for service discovery in pervasive computing. The third section surveys present unsecured service discovery models. The fourth section surveys existing secure service discovery models, organized into three different categories. Two case studies of service discovery protocols that incorporate trust-based mechanisms are described in the
sections summarize important research issues and conclusions.

-covery is well established (Matsumiya et al., 2004; Stajano, 2002; Stajano & Anderson, 2002). Privacy, security, and trust issues in service discovery in the
Secure Service Discovery
pervasive computing area are of utmost importance (Robinson et al., 2005). Thus, the service discovery process demands models that ensure the privacy and security of the user. In particular, this privacy and security should encompass:

• Authentication: Do the user and device actually have the indicated identity?
• Authorization: Does the user have access rights for issuing service advertisements, requesting services, and invoking services?
• Trust: Are the participating user and device trusted? Are the service and its components trusted?
• Privacy: Is only the approved information shared between the given users/devices during service discovery, advertisement and invocation (SDAI) operations? Is disclosure to unauthorized users prevented?
• Vulnerability to attack and misuse: Are the SDAI operations protected from attacks such as denial-of-service, spoofing, replay, and man-in-the-middle? Are the SDAI operations protected from misuse in enabling such attacks on other network components?

An important question is what security, privacy, and trust mechanisms are provided by the wireless network. IEEE 802.11i, also known as WiFi Protected Access 2 (WPA2), replaced Wired Equivalent Privacy (WEP) with stronger encryption and a new authentication mechanism incorporating an authentication server such as remote authentication dial in user service (RADIUS). This mechanism, while suitable for enterprise deployment, has had limited use in home networks because of complex administration and in public hot spots due to difficulty administering shared keys. Thus, in the best case, a set of devices are authenticated in a single administrative domain, and the authentication server can be used to support authorization policies including policies related to service discovery and use. Network packets between authenticated users are encrypted, providing communication privacy from non-authenticated parties. However, these security capabilities cover only a subset of the aforementioned security goals and are limited to single administrative domains. For interactions crossing administrative boundaries, or without infrastructure support, other mechanisms are needed.

Further, traditional security mechanisms do not work well in this environment because the devices are computationally limited and the notion of physical security is not applicable (Kagal, Finin, & Joshi, 2001). Then, considering the choices of totally sacrificing security versus imposing a full-fledged security structure similar to desktops and laptops, the question is whether there is any middle ground. Ensuring varying levels of security for various services is a research challenge. The insufficiency of user/device identity for trust is another concern in designing a discovery model, and techniques for peer trust and risk assessment (Chen, Jensen, Gray, Cahill, & Seigneur, 2003) are important tools to address this.

Desired characteristics of a secure and private service discovery model are summarized next.

• Adaptive: The trust value and security level should be adaptable depending on the service itself, the service provider, and the service requester.
• Trust reliant: The model should consider trust relationships among devices. Where no prior information is available, reputation, recommendation, or trust negotiation schemes can be used. If these are unsuitable, then risk assessment can be used.
• Infrastructure independence: No infrastructure support (e.g., powerful servers, proxies) should be required. Then the model should work independently without any external support, but be able to leverage infrastructure where it exists.
• Lightweight: The model should be lightweight in terms of executable file size.
• Service oriented: To control service security modularly, service discovery models should be service oriented.
• Graceful performance degradation: The model should not put much overhead on the performance of the device, and performance should degrade gracefully for more advanced security features.
• Energy efficient: Service discovery models should be energy conserving, for example, avoiding continuous broadcasting or polling.

A classification and detailed survey of service discovery models can be found in Zhu, Mutka, and Ni (2002). Service-oriented architectures (SOA) and their security are discussed in Cotroneo, Graziano, and Russo (2004). We classify existing service discovery models into two broad categories. First are service discovery models that do not address security issues (Balazinska, Balakrishnan, & Karger, 2002; Microsoft, 2000; Miller, Nixon, Tai, & Wood, 2001; Nidd, 2001; Winoto, Schwartz, Balakrishnan, & Lilley, 1999). Second, there are models that consider a full-fledged security mechanism with the help of infrastructure support (Czerwinski, Zhao, Hodes, Joseph, & Katz, 1999; Zhu, Mutka, & Ni, 2003, 2004). The next two sections discuss examples of these cases, and Table 1 compares the key features of the surveyed systems.

Service Discovery Models without Inherent Security

We describe several designs that do not address security requirements. Nevertheless these models are important either because the systems are widely used, are representative approaches, or could be secured by additional mechanisms in a secure network. The designs we discuss are Bluetooth, DEAPSpace, and Intentional Naming System (INS).

Bluetooth (Bluetooth Special Interest Group [SIG], 2001a, 2001b) is a pull protocol. Device information, services, and the characteristics of the services are queried and connections between two or more Bluetooth devices are established. This facilitates user selection, scope-awareness, and both unicast and broadcast communication. A Bluetooth device returns all matched resource information.

Nidd (2001) developed the DEAPSpace service discovery method for ad hoc and mobile device applications. Each node broadcasts its advertisement of local services. After receiving a broadcast, each node updates its service list with information about the other nodes’ services. This service information is included in that node’s subsequent broadcast. Each node is a broadcaster and DEAPSpace uses contention timers at each node so that a node will randomly delay its broadcast after another broadcast is received. DEAPSpace can reduce service discovery time at the cost of increased bandwidth and power consumption.

INS (Winoto et al., 1999) supports both pull and push delivery of service advertisements. It also supports unicast, anycast, and broadcast methods. It offers the best-match resource information and also provides facilities for limited support of context information. In INS each device requests a central name resolver for the type of services it requires, and the resolver replies with the best matched device address.

Secure Service Discovery Models

Most contemporary service discovery models fall into this category. There are some models that include full-fledged security mechanisms, while others rely on simple algorithms for limited security. This category can be subdivided into infrastructure based, infrastructureless, hardware based, and smart-space-oriented security mechanisms. In the following subsections we discuss each of these categories.

Infrastructure-based security

UPnP is a specification for connecting multiple devices on a home network so that these devices can invoke services of each other. UPnP defines a set of protocols and a service description format. In addition, UPnP standardizes various service interfaces. UPnP relies on administratively scoped multicast IP address for service discovery, service advertisement, and event delivery. Each UPnP device broadcasts its advertisements when it connects to the network. Thereafter, a UPnP device broadcasts advertisements in response to queries from other devices. These queries may be for all services on the network or a specific service on
Table 1. Comparison of secure service discovery models (SSDS): SSDS (Czerwinski et al., 1999), Ninja (Goldberg, Gribble, Wagner, & Brewer, 1999; Gribble et al., 2001), UPnP (Miller et al., 2001), SPDP (Almenarez & Campo, 2003), Progressive Exposure (Zhu et al., 2004; Zhu, Mutka, & Ni, 2006), Splendor (Kagal, Korolev, Chen, Joshi, & Finin, 2001), Jini (Sun Microsystems, 2001), CSAS (Minami & Kotz, 2005), CSM (Brezillon & Mostefaoui, 2004), AVCM (Shankar & Arbaugh, 2002), CSRA (Tripathi, Ahmed, Kulkarni, Kumar, & Kashiramka, 2004), TRAC (Basu & Callaghan, 2005), SME (Kopp, Lucke, & Tavangarian, 2005), HCA (Pearson, 2005), SSRD (Sharmin, Ahmed, & Ahamed, 2006a), SSRD+ (Sharmin, Ahmed, & Ahamed, 2006b), Centaurus2 (Undercoffer, Perich, Cedilnik, Kagal, & Joshi, 2003), SLP (Barbeau, 1999; Guttman, Perkins, Veizades, & Day, 1999), Sleeper (Buford, Celebi, et al., 2006)

Model                 Adaptive  Infrastructure  Lightweight  Service-  Trust  Privacy  Context  Smart space
                                support needed               oriented  aware  aware    aware    needed
SSDS                  No        Yes             No           No        N/A    N/A      N/A      No
Ninja                 No        Yes             No           No        N/A    N/A      N/A      No
UPnP                  No        N/A             No           No        No     Yes      No       Limited
SPDP                  No        No              Yes          No        Yes    N/A      No       No
Progressive Exposure  No        Yes             No           No        No     Yes      Limited  No
Splendor              No        Yes             No           No        Yes    Yes      N/A      No
Jini                  No        N/A             No           No        N/A    Yes      N/A      Limited
CSAS                  No        No              Yes          No        N/A    N/A      Yes      No
CSM                   Yes       No              Yes          No        N/A    N/A      Yes      No
AVCM                  Limited   No              Yes          No        Yes    Yes      Yes      No
CSRA                  No        Yes             No           No        N/A    N/A      Yes      Yes
TRAC                  No        N/A             No           No        Yes    Yes      N/A      Yes
SME                   Yes       N/A             N/A          Yes       N/A    Yes      No       N/A
HCA                   No        N/A             Yes          No        No     Yes      No       N/A
SSRD                  Yes       No              Yes          Yes       Yes    Yes      Limited  No
SSRD+                 Yes       No              Yes          Yes       Yes    Limited  Yes      No
Centaurus             Yes       Yes             No           No        No     N/A      Yes      No
SLP                   No        Yes             Yes          Yes       No     No       No       No
Sleeper               Yes       No              Yes          Yes       Yes    Yes      No       No
2. The communication manager mediates communication between clients and networked services.
3. Group membership(s) is maintained and stored by the capability manager.
4. Each client is registered to a specific service manager that ensures security, access rights, and mediates between user client and service client. Service managers maintain a service registry.

Each domain has a root service manager. Static bridges are configured between service managers in different domains. Then clients in separate domains can access services across domains using the root service manager as the context.

In SSDS (Czerwinski et al., 1999), both service advertisement pull (query) and push (announcement) are supported. Service advertisements are stored in a hierarchy of servers. SSDS provides capability-based access control. All information passed between clients and servers is encrypted. A single copy of the resource information is stored and accessed, which makes the system vulnerable to a single point of failure. Subsequently, the Ninja project (Goldberg et al., 1999; Gribble et al., 2001) added the concept of secure identification of service through SSDS. In Ninja, the CA issues valid certificates and the capability manager authorizes user access to a particular resource. The service providers can also prescribe the conditions (capabilities) that are needed by a user in order to discover a particular service.

The context-sensitive authorization scheme (CSAS) (Minami & Kotz, 2005) provides authorization without a central server or CA. When a CSAS user wants to access a service from a resource, the associated server issues a logical authentication query and sends it to the host of the resource. Each host has a knowledge domain with which it attempts to prove the authorization query. If it fails, it distributes several portions of the proof to multiple hosts. Through this distribution CSAS reduces the computational overhead on any single node. After collecting the sub-proofs from the other hosts, the host of the resource can declare the result of the query to be true or false, thus indicating grant of access or denial respectively. This approach facilitates confidentiality, integrity, and scalability. To authorize access, CSAS uses previously stored information, which may be difficult to collect for users in an ad hoc network.

Splendor (Zhu et al., 2003) is a secure, private, and location-aware service discovery protocol. Splendor adapts depending on the network environment to use either a client-service model or client-service-directory model. Proxies are used to offload workload for mobile services. Mobile services authenticate with proxies and proxies handle registration. In these situations, proxies are considered to be trusted servers. However, if no trusted server is available in an environment, then there is no agent to handle the registration. Its security model is based on mutual authentication.

Progressive Exposure (Zhu et al., 2004, 2006) is a secure service discovery approach. It addresses privacy issues using a mutual matching technique. Progressive exposure addresses security and fairness by not exposing too much information. In each round of message exchange between communicating parties, it tries to find whether any mismatch occurs. In case of a mismatch, the communication stops. It uses one-time code words and a hash-based message authentication code. It considers the presence of one user and one service provider, but it does not address situations in which many users and many service providers are present. When a service provider leaves the network, the process of provider lookup and the authentication phase is restarted. It provides privacy for service information, requests, domain identity, and user credentials, and is based on the client-service-directory model.

Infrastructure-less security

SPDP (Almenarez & Campo, 2003) is a secure service discovery protocol based on the PTM (Almenarez, Marin, Campo, & Garcia, 2004; Almenarez, Marin, Dyaz, & Sanchez, 2006) model. The need for a centralized server is avoided by having each device act as its own CA. For a service request, this model uses broadcast messaging. The requesting device updates its cache after getting a
reply from the devices (if any reply). It then stores the device identities that it believes trustworthy. The devices’ user agents continually listen for messages, which in turn means continual energy consumption.

Narendar Sarkar et al. (Shankar & Arbaugh, 2002) propose an attribute vector calculus (AVCM) for modeling trust. Their model describes both identity-based trust and context-based trust and is one of the first models that discusses the importance of trust in a ubiquitous environment. Brezillion and Mostefaoui (2004) present a context-based security model (CSM) and they discuss the need for adaptive security based on the particular situation. Thomas and Sandhu (2004) present the challenges and research issues for secure pervasive computing. They express the need for a dynamic trust model as the pervasive computing environment poses new kinds of security challenges due to its diverse nature. They present a socio-technical view.

A smart space provides devices with complex computational support that supports context-awareness and collaboration. Components of the smart space can offload secure discovery tasks and relate them to other activities in the space. Examples include context-based secure resource access (CSRA) (Tripathi et al., 2004) and trust-based architecture (TRAC) (Basu & Callaghan, 2005).

CSRA (Tripathi et al., 2004) focuses on context-aware discovery of resources and how to access resources in a secure and unobtrusive manner. In a pervasive computing environment the rules and limitations imposed by the user, system, and the collaborative activity scenario have to be combined dynamically at runtime. CSRA uses a namespace related to each user and domain. These namespaces collect resources, services, and activities. The binding protocol defines the association of a user to a specific resource in the space. The binding changes based on the contextual information of the user including the location, activity, and role. A descriptor is associated with each namespace that combines functional attributes collected from resource descriptions in Web services description language (WSDL) and resource description framework (RDF) conditions for security, and policies for the binding protocol. The binding protocol specifies whether the binding of a resource is “shared” or “private,” and whether the binding is “permanent” or “context-based.”

Basu and Callaghan (2005) present a TRAC for increasing security and user confidence in pervasive computing systems. They use trust and role-based access control for ensuring security and privacy. However, their model is aimed at an intelligent environment (IE) only. This policy-based model allows users to define policies for themselves and thus gives users control to define their own security level. This model works in an IE because every user is known beforehand. However, in a truly pervasive environment it is not possible to have prior information about every user and thus, this model is not applicable.

We next describe two service discovery protocols, Sleeper and SSRD, which incorporate trust models for infrastructure-less security.

Sleeper

Sleeper (Buford, Celebi, et al., 2006) is an energy-preserving service discovery protocol which features dynamic proxy selection for advertisement and discovery so that nodes can go to power standby while the proxy advertises on their behalf. The basic node states and transitions for Sleeper are shown in Figure 2. An off-line or disconnected node moves to an online state and broadcasts a join message that includes its advertisements and their popularity metrics. The current proxy caches these advertisements. Any proxy-candidate node may also cache these advertisements. An online node may broadcast a leave message prior to going off-line; if a leave message is not transmitted, advertisements may be purged from the proxy and other online nodes’ cache by expiration. Transitions to/from standby state may also be indicated by broadcast messages.
An online node can be in one of four states (Figure 2). Every node initially goes online as a non-proxy node. A proxy-capable node becomes a proxy-candidate. There may be more than one proxy-candidate at any time. When no proxy is detected, for example by absence of a service advertisement broadcast or at the exit of a proxy, the first proxy-candidate to issue the proxy bootstrap becomes the proxy. A vacating proxy may transfer its cache to the new proxy, or the new proxy may collect advertisements from online nodes through the bootstrap. Nodes which are in standby state during the proxy change may be polled by the new proxy after the standby node transitions to online.

Sleeper uses property-based peer trust to secure service discovery operations. In property-based or credential-based trust (Hess et al., 2002; Seamons, Winslett, & Yu, 2001), each party has a set of certified attributes (e.g., credit card numbers, employee ID) that are exchanged to establish mutual trust. The typical components of a mechanism to provide property-based trust include:

• Trust negotiation protocol
• Trust negotiation policies
• Credentials

A method for trust negotiation has been defined for client-server context (Hess et al., 2002; Seamons et al., 2001). In this design, access control policies determine which credentials, services, and policies should be disclosed during a negotiation. Policies and credentials are secured locally at each node but are disclosed during negotiation to the remote party. Sleeper nodes establish mutual trust using the trust negotiation mechanism defined in Buford, Park, and Perkins (2006). Assuming that each peer caches public keys for certificate issuers that are relevant to its peer trust policies, then peer trust establishment can be performed without a centralized authority.

A service discovery mechanism is privacy preserving if a peer can discover the service description using the mechanism only if the peer satisfies the criteria C. Thus a mechanism that only distributes service descriptions to peers which are members of group G with criteria C is privacy preserving. Sleeper uses trust negotiation to create groups of peers that satisfy membership criteria C.

Group management is provided by a group service (GS) that is available at every peer. The GS caches private service descriptions for each group and allows only group members to retrieve them. The GS publishes encrypted service descriptions that can only be decrypted by members of G. These encrypted service descriptions are broadcasted to all connected peers, but can only be decrypted by group members.

The secure agent technology (Buford, Park, et al., 2006) used in Sleeper for trust negotiation can also be used for enabling trust in service composition (Buford, Kumar, & Perkins, 2006).
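
The Sleeper node states, proxy bootstrap and advertisement caching described above, as an added Python sketch that is not code from the chapter or from the Sleeper authors. The class and method names, the 30-second `AD_TTL`, the rule that the earliest-joined candidate wins the bootstrap, and the holding of standby nodes' entries are assumptions made for the illustration; the node names and advertisements are constructed.

```python
# Added illustration of the Sleeper description; names and timings are assumptions.
import enum
from dataclasses import dataclass, field

AD_TTL = 30  # assumption: seconds a cached advertisement stays valid

class State(enum.Enum):
    OFFLINE = "off-line"
    NON_PROXY = "online: non-proxy"
    PROXY_CANDIDATE = "online: proxy-candidate"
    PROXY = "online: proxy"
    STANDBY = "standby"

CACHING = (State.PROXY, State.PROXY_CANDIDATE)  # states that cache advertisements
ONLINE = CACHING + (State.NON_PROXY,)

@dataclass
class Node:
    name: str
    proxy_capable: bool = False
    ads: tuple = ()
    state: State = State.OFFLINE
    cache: dict = field(default_factory=dict)  # (owner, ad) -> expiry time

class Segment:
    """One broadcast domain: every message reaches every listening node."""

    def __init__(self):
        self.nodes = {}    # name -> Node, kept in join order
        self.proxy = None

    def _cachers(self):
        return [n for n in self.nodes.values() if n.state in CACHING]

    def advertise(self, name, now):
        """Broadcast a node's advertisements (also used to refresh them)."""
        for cacher in self._cachers():
            for ad in self.nodes[name].ads:
                cacher.cache[(name, ad)] = now + AD_TTL

    def join(self, node, now):
        """Off-line -> online: broadcast a join message with advertisements."""
        self.nodes[node.name] = node
        node.state = State.PROXY_CANDIDATE if node.proxy_capable else State.NON_PROXY
        self.advertise(node.name, now)
        self.tick(now)

    def standby(self, name):
        """Standby broadcast. Assumption: cachers hold the sleeper's entries."""
        self.nodes[name].state = State.STANDBY
        for cacher in self._cachers():
            for key in [k for k in cacher.cache if k[0] == name]:
                cacher.cache[key] = float("inf")

    def leave(self, name, now, announce=True):
        """Online -> off-line, with or without a leave message."""
        node = self.nodes[name]
        node.state = State.OFFLINE
        if self.proxy is node:
            self.proxy = None
        if announce:  # a leave message purges the entries at once
            for cacher in self._cachers():
                for key in [k for k in cacher.cache if k[0] == name]:
                    del cacher.cache[key]
        self.tick(now)

    def tick(self, now):
        """Expire stale entries; if no proxy is detected, run the bootstrap."""
        for cacher in self._cachers():
            cacher.cache = {k: e for k, e in cacher.cache.items() if e > now}
        cands = [n for n in self.nodes.values() if n.state is State.PROXY_CANDIDATE]
        if self.proxy is None and cands:
            # Assumption: the earliest joiner wins the race to bootstrap.
            self.proxy = cands[0]
            self.proxy.state = State.PROXY
            for n in self.nodes.values():  # online nodes answer the bootstrap
                if n.state in ONLINE:
                    self.advertise(n.name, now)

    def discover(self, ad, now):
        """Answer a query from the current proxy's cache."""
        cache = self.proxy.cache if self.proxy is not None else {}
        return sorted(o for (o, a), exp in cache.items() if a == ad and exp > now)

def demo():
    """Constructed scenario: proxy crash, a sleeper, a silent departure."""
    seg = Segment()
    seg.join(Node("A", proxy_capable=True), now=0)
    seg.join(Node("B", proxy_capable=True, ads=("printer",)), now=1)
    seg.join(Node("D", ads=("display",)), now=2)
    seg.join(Node("C", ads=("camera",)), now=3)
    out = {"first_proxy": seg.proxy.name}
    seg.standby("C")
    seg.leave("A", now=5, announce=False)   # the proxy vanishes
    seg.leave("D", now=7, announce=False)   # no leave message sent
    out.update(new_proxy=seg.proxy.name, camera=seg.discover("camera", 8),
               display_stale=seg.discover("display", 10))
    seg.tick(40)
    out["display_expired"] = seg.discover("display", 40)
    return out
```

In the constructed run, D stays discoverable after it has gone off-line until its cached entry expires, so a requester can be pointed at a node that is no longer there; an announced leave closes that window at once.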
Figure 2. Sleeper node states and state transitions; online nodes can be in one of four states (Buford et al., 2006)

SSRD

With a view to ensuring enhanced security through a lightweight solution for resource discovery in a pervasive environment, simple and secure resource discovery (SSRD) has been proposed by the researchers in Sharmin et al. (2006a). The fundamental part of the solution is a trust-based, service-oriented adaptive security mechanism built on middleware adaptability for resource discovery, knowledge usability, and self-healing (MARKS), a middleware and framework developed for resource constrained pervasive devices for pervasive applications (Sharmin et al., 2006b). The SSRD unit of
Figure 3. Sleeper groups in broadcast of advertisements; symmetric keys are broadcast with public key encryption (Buford, Celebi, et al., 2006)

Figure 4. Resource discovery model (Sharmin et al., 2006a)
that is unobtrusive to the user and makes it possible to securely provide and discover the services available for the user in a transparent manner. Some of the open issues regarding challenges in secure and private service discovery are highlighted in this section.

Privacy

Although contextual information plays a pivotal role in dynamic pervasive environments, it may also expose private information. When granting access to a service, a person’s context information like location, time, and activity can be exposed. Further, policies and constraints are themselves subject to privacy protection. Private information management, such as the recursive constraint based security model in Hengartner and Steenkiste (2006), is one approach to prevent direct information leakage. However, such mechanisms are generally susceptible to attacks involving collusion and inference.

In a context- and location-sensitive medical application, researchers developed a system for practitioners to easily share context in their work tasks. Subsequently, questions of privacy led the designers to limit access to this information. As another example, the Gaia project has shown a privacy preserving hop by hop routing algorithm that carries information about the location of the user but does not reveal the exact location or identity of the user. Thus the privacy level and willingness of disclosure of personal information varies depending on information type, collection method, time, and other factors. In some scenarios users are reluctant to disclose identity information but do not care about location information. The situation might be reversed in other cases. Formulation of policies that are understood and can be managed by users is an important goal.

Trust

As discussed earlier, a key element for secure service discovery in ad hoc environments is the ability to establish a level of trust between peers. The trust life cycle can be narrated in short as trust formation, evolution, and exploitation. In general, trust is formed by experience through earlier interactions, verifiable properties of party, recommendations from trusted entities, and reputation in a community. The challenges faced during trust establishment are due to the absence of a global trust framework, the large number of autonomous and anonymous entities, the large number of domains, and different trust requirements for a large number of application contexts.

Recent context-aware trust models focus on dynamic trust values, which are updated over time and distance and incorporate behavioral models for evolution of trust. Risk analysis maps each action to possible outcomes associated with a cost/benefit. Decisions consider the likelihood of the risk and cost. Unresolved issues in trust establishment include detecting and preventing collusion, managing the trade-off between privacy and property disclosure, and efficient trust mechanisms in large communities.

Multi-Protocol Environments

The combination of multi-homed mobile devices and multiple service discovery protocols means that service access may cross not only administrative boundaries but also different service discovery domains with varying security properties. As an example, a mobile device may include protocol support for Bluetooth, SLP, and UPnP. Then the device can easily discover services in different domains that it roams to, if these domains use different service discovery protocols. As a multi-homed device, it may simultaneously connect to domains with different service discovery protocols.

As a second example, a single user may have a set of personal mobile devices configured in a PAN. These devices can use the PAN security mechanism for security and privacy control, and identity-based authentication for mutual trust. The PAN may support a specific service discovery protocol. One or more of the devices in the PAN may also connect to outside networks with different service discovery protocols and security mechanisms.

These types of scenarios indicate that future mobile devices may need to operate in multiple
security contexts. In these cases there is the potential for conflicting access policies and unanticipated information flows between different regions. Further, there are challenges in managing groups across domains and mapping service semantics and identities between different domains.

services that may be created from different service sources. Composition trust bindings (Buford, Kumar, et al., 2006) are one approach for providing trust in both control and data paths in peer-to-peer service composition.

Figure 5. Conceptual diagram of SSRD model (Sharmin et al., 2006b)
Chen, Y., Jensen, C., Gray, E., Cahill, V., & Seigneur, J. (2003). A general risk assessment of security in pervasive computing (Tech. Rep. No. TCD-CS-2003-45). The University of Dublin, Trinity College, Department of Computer Science.

Cotroneo, D., Graziano, A., & Russo, S. (2004). Security requirements in service oriented architectures for ubiquitous computing. In Proceedings of the Second Workshop on Middleware for Pervasive and Ad-hoc Computing (pp. 172-177).

Czerwinski, S., Zhao, B., Hodes, T., Joseph, A., & Katz, R. (1999). An architecture for a secure service discovery service. In Fifth Annual International Conference on Mobile Computing and Networks (MobiCom ’99) (pp. 24-35).

Ganu, S., Krishnakumar, A., & Krishnan, P. (2004). Infrastructure-based location estimation in WLAN networks. In IEEE Wireless Communications and Networking Conference (WCNC) (pp. 465-470).

Garlan, D., Siewiorek, D., Smailagic, A., & Steenkiste, P. (2002). Project Aura: Towards distraction-free pervasive computing. IEEE Pervasive Computing, 1(2), 22-31.

Goldberg, I., Gribble, S., Wagner, D., & Brewer, E. (1999). The Ninja jukebox. In Proceedings of the Second USENIX Symposium on Internet Technologies and Systems (USITS-99) (pp. 37-46).

Gribble, S., Welsh, M., Von Behren, R., Brewer, E., Culler, D., Borisov, N., et al. (1999). Service location protocol version 2 (RFC 2608). Retrieved from http://www.faqs.org/rfcs/rfc2608.html

He, R., Niu, J., Yuan, M., & Hu, J. (2004). A novel cloud-based trust model for pervasive computing. In The Fourth International Conference on Computer and Information Technology (CIT ’04) (pp. 693-700).

Hengartner, U., & Steenkiste, P. (2006). Avoiding privacy violations caused by context-sensitive services. In Proceedings of the Fourth Annual IEEE International Conference on Pervasive Computer and Communications (PerCom 2006) (pp. 222-233).

Hess, A., Jacobson, J., Mills, H., Wamsley, R., Seamons, K., & Smith, B. (2002). Advanced client/server authentication in TLS. In Network and Distributed System Security Symposium.

Joseph, A., Katz, R., Mao, Z., Ross, S., & Zhao, B. (2001). The Ninja architecture for robust Internet-scale systems and services. Computer Networks, 35(4), 473-497.

Kagal, L., Finin, T., & Joshi, A. (2001). Trust-based security in pervasive computing environments. IEEE Computer, 34(12), 154-157.

Kagal, L., Finin, T., Joshi, A., & Greenspan, S. (2006). Security and privacy challenges in open and dynamic environments. IEEE Computer, 39(6), 89-91.

Kagal, L., Korolev, V., Avancha, S., Joshi, A., Finin, T., & Yesha, Y. (2001). Highly adaptable infrastructure for service discovery and management in ubiquitous computing (Tech. Rep. No. TR CS-01-06). Baltimore: University of Maryland, Department of Computer Science and Electrical Engineering.

Kagal, L., Korolev, V., Chen, H., Joshi, A., & Finin, T. (2001). Project Centaurus: A framework for intelligent services in a mobile environment. In International Workshop of Smart Appliances and Wearable Computing, International Conference of Distributed Computing Systems (pp. 195-201).

Kindberg, T., & Fox, A. (2002). System software for ubiquitous computing. IEEE Pervasive Computing, 1(1), 70-81.

Kopp, H., Lucke, U., & Tavangarian, D. (2005). Security architecture for service-based mobile environment. In Proceedings of the Third IEEE Conference on Pervasive Computing and Communications Workshops (pp. 199-203).

Lee, C., & Helal, S. (2002). Protocols for service discovery in dynamic and mobile networks. International Journal of Computer Research, 11(1), 1-12.

Matsumiya, K., Tamaru, S., Suzuki, G., Nakazawa, J., Takashio, K., & Tokuda, H. (2004). Improving security for ubiquitous campus applications. In Symposium on Applications and the Internet-Workshops (SAINT 2004) (pp. 417-422).

Sharmin, M., Ahmed, S., & Ahamed, S. (2006a). MARKS (middleware adaptability for resource discovery, knowledge usability, and self healing)
in pervasive computing environments. In Third
Microsoft Corporation. (2000). Universal plug and
International Conference on Information Technol-
play device architecture, Version 1.0.
ogy: New Generations (pp. 306-313).
Miller, B., Nixon, T., Tai, C., & Wood, M. (2001).
Sharmin, M., Ahmed, S., & Ahamed, S. (2006b). An
Home networking with universal plug and play.
adaptive lightweight trust reliant secure resource
IEEE Communications Magazine,(12), 93 104-
discovery for pervasive computing environments.
109.
In Proceedings of the fourth annual IEEE inter-
Minami, K., & Kotz, D. (2005). Secure context- national conference on pervasive computer and
sensitive authorization. In Proceedings of the Third communications (PerCom)026 (pp. 258-263).
International Conference on Pervasive Computing
Sharmin, M., Ahmed, S., & Ahamed, S. (2006c).
and Communications Workshops (PerCom) 502
SSRD+: A privacy-aware trust and security model
(pp. 257-268).
for resource discovery in pervasive computing
Nidd, M. (2001). Service discovery in DEAPspace. environment. In 30th Annual International Com-
IEEE Personal Communications, 8(4), 39-45. puter Software and Applications Conference
COMPSAC
( )026 (pp. 67-70).
Pearson, S. (2005). How trusted computers can
enhance privacy preserving mobile applications. Smith, B., Seamons, K., & Jones, M. (2004). Re-
In Proceedings of the Sixth International IEEE sponding to policies at runtime in TrustBuilder. In
Symposium on a World of Wireless Mobile and Fifth International Workshop on Policies for Dis-
Multimedia Networks (WoWMoM’0(pp. )5 609- tributed Systems and Networks (POLICY 2004).
613).
Stajano, F. (2002). Security for ubiquitous com-
Robinson, P., Vogt, H., & Wagealla, W. (Eds.). puting. West Sussex, England: John Wiley and
(2005). Privacy, security and trust within the con- Sons.
text of pervasive computing. Heidelberg, Germany:
Stajano, F., & Anderson, R. (2002). The resur-
Springer-Verlag.
recting duckling: Security issues for ubiquitous
Saha, S., Chaudhuri, K., Sanghi, D., & Bhagwat, computing. IEEE Computer, 5 3 (4), 22-26.
P. (2003). Location determination of a mobile de-
Sun Microsystems. (2001). Jini™ technology core
vice using IEEE 802.11b access point signals. In
platformspecification,version.2 1
IEEE Wireless Communications and Networking
Conference (WCNC) (pp. 1987-1992). Thomas, R., & Sandhu, R. (2004). Models, pro-
tocols, and architectures for secure pervasive
Satyanarayanan, M. (1996). Fundamental chal-
computing: challenges and research directions. In
lenges in mobile computing. In Fifteenth ACM
Second IEEE International Conference on Perva-
Symposium on Principles of Distributed Comput-
sive Computing and Communications—Workshops
ing (pp. 1-7).
(PerCom 2004) (pp. 164-168).
Seamons, K., Winslett, M., & Yu, T. (2001). Limit-
Tripathi, A., Ahmed, T., Kulkarni, D., Kumar,
ing the disclosure of access control policies dur-
R., & Kashiramka, K. (2004). Context-based
ing automated trust negotiation. In Network and
secure resource access in pervasive computing
Distributed System Security Symposium.
environments. In Second IEEE Annual Confer-
Shankar, N., & Arbaugh, W. (2002). On trust for ence on Pervasive Computing and Communica-
ubiquitous computing. Workshop on security in tions—Workshops. (p. 159).
ubiquitous computing (UBICOMP 2002).
Undercoffer, J., Perich, F., Cedilnik, A., Kagal, L., & Joshi, A. (2003). A secure infrastructure for service discovery and access in pervasive computing. Mobile Networks and Applications, 8(2), 113-125.
Want, R., & Pering, T. (2005). System challenges for ubiquitous and pervasive computing. In Twenty-seventh International Conference on Software Engineering (ICSE 2005) (pp. 9-14).
Weiser, M. (1991). The computer for the twenty-first century. Scientific American, 265(3), 94-104.
Weiser, M. (1993). Some computer science problems in ubiquitous computing. Communications of the ACM, 36(7), 75-84.
Winoto, W., Schwartz, E., Balakrishnan, H., & Lilley, J. (1999). The design and implementation of an intentional naming system. In 17th ACM Symposium on Operating Systems Principles (SOSP '99) (pp. 186-201).
Winslett, M. (2003). An introduction to automated trust establishment. First international conference on trust management.
Wu, C., Fu, L., & Lian, F. (2004). WLAN location determination in e-home via support vector classification. In IEEE Conference on Networking, Sensing & Control (pp. 1026-1031).
Youssef, M., Agrawala, A., & Udaya, A. (2003). WLAN location determination via clustering and probability distributions. In Proceedings of the First Annual IEEE International Conference on Pervasive Computer and Communications (PerCom 2003) (pp. 143-150).
Yu, T., & Winslett, M. (2003). A unified scheme for resource protection in automated trust negotiation. In IEEE Symposium on Security and Privacy (pp. 110-122).
Zhu, F., Mutka, M., & Ni, L. (2002). Classification of service discovery in pervasive computing environments (Tech. Rep. No. MSU-CSE-02-24). East Lansing: Michigan State University.
Zhu, F., Mutka, M., & Ni, L. (2003). Splendor: A secure, private, and location-aware service discovery protocol supporting mobile services. In Proceedings of the First IEEE Conference on Pervasive Computing and Communications (PerCom 2003) (pp. 235-242).
Zhu, F., Mutka, M., & Ni, L. (2004). PrudentExposure: A private and user-centric service discovery protocol. In Proceedings of the Second IEEE Conference on Pervasive Computing and Communications (PerCom 2004) (pp. 329-340).
Zhu, F., Mutka, M., & Ni, L. (2005). Expose or not? A progressive exposure approach for service discovery in pervasive computing environments. In Proceedings of the Third IEEE Conference on Pervasive Computing and Communications (PerCom 2005) (pp. 225-234).
Zhu, F., Mutka, M., & Ni, L. (2006). A private, secure, and user-centric information exposure model for service discovery protocols. IEEE Transactions on Mobile Computing, 5(4), 418-429.
Zimmermann, P. (1995). PGP source code and internals. Cambridge, MA: MIT Press.

Key Terms

Context: Context is the location, time, and activity state of the user when performing a service-related operation such as discovery, advertisement, or invocation.

Federated Discovery: Federated discovery is a service discovery mechanism that incorporates two or more different service advertisement mechanisms.

Meta Discovery: Meta discovery is the discovery of a service discovery mechanism by using meta information about that mechanism (Buford, Brown et al., 2006).

Peer Trust: Peer trust is the degree to which a peer device is willing to disclose information or provide access to resources to another peer, and which may be determined by experience through earlier interactions, verifiable properties of each party, recommendations from trusted entities, and reputation in a community.

Pervasive Computing: Pervasive computing is the evolution of distributed computing in which networked computing devices are integrated throughout the personal and work environments in a connected way, also referred to as ubiquitous computing.

Secure Service Discovery: Secure service discovery is service discovery that enforces privacy and security policies of the devices participating in the service location process.

Service Composition: Service composition is the ability to dynamically discover and combine component services to form new services.

Service Discovery: Service discovery occurs when device resources and functions are packaged as services, in a networked environment, and a device finds another device capable of offering a specific service or resource.

Chapter III
Security of Mobile Code
Zbigniew Kotulski
Polish Academy of Sciences, Warsaw, Poland
Warsaw University of Technology, Poland
Aneta Zwierko
Warsaw University of Technology, Poland
Abstract
The recent development in mobile technology (mobile phones, middleware, wireless networks, etc.)
created a need for new methods of protecting the code transmitted through the network. The oldest
and simplest mechanisms concentrate more on the integrity of the code itself and on the detection of
unauthorized manipulation. The newer solutions secure not only the compiled program, but also the
data that can be gathered during its “journey,” and even the execution state. Some other approaches
are based on prevention rather than detection. In this chapter we present a new idea of securing mobile
agents. The proposed method protects all components of an agent: the code, the data, and the execution
state. The proposal is based on a zero-knowledge proof system and a secure secret sharing scheme, two
powerful cryptographic primitives. Next, the chapter includes a security analysis of the new method and
its comparison to other currently more widespread solutions. Finally, we propose a new direction of
securing mobile agents by strengthening the methods of protecting integrity of the mobile code with risk
analysis and a reputation system that helps avoid high-risk behavior.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
The mobile agent systems offer new possibilities for the e-commerce applications: creating new types of electronic ventures from e-shops and e-auctions to virtual enterprises and e-marketplaces. Utilizing the agent system helps to automate many e-commerce tasks. Beyond simple information gathering tasks, mobile agents can take over all tasks of commercial transactions, namely, price negotiation, contract signing, and delivery of (electronic) goods and services. Such systems are developed for diverse business areas, for example, contract negotiations, service brokering, stock trading, and many others (Corradi, Cremonini, Montanari, & Stefanelli, 1999; Jansen & Karygiannis, 1999; Kulesza & Kotulski, 2003). Mobile agents can also be utilized in code-on-demand applications (Wang, Guan, & Chan, 2002). Mobile agent systems have advantages even over grid computing environments:

• Require less network bandwidth
• Increase asynchrony among clients and servers
• Dynamically update server interfaces
• Introduce concurrency

The benefits from utilizing the mobile agents in various business areas are great. However, this technology brings some serious security risks; one of the most important is the possibility of tampering with an agent. In mobile agent systems the agent’s code and internal data autonomously migrate between hosts and can be easily changed during the transmission or at a malicious host site. The agent cannot itself prevent this, but different countermeasures can be utilized in order to detect any manipulation made by an unauthorized party. They can be integrated directly into the agent system, or only into the design of an agent to extend the capabilities of the underlying agent system.

Several degrees of agent’s mobility exist, corresponding to possibilities of relocating code and state information, including the values of instance variables, the program counter, execution stack, and so forth. The mobile agent technologies can be divided into two groups:

• Weakly mobile: Only the code is migrating; no execution state is sent along with an agent program
• Strongly mobile: A running program is moving to another execution location (along with its particular state)

The protection of the integrity of the mobile agent is the most crucial requirement for the agent system. The agent’s code and internal data autonomously migrate between hosts and can be easily changed during the transmission or at a malicious host site. A malicious platform may make subtle changes in the execution flow of the agent’s code; thus, the changes in the computed results are difficult to detect. The agent cannot itself prevent this, but different countermeasures can be utilized in order to detect any manipulation made by an unauthorized party. They can be integrated directly into the agent system, or only into the design of an agent to extend the capabilities of the underlying agent system. However, the balance between the security level and solution implementation’s cost, as well as performance impact, has to be preserved. Sometimes, some restrictions of agent’s mobility may be necessary.

Accountability is also essential for the proper functioning of the agent system and establishing trust between the parties. Even an authenticated agent is still able to exhibit malicious behavior to the platform if such a behavior cannot later be detected and proved. Accountability is usually realized by maintaining an audit log of security-relevant events. Those logs must be protected from unauthorized access and modification. Also the non-repudiability of logs is a huge concern. An important factor of accountability is authentication. Agents must be able to authenticate to platforms and other agents and vice versa. An agent may require different degrees of authentication depending on the level of sensitivity of the data.

The accountability requirement needs also to be balanced with an agent’s need for privacy. The platform may be able to keep the agent’s identity secret from other agents and still maintain a form of revocable anonymity where it can determine the agent’s identity if necessary and legal. The security policies of agent platforms and their auditing requirements must be carefully balanced with agent’s privacy requirements.

Threats to security generally fall into three main classes: (1) disclosure of information, (2) denial of service, and (3) corruption of information (Jansen, 1999). Threats in agent system can be categorized with regard to agents and platform relations (e.g., agent attacking an agent, etc.). Another taxonomy of attacks in agent system was proposed in Man and Wei (2001). The article describes two main categories of attacks: purposeful and frivolous. The first kind is carefully planned and designed and can be further classified by the nature of attack (read or non-read) and number of attackers (solo or collaborative). During the second kind of attacks, the attacker may not know the effect of his/her actions or gain an advantage. These attacks can be random or total. Another category of attacks is connected with traffic analysis (Kulesza, Kotulski, & Kulesza, 2006) or called blocking attacks (when a malicious platform refuses to migrate the agent), as described by Shao and Zhou (2006). In this chapter we will focus on the threats from an agent’s perspective.

Among the mentioned threats, the most important are connected with the agent platform since the most difficult to ensure is the agent’s code/state integrity. There are two main concepts for protecting mobile agent’s integrity:

• Providing trusted environment for agent’s execution
• Detection or prevention of tampering

The first group of methods is more concentrated on the whole agent system than on an agent in particular. These seem to be easier to design and implement but, as presented in Oppliger (2000), mostly lead to some problems. The assumption that an agent works only with a group of trusted hosts makes the agent less mobile than it was previously assumed. Also an agent may need different levels of trust (some information should be revealed to host while in another situation it should be kept secret). Sometimes, it is not clear in advance that the current host can be considered as trusted. A method to provide such an environment is special tamper-resistant hardware, but the cost of such a solution is usually very high.

The second group of methods provides the agents’ manager with tools to detect that the agent’s data or code has been modified, or an agent with a mechanism that prevents a successful, unauthorized manipulation. In this chapter we concentrate on the “built-in” solutions because they enable an agent to stay mobile in the strong sense and, moreover, provide the agent with mechanisms to detect or prevent tampering. Detection means that the technique is aimed at discovering unauthorized modification of the code or the state information. Prevention means that the technique is aimed at preventing changes of the code and the state information in any way. To be effective, detection techniques are more likely than prevention techniques to depend on legal or other social framework. The distinction between detection and prevention can be sometimes arbitrary, since prevention often involves detection (Jansen, 2000).

Background

Many authors proposed methods for protecting integrity of the mobile code. The most interesting of them are presented in this section.

Time Limited Black-Box Security and Obfuscated Code

These methods are based on a black-box approach. The main idea of the black-box is to generate executable code from a given agent’s specification that cannot be attacked by read (disclosure) or modification attacks. An agent is considered to be black-box if at any time the agent code cannot be attacked in the previous sense, and if only its input and output can be observed by the attacker. Since it is not possible to implement it today, the relaxation of this notion was introduced by Hohl (1998): it is not assumed that the black-box protection holds forever, but only for a certain known time. According to this definition, an agent has the time-limited black-box property if for a certain known time it
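The accountability passage above asks for an audit log of security-relevant events that is protected from modification. The following is an added example, not code from the chapter or its authors: a tamper-evident log in which each entry's HMAC covers the previous entry's HMAC, so editing, dropping, or truncating entries is detected. The key, event fields, and host names are constructed for illustration, and an HMAC only proves integrity to holders of the key, so the non-repudiation the text mentions would need a digital signature over the log head instead.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain value that precedes the first entry

# Constructed sample events (agent ids, hosts and actions are illustrative).
SAMPLE_EVENTS = [
    {"agent": "agent-17", "action": "arrive", "host": "platform-A"},
    {"agent": "agent-17", "action": "authenticate", "result": "ok"},
    {"agent": "agent-17", "action": "read", "resource": "price-list"},
    {"agent": "agent-17", "action": "migrate", "to": "platform-B"},
]


def entry_mac(key, prev_mac, seq, event):
    """HMAC-SHA256 over the previous MAC, the sequence number and the event."""
    body = json.dumps({"prev": prev_mac, "seq": seq, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log kept by a platform; every entry commits to its predecessor."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        seq = len(self.entries)
        mac = entry_mac(self._key, prev, seq, event)
        self.entries.append({"seq": seq, "event": event, "mac": mac})
        return mac  # the new head; store it somewhere the platform cannot rewrite


def verify(entries, key, expected_head=None):
    """Return (ok, reason). expected_head is the last MAC recorded off-platform;
    without it, removal of trailing entries cannot be detected."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry.get("seq") != i:
            return False, f"entry {i}: sequence gap or reordering"
        want = entry_mac(key, prev, i, entry["event"])
        if not hmac.compare_digest(want, entry.get("mac", "")):
            return False, f"entry {i}: MAC mismatch"
        prev = entry["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "head mismatch: log truncated or replaced"
    return True, "ok"


def tamper_cases(key=b"constructed-demo-key"):
    """Build a log from SAMPLE_EVENTS and return the verdict for each manipulation."""
    log = AuditLog(key)
    head = ""
    for event in SAMPLE_EVENTS:
        head = log.append(event)
    edited = copy.deepcopy(log.entries)
    edited[2]["event"]["resource"] = "newsletter"  # rewrite what was read
    dropped = log.entries[:1] + log.entries[2:]     # remove entry 1
    truncated = log.entries[:-1]                    # hide the migration
    return {
        "intact": verify(log.entries, key, head),
        "edited": verify(edited, key, head),
        "dropped": verify(dropped, key, head),
        "truncated": verify(truncated, key, head),
        "truncated_no_head": verify(truncated, key),
    }


if __name__ == "__main__":
    for name, verdict in tamper_cases().items():
        print(f"{name:18} {verdict}")
```

The last case passes verification on purpose: a chain alone cannot show that trailing entries were cut off, which is why the head value has to be recorded outside the platform being audited.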
mobile devices, but also for sharing of resources between devices. There are four elements found in the service-oriented approach: (1) service description, which provides an interchangeable way for devices to describe the service and its use; (2) service registration or advertisement on behalf of the service provider; (3) service discovery by devices seeking a service; and (4) service invocation, which is a protocol by which a service requester and service provider coordinate to deliver a service. Propagation of service advertisements can be using pull (query), push (announcement), or a combination of pull and push. In addition, the ability to dynamically discover and combine component services to form new services is referred to as service composition.

Broadband wireless technologies such as WiMax, UWB, and 802.11n are bringing broadband connectivity to mobile CE devices. These devices will be able to switch between different network access technologies. This has the following consequences for service discovery in pervasive computing:

• Due to broadband connectivity, devices will be able to participate in media-rich and sophisticated resource sharing.
• Wide-area service discovery and location-based discovery will grow in importance due to the combination of increased connectivity and wide-area roaming.
• The ability to act as multi-homed devices means that devices will have increased connectivity but also an increased rate of transitions due to roaming between different networks.
• Devices will be able to simultaneously participate in a personal area network (PAN), home networks, and wireless area networks (WANs) with different security and trust properties. In PANs and home networks, mediation of service discovery between networks is needed, in which devices such as gateways proxy or intermediate service discovery between network domains.
• Device-to-device interaction will grow in importance to users for applications such as content sharing, communication, and gaming.

Due to these trends, richer models of discovery are being considered such as federated discovery, meta discovery, and semantic discovery (Buford, Brown, & Kolberg, 2006; Buford, Celebi, & Frankl, 2006).

Consequently, it is important for wireless devices to securely participate in service discovery with other devices that are outside the immediate administrative security domain. Further, these devices interact with other devices in an ad hoc
leads to the dependency on other devices for resources. The nature of devices, communication patterns, and dependency on other devices in turn causes security vulnerabilities. Due to the ad hoc connectivity and dynamic nature of the population
-mittent and short-lived. Moreover, multiple devices
responsive service discovery model.

Thus far, we have discussed the general view of and motivation for service discovery for mobile devices. The rest of the chapter is organized as follows: The next section summarizes the security goals for service discovery and presents a model for service discovery in pervasive computing. The third section surveys present unsecured service discovery models. The fourth section surveys existing secure service discovery models, organized into three different categories. Two case studies of service discovery protocols that incorporate trust-based mechanisms are described in the
sections summarize important research issues and conclusions.

-covery is well established (Matsumiya et al., 2004; Stajano, 2002; Stajano & Anderson, 2002). Privacy, security, and trust issues in service discovery in the
pervasive computing area are of utmost importance (Robinson et al., 2005). Thus, the service discovery process demands models that ensure the privacy and security of the user. In particular, this privacy and security should encompass:

• Authentication: Does the user and device actually have the indicated identity?
• Authorization: Does the user have access rights for issuing service advertisements, requesting services, and invoking services?
• Trust: Are the participating user and device trusted? Are the service and its components trusted?
• Privacy: Is only the approved information shared between the given users/devices during service discovery, advertisement and invocation (SDAI) operations? Is disclosure to unauthorized users prevented?
• Vulnerability to attack and misuse: Are the SDAI operations protected from attacks such as denial-of-service, spoofing, replay, and man-in-the-middle? Are the SDAI operations protected from misuse in enabling such attacks on other network components?

An important question is what security, privacy, and trust mechanisms are provided by the wireless network. IEEE 802.11i, also known as WiFi Protected Access 2 (WPA2), replaced Wired Equivalent Privacy (WEP) with stronger encryption and a new authentication mechanism incorporating an authentication server such as remote authentication dial in user service (RADIUS). This mechanism while suitable for enterprise deployment has had limited use in home networks because of complex administration and in public hot spots due to difficulty administering shared keys. Thus, in the best case, a set of devices are authenticated in a single administrative domain, and the authentication server can be used to support authorization policies including policies related to service discovery and use. Network packets between authenticated users are encrypted, providing communication privacy from non-authenticated parties. However, these security capabilities cover only a subset of the aforementioned security goals and are limited to single administrative domains. For interactions crossing administrative boundaries, or without infrastructure support, other mechanisms are needed.

Further, traditional security mechanisms do not work well in this environment because the devices are computationally limited and the notion of physical security is not applicable (Kagal, Finin, & Joshi, 2001). Then, considering the choices of totally sacrificing security versus imposing a full-fledged security structure similar to desktops and laptops, the question is whether there is any middle ground. Ensuring varying levels of security for various services is a research challenge. The insufficiency of user/device identity for trust is another concern in designing a discovery model, and techniques for peer trust and risk assessment (Chen, Jensen, Gray, Cahill, & Seigneur, 2003) are important tools to address this.

Desired characteristics of a secure and private service discovery model are summarized next.

• Adaptive: The trust value and security level should be adaptable depending on the service itself, the service provider, and the service requester.
• Trust reliant: The model should consider trust relationships among devices. Where no prior information is available, reputation, recommendation, or trust negotiation schemes can be used. If these are unsuitable, then risk assessment can be used.
• Infrastructure independence: No infrastructure support (e.g., powerful servers, proxies) should be required. Then the model should work independently without any external support, but be able to leverage infrastructure where it exists.
• Lightweight: The model should be lightweight in terms of executable file size.
• Service oriented: To control service security modularly, service discovery models should be service oriented.
• Graceful performance degradation: The model should not put much overhead on the performance of the device, and performance should degrade gracefully for more advanced security features.
• Energy efficient: Service discovery models should be energy conserving, for example, avoiding continuous broadcasting or polling.

A classification and detailed survey of service discovery models can be found in Zhu, Mutka, and Ni (2002). Service-oriented architectures (SOA) and their security are discussed in Cotroneo, Graziano, and Russo (2004). We classify existing service discovery models into two broad categories. First are service discovery models that do not address security issues (Balazinska, Balakrishnan, & Karger, 2002; Microsoft, 2000; Miller, Nixon, Tai, & Wood, 2001; Nidd, 2001; Winoto, Schwartz, Balakrishnan, & Lilley, 1999). Second, there are models that consider a full-fledged security mechanism with the help of infrastructure support (Czerwinski, Zhao, Hodes, Joseph, & Katz, 1999; Zhu, Mutka, & Ni, 2003, 2004). The next two sections discuss examples of these cases, and Table 1 compares the key features of the surveyed systems.

Service Discovery Models without Inherent Security

We describe several designs that do not address security requirements. Nevertheless these models are important either because the systems are widely used, are representative approaches, or could be secured by additional mechanisms in a secure network. The designs we discuss are Bluetooth, DEAPSpace, and Intentional Naming System (INS).

Bluetooth (Bluetooth Special Interest Group [SIG], 2001a, 2001b) is a pull protocol. Device information, services, and the characteristics of the services are queried and connections between two or more Bluetooth devices are established. This facilitates user selection, scope-awareness, and both unicast and broadcast communication. A Bluetooth device returns all matched resource information.

Nidd (2001) developed the DEAPSpace service discovery method for ad hoc and mobile device applications. Each node broadcasts its advertisement of local services. After receiving a broadcast, each node updates its service list with information about the other nodes’ services. This service information is included in that node’s subsequent broadcast. Each node is a broadcaster and DEAPSpace uses contention timers at each node so that a node will randomly delay its broadcast after another broadcast is received. DEAPSpace can reduce service discovery time at the cost of increased bandwidth and power consumption.

INS (Winoto et al., 1999) supports both pull and push delivery of service advertisements. It also supports unicast, anycast, and broadcast methods. It offers the best-match resource information and also provides facilities for limited support of context information. In INS each device requests a central name resolver for the type of services it requires, and the resolver replies with the best matched device address.

Secure Service Discovery Models

Most contemporary service discovery models fall into this category. There are some models that include full-fledged security mechanisms, while others rely on simple algorithms for limited security. This category can be subdivided into infrastructure based, infrastructureless, hardware based, and smart-space-oriented security mechanisms. In the following subsections we discuss each of these categories.

Infrastructure-Based Security

UPnP is a specification for connecting multiple devices on a home network so that these devices can invoke services of each other. UPnP defines a set of protocols and a service description format. In addition, UPnP standardizes various service interfaces. UPnP relies on administratively scoped multicast IP address for service discovery, service advertisement, and event delivery. Each UPnP device broadcasts its advertisements when it connects to the network. Thereafter, a UPnP device broadcasts advertisements in response to queries from other devices. These queries may be for all services on the network or a specific service on
Table 1. Comparison of secure service discovery models (SSDS): SSDS (Czerwinski et al., 1999), Ninja (Goldberg, Gribble, Wagner, & Brewer, 1999; Gribble et al., 2001), UPnP (Miller et al., 2001), SPDP (Almenarez & Campo, 2003), Progressive Exposure (Zhu et al., 2004; Zhu, Mutka, & Ni, 2006), Splendor (Kagal, Korolev, Chen, Joshi, & Finin, 2001), Jini (Sun Microsystems, 2001), CSAS (Minami & Kotz, 2005), CSM (Brezillon & Mostefaoui, 2004), AVCM (Shankar & Arbaugh, 2002), CSRA (Tripathi, Ahmed, Kulkarni, Kumar, & Kashiramka, 2004), TRAC (Basu & Callaghan, 2005), SME (Kopp, Lucke, & Tavangarian, 2005), HCA (Pearson, 2005), SSRD (Sharmin, Ahmed, & Ahamed, 2006a), SSRD+ (Sharmin, Ahmed, & Ahamed, 2006b), Centaurus2 (Undercoffer, Perich, Cedilnik, Kagal, & Joshi, 2003), SLP (Barbeau, 1999; Guttman, Perkins, Veizades, & Day, 1999), Sleeper (Buford, Celebi, et al., 2006)

Model | Adaptive | Infrastructure support needed | Service-oriented | Lightweight | Trust aware | Privacy aware | Context aware | Smart space needed
SSDS | No | Yes | No | No | N/A | N/A | N/A | No
Ninja | No | Yes | No | No | N/A | N/A | N/A | No
UPnP | No | N/A | No | No | No | Yes | No | Limited
SPDP | No | No | Yes | No | Yes | N/A | No | No
Progressive Exposure | No | Yes | No | No | No | Yes | Limited | No
Splendor | No | Yes | No | No | Yes | Yes | N/A | No
Jini | No | N/A | No | No | N/A | Yes | N/A | Limited
CSAS | No | No | Yes | No | N/A | N/A | Yes | No
CSM | Yes | No | Yes | No | N/A | N/A | Yes | No
AVCM | Limited | No | Yes | No | Yes | Yes | Yes | No
CSRA | No | Yes | No | No | N/A | N/A | Yes | Yes
TRAC | No | N/A | No | No | Yes | Yes | N/A | Yes
SME | Yes | N/A | N/A | Yes | N/A | Yes | No | N/A
HCA | No | N/A | Yes | No | No | Yes | No | N/A
SSRD | Yes | No | Yes | Yes | Yes | Yes | Limited | No
SSRD+ | Yes | No | Yes | Yes | Yes | Limited | Yes | No
Centaurus | Yes | Yes | No | No | No | N/A | Yes | No
SLP | No | Yes | Yes | Yes | No | No | No | No
Sleeper | Yes | No | Yes | Yes | Yes | Yes | No | No
2. The communication manager mediates communication between clients and networked services.
3. Group membership(s) is maintained and stored by the capability manager.
4. Each client is registered to a specific service manager that ensures security, access rights, and mediates between user client and service client. Service managers maintain a service registry.

Each domain has a root service manager. Static bridges are configured between service managers in different domains. Then clients in separate domains can access services across domains using the root service manager as the context.

In SSDS (Czerwinski et al., 1999), both service advertisement pull (query) and push (announcement) are supported. Service advertisements are stored in a hierarchy of servers. SSDS provides capability-based access control. All information passed between clients and servers is encrypted. A single copy of the resource information is stored and accessed, which makes the system vulnerable to single point failure. Subsequently, the Ninja project (Goldberg et al., 1999; Gribble et al., 2001) added the concept of secure identification of service through SSDS. In Ninja, the CA issues valid certificates and the capability manager authorizes user access to a particular resource. The service providers can also prescribe the conditions (capabilities) that are needed by a user in order to discover a particular service.

The context-sensitive authorization scheme (CSAS) (Minami & Kotz, 2005) provides authorization without a central server or CA. When a CSAS user wants to access a service from a resource, the associated server issues a logical authentication query and sends it to the host of the resource. Each host has a knowledge domain with which it attempts to prove the authorization query. If it fails, it distributes several portions of the proof to multiple hosts. Through this distribution CSAS reduces the computational overhead on any single node. After collecting the sub-proofs from the other hosts, the host of the resource can declare the result of the query to be true or false, thus indicating grant of access or denial respectively. This approach facilitates confidentiality, integrity, and scalability. To authorize access, CSAS uses previously stored information, which may be difficult to collect for users in an ad hoc network.

Splendor (Zhu et al., 2003) is a secure, private, and location-aware service discovery protocol. Splendor adapts depending on the network environment to use either a client-service model or client-service-directory model. Proxies are used to offload workload for mobile services. Mobile services authenticate with proxies and proxies handle registration. In these situations, proxies are considered to be trusted servers. However, if no trusted server is available in an environment, then there is no agent to handle the registration. Its security model is based on mutual authentication.

Progressive Exposure (Zhu et al., 2004, 2006) is a secure service discovery approach. It addresses privacy issues using a mutual matching technique. Progressive exposure addresses security and fairness by not exposing too much information. In each round of message exchange between communicating parties, it tries to find whether any mismatch occurs. In case of a mismatch, the communication stops. It uses one-time code words and a hash-based message authentication code. It considers the presence of one user and one service provider, but it does not address situations in which many users and many service providers are present. When a service provider leaves the network, the process of provider lookup and the authentication phase is restarted. It provides privacy for service information, requests, domain identity, and user credentials, and is based on the client-service-directory model.

Infrastructure-less security

SPDP (Almenarez & Campo, 2003) is a secure service discovery protocol based on the PTM (Almenarez, Marin, Campo, & Garcia, 2004; Almenarez, Marin, Dyaz, & Sanchez, 2006) model. The need for a centralized server is avoided by having each device act as its own CA. For a service request, this model uses broadcast messaging. The requesting device updates its cache after getting a
reply from the devices (if any reply). It then stores the device identities that it believes trustworthy. The devices’ user agents continually listen for messages, which in turn means continual energy consumption.

Narendar Sarkar et al. (Shankar & Arbaugh, 2002) propose an attribute vector calculus (AVCM) for modeling trust. Their model describes both identity-based trust and context-based trust and is one of the first models that discusses the importance of trust in a ubiquitous environment. Brezillon and Mostefaoui (2004) present a context-based security model (CSM) and they discuss the need for adaptive security based on the particular situation. Thomas and Sandhu (2004) present the challenges and research issues for secure pervasive computing. They express the need for a dynamic trust model as the pervasive computing environment poses new kinds of security challenges due to its diverse nature. They present a socio-technical view.

A smart space provides devices with complex computational support that supports context-awareness and collaboration. Components of the smart space can offload secure discovery tasks and relate them to other activities in the space. Examples include context-based secure resource access (CSRA) (Tripathi et al., 2004) and trust-based architecture (TRAC) (Basu & Callaghan, 2005).

CSRA (Tripathi et al., 2004) focuses on context-aware discovery of resources and how to access resources in a secure and unobtrusive manner. In a pervasive computing environment the rules and limitations imposed by the user, system, and the collaborative activity scenario have to be combined dynamically at runtime. CSRA uses a namespace related to each user and domain. These namespaces collect resources, services, and activities. The binding protocol defines the association of a user to a specific resource in the space. The binding changes based on the contextual information of the user including the location, activity, and role. A descriptor is associated with each namespace that combines functional attributes collected from resource descriptions in Web services description language (WSDL) and resource description framework (RDF) conditions for security, and policies for the binding protocol. The binding protocol specifies whether the binding of a resource is “shared” or “private,” and whether the binding is “permanent” or “context-based.”

Basu and Callaghan (2005) present a TRAC for increasing security and user confidence in pervasive computing systems. They use trust and role-based access control for ensuring security and privacy. However their model is aimed at an intelligent environment (IE) only. This policy-based model allows users to define policies for themselves and thus gives users control to define their own security level. This model works in an IE because every user is known beforehand. However, in a truly pervasive environment it is not possible to have prior information about every user and thus, this model is not applicable.

We next describe two service discovery protocols, Sleeper and SSRD, which incorporate trust models for infrastructure-less security.

Sleeper

Sleeper (Buford, Celebi, et al., 2006) is an energy-preserving service discovery protocol which features dynamic proxy selection for advertisement and discovery so that nodes can go to power standby while the proxy advertises on their behalf. The basic node states and transitions for Sleeper are shown in Figure 2. An off-line or disconnected node moves to an online state and broadcasts a join message that includes its advertisements and their popularity metrics. The current proxy caches these advertisements. Any proxy-candidate node may also cache these advertisements. An online node may broadcast a leave message prior to going off-line; if a leave message is not transmitted, advertisements may be purged from the proxy and other online nodes’ cache by expiration. Transitions to/from standby state may also be indicated by broadcast messages.
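The round-by-round exchange described earlier in this section for Progressive Exposure can be sketched in a few lines. This is an added illustration, not code from Zhu et al. or from this chapter: it assumes both sides derive HMAC-SHA256 one-time code words from a shared domain secret and a session nonce, and the names `oneTimeCode` and `Expose`, the role labels and the chunk size are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// oneTimeCode derives a per-session code word from a domain secret.
// Secret, nonce and role labels are assumptions of this sketch.
func oneTimeCode(secret, nonce []byte, role string) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(nonce)
	m.Write([]byte(role))
	return m.Sum(nil)
}

// Outcome records how far the exchange got and how much each side revealed.
type Outcome struct {
	Matched     bool
	Rounds      int // rounds in which both directions verified
	UserBits    int // bits of the user's code word that were sent
	ServiceBits int // bits of the service's code word that were sent
}

// Expose alternates chunk-byte pieces of each party's code word. Each side
// checks the piece it receives against what its own secret predicts and
// stops replying at the first mismatch.
func Expose(userSecret, serviceSecret, nonce []byte, chunk int) Outcome {
	if chunk < 1 {
		chunk = 1
	}
	// What each side sends.
	userSends := oneTimeCode(userSecret, nonce, "user")
	svcSends := oneTimeCode(serviceSecret, nonce, "service")
	// What each side expects to receive, computed from its own secret only.
	svcExpects := oneTimeCode(serviceSecret, nonce, "user")
	userExpects := oneTimeCode(userSecret, nonce, "service")

	var out Outcome
	for off := 0; off < len(userSends); off += chunk {
		end := off + chunk
		if end > len(userSends) {
			end = len(userSends)
		}
		out.UserBits = 8 * end
		if !hmac.Equal(userSends[off:end], svcExpects[off:end]) {
			return out // service goes silent: it has revealed nothing new
		}
		out.ServiceBits = 8 * end
		if !hmac.Equal(svcSends[off:end], userExpects[off:end]) {
			return out // user goes silent
		}
		out.Rounds++
	}
	out.Matched = true
	return out
}

func main() {
	nonce := []byte("constructed-session-nonce") // constructed sample value
	fmt.Printf("same domain:      %+v\n", Expose([]byte("domain-A"), []byte("domain-A"), nonce, 1))
	fmt.Printf("different domain: %+v\n", Expose([]byte("domain-A"), []byte("domain-B"), nonce, 1))
}
```

With matching secrets all 32 one-byte rounds complete; with different secrets the exchange stops within a few bits, and the side that speaks first has revealed at most one chunk more than the other.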
An online node can be in one of four states (Figure 2). Every node initially goes online as a non-proxy node. A proxy-capable node becomes a proxy-candidate. There may be more than one proxy-candidate at any time. When no proxy is detected, for example by absence of a service advertisement broadcast or at the exit of a proxy, the first proxy-candidate to issue the proxy bootstrap becomes the proxy. A vacating proxy may transfer its cache to the new proxy, or the new proxy may collect advertisements from online nodes through the bootstrap. Nodes which are in standby state during the proxy change may be polled by the new proxy after the standby node transitions to online.

Figure 2. Sleeper node states and state transitions; online nodes can be in one of four states (Buford et al., 2006)

Sleeper uses property-based peer trust to secure service discovery operations. In property-based or credential-based trust (Hess et al., 2002; Seamons, Winslett, & Yu, 2001), each party has a set of certified attributes (e.g., credit card numbers, employee ID) that are exchanged to establish mutual trust. The typical components of a mechanism to provide property-based trust include:

• Trust negotiation protocol
• Trust negotiation policies
• Credentials

A method for trust negotiation has been defined for client-server context (Hess et al., 2002; Seamons et al., 2001). In this design, access control policies determine which credentials, services, and policies should be disclosed during a negotiation. Policies and credentials are secured locally at each node but are disclosed during negotiation to the remote party. Sleeper nodes establish mutual trust using the trust negotiation mechanism defined in Buford, Park, and Perkins (2006). Assuming that each peer caches public keys for certificate issuers that are relevant to its peer trust policies, then peer trust establishment can be performed without a centralized authority. A service discovery mechanism is privacy preserving, if a peer can discover the service description using the mechanism only if the peer satisfies the criteria C. Thus a mechanism that only distributes service descriptions to peers which are members of group G with criteria C is privacy preserving. Sleeper uses trust negotiation to create groups of peers that satisfy membership criteria C. Group management is provided by a group service (GS) that is available at every peer. The GS caches private service descriptions for each group and allows only group members to retrieve them. The GS publishes encrypted service descriptions that can only be decrypted by members of G. These encrypted service descriptions are broadcasted to all connected peers, but can only be decrypted by group members.

The secure agent technology (Buford, Park, et al., 2006) used in Sleeper for trust negotiation can also be used for enabling trust in service composition (Buford, Kumar, & Perkins, 2006).

SSRD

With a view to ensure enhanced security through a lightweight solution for resource discovery in pervasive environment, simple and secure resource discovery (SSRD) has been proposed by the researchers in Sharmin et al. (2006a). The fundamental part of the solution is a trust-based, service-oriented adaptive security mechanism built on middleware adaptability for resource discovery, knowledge usability, and self-healing (MARKS), a middleware and framework developed for resource constrained pervasive devices for pervasive applications (Sharmin et al., 2006b). The SSRD unit of
Figure 3. Sleeper groups in broadcast of advertisements; symmetric keys are broadcast with public key encryption (Buford, Celebi, et al., 2006)

Figure 4. Resource discovery model (Sharmin et al., 2006a)
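Sleeper's group service, as described above and in the Figure 3 caption, broadcasts one encrypted service description to every peer and distributes the symmetric key under public-key encryption. A minimal sketch of that pattern follows; it is an added example, not Sleeper's code, and it assumes RSA-OAEP for key wrapping and AES-256-GCM for the description (the chapter names neither), with `Peer`, `Members`, `Publish` and `Open` as hypothetical names and trust negotiation taken as already completed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Peer struct { // a node with its own RSA key pair (hypothetical type)
	ID  string
	key *rsa.PrivateKey
}

func NewPeer(id string) *Peer {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // no usable randomness; a demo cannot continue
	}
	return &Peer{ID: id, key: k}
}

func Members(peers ...*Peer) map[string]*rsa.PublicKey { // peers assumed to satisfy criteria C
	m := make(map[string]*rsa.PublicKey, len(peers))
	for _, p := range peers {
		m[p.ID] = &p.key.PublicKey
	}
	return m
}

type Broadcast struct { // received by every connected peer, member or not
	Group   string
	Wrapped map[string][]byte // member ID -> group key under that member's public key
	Nonce   []byte
	Sealed  []byte // service description under the symmetric group key
}

var ErrNotMember = errors.New("no wrapped group key for this peer")

func gcm(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Publish seals desc under a fresh group key and wraps that key per member.
func Publish(group string, members map[string]*rsa.PublicKey, desc []byte) (*Broadcast, error) {
	fresh := make([]byte, 32+12) // AES-256 group key, then a 96-bit GCM nonce
	if _, err := rand.Read(fresh); err != nil {
		return nil, err
	}
	gk, nonce := fresh[:32], fresh[32:]
	aead, err := gcm(gk)
	if err != nil {
		return nil, err
	}
	wrapped := map[string][]byte{}
	for id, pub := range members {
		// The group name is bound in as OAEP label and as AEAD associated data.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, gk, []byte(group))
		if err != nil {
			return nil, err
		}
		wrapped[id] = w
	}
	return &Broadcast{Group: group, Wrapped: wrapped, Nonce: nonce, Sealed: aead.Seal(nil, nonce, desc, []byte(group))}, nil
}

// Open is what any receiver runs; it succeeds only with a member's private key.
func (p *Peer) Open(b *Broadcast) ([]byte, error) {
	w, ok := b.Wrapped[p.ID]
	if !ok {
		return nil, ErrNotMember
	}
	gk, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.key, w, []byte(b.Group))
	if err != nil {
		return nil, err
	}
	aead, err := gcm(gk)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, b.Nonce, b.Sealed, []byte(b.Group))
}

func main() {
	alice, eve := NewPeer("alice"), NewPeer("eve")
	b, err := Publish("G", Members(alice), []byte("printer, 10.0.0.7 (constructed sample)"))
	if err != nil {
		panic(err)
	}
	pt, _ := alice.Open(b)
	_, denied := eve.Open(b)
	fmt.Printf("alice reads %q; eve gets: %v\n", pt, denied)
}
```

Listing member IDs in the broadcast reveals who belongs to G; a deployment that needs to hide membership would have receivers try each wrapped key instead.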
that is unobtrusive to the user and makes it possible to securely provide and discover the services available for the user in a transparent manner. Some of the open issues regarding challenges in secure and private service discovery are highlighted in this section.

Privacy

Although contextual information plays a pivotal role in dynamic pervasive environments, it may also expose private information. When granting access to a service, a person’s context information like location, time, and activity can be exposed. Further, policies and constraints are themselves subject to privacy protection. Private information management, such as the recursive constraint based security model in Hengartner and Steenkiste (2006), is one approach to prevent direct information leakage. However, such mechanisms are generally susceptible to attacks involving collusion and inference.

In a context- and location-sensitive medical application, researchers developed a system for practitioners to easily share context in their work tasks. Subsequently, questions of privacy led the designers to limit access to this information. As another example, the Gaia project has shown a privacy preserving hop by hop routing algorithm that carries information about the location of the user but does not reveal the exact location or identity of the user. Thus the privacy level and willingness of disclosure of personal information varies depending on information type, collection method, time, and other factors. In some scenarios users are reluctant to disclose identity information but do not care about location information. The situation might be reversed in other cases. Formulation of policies that are understood and can be managed by users is an important goal.

Trust

As discussed earlier, a key element for secure service discovery in ad hoc environments is the ability to establish a level of trust between peers. The trust life cycle can be narrated in short as trust formation, evolution, and exploitation. In general, trust is formed by experience through earlier interactions, verifiable properties of each party, recommendations from trusted entities, and reputation in a community. The challenges faced during trust establishment are due to the absence of a global trust framework, the large number of autonomous and anonymous entities, the large number of domains, and different trust requirements for a large number of application contexts.

Recent context-aware trust models focus on dynamic trust values, which are updated over time and distance and incorporate behavioral models for evolution of trust. Risk analysis maps each action to possible outcomes associated with a cost/benefit. Decisions consider the likelihood of the risk and cost. Unresolved issues in trust establishment include detecting and preventing collusion, managing the trade-off between privacy and property disclosure, and efficient trust mechanisms in large communities.

Multi-Protocol Environments

The combination of multi-homed mobile devices and multiple service discovery protocols means that service access may cross not only administrative boundaries but also different service discovery domains with varying security properties. As an example, a mobile device may include protocol support for Bluetooth, SLP, and UPnP. Then the device can easily discover services in different domains that it roams to, if these domains use different service discovery protocols. As a multi-homed device, it may simultaneously connect to domains with different service discovery protocols.

As a second example, a single user may have a set of personal mobile devices configured in a PAN. These devices can use the PAN security mechanism for security and privacy control, and identity-based authentication for mutual trust. The PAN may support a specific service discovery protocol. One or more of the devices in the PAN may also connect to outside networks with different service discovery protocols and security mechanisms.

These types of scenarios indicate that future mobile devices may need to operate in multiple
security contexts. In these cases there is the potential for conflicting access policies and unanticipated information flows between different regions. Further, there are challenges in managing groups across domains and mapping service semantics and identities between different domains.

Figure 5. Conceptual diagram of SSRD model (Sharmin et al., 2006b)

services that may be created from different service sources. Composition trust bindings (Buford, Kumar, et al., 2006) are one approach for providing trust in both control and data paths in peer-to-peer service composition.
Chen, Y., Jensen, C., Gray, E., Cahill, V., & Seigneur, J. (2003). A general risk assessment of security in pervasive computing (Tech. Rep. No. TCD-CS-2003-45). The University of Dublin, Trinity College, Department of Computer Science.
Cotroneo, D., Graziano, A., & Russo, S. (2004). Security requirements in service oriented architectures for ubiquitous computing. In Proceedings of the Second Workshop on Middleware for Pervasive and Ad-hoc Computing (pp. 172-177).
Czerwinski, S., Zhao, B., Hodes, T., Joseph, A., & Katz, R. (1999). An architecture for a secure service discovery service. In Fifth Annual International Conference on Mobile Computing and Networks (MobiCom ’99) (pp. 24-35).
Ganu, S., Krishnakumar, A., & Krishnan, P. (2004). Infrastructure-based location estimation in WLAN networks. In IEEE Wireless Communications and Networking Conference (WCNC) (pp. 465-470).
Garlan, D., Siewiorek, D., Smailagic, A., & Steenkiste, P. (2002). Project Aura: Towards distraction-free pervasive computing. IEEE Pervasive Computing, 1(2), 22-31.
Goldberg, I., Gribble, S., Wagner, D., & Brewer, E. (1999). The Ninja jukebox. In Proceedings of the Second USENIX Symposium on Internet Technologies and Systems (USITS-99) (pp. 37-46).
Gribble, S., Welsh, M., Von Behren, R., Brewer, E., Culler, D., Borisov, N., et al. (1999). Service location protocol version 2 (RFC 2608). Retrieved from http://www.faqs.org/rfcs/rfc2608.html
He, R., Niu, J., Yuan, M., & Hu, J. (2004). A novel cloud-based trust model for pervasive computing. In The Fourth International Conference on Computer and Information Technology (CIT ’04) (pp. 693-700).
Hengartner, U., & Steenkiste, P. (2006). Avoiding privacy violations caused by context-sensitive services. In Proceedings of the Fourth Annual IEEE International Conference on Pervasive Computer and Communications (PerCom 2006) (pp. 222-233).
Hess, A., Jacobson, J., Mills, H., Wamsley, R., Seamons, K., & Smith, B. (2002). Advanced client/server authentication in TLS. In Network and Distributed System Security Symposium.
Joseph, A., Katz, R., Mao, Z., Ross, S., & Zhao, B. (2001). The Ninja architecture for robust Internet-scale systems and services. Computer Networks, 35(4), 473-497.
Kagal, L., Finin, T., & Joshi, A. (2001). Trust-based security in pervasive computing environments. IEEE Computer, 34(12), 154-157.
Kagal, L., Finin, T., Joshi, A., & Greenspan, S. (2006). Security and privacy challenges in open and dynamic environments. IEEE Computer, 39(6), 89-91.
Kagal, L., Korolev, V., Avancha, S., Joshi, A., Finin, T., & Yesha, Y. (2001). Highly adaptable infrastructure for service discovery and management in ubiquitous computing (Tech. Rep. No. TR CS-01-06). Baltimore: University of Maryland, Department of Computer Science and Electrical Engineering.
Kagal, L., Korolev, V., Chen, H., Joshi, A., & Finin, T. (2001). Project Centaurus: A framework for intelligent services in a mobile environment. In International Workshop of Smart Appliances and Wearable Computing, International Conference of Distributed Computing Systems (pp. 195-201).
Kindberg, T., & Fox, A. (2002). System software for ubiquitous computing. IEEE Pervasive Computing, 1(1), 70-81.
Kopp, H., Lucke, U., & Tavangarian, D. (2005). Security architecture for service-based mobile environment. In Proceedings of the Third IEEE Conference on Pervasive Computing and Communications Workshops (pp. 199-203).
Lee, C., & Helal, S. (2002). Protocols for service discovery in dynamic and mobile networks. International Journal of Computer Research, 11(1), 1-12.
Matsumiya, K., Tamaru, S., Suzuki, G., Nakazawa, J., Takashio, K., & Tokuda, H. (2004). Improving
security for ubiquitous campus applications. In Symposium on Applications and the Internet-Workshops (SAINT 2004) (pp. 417-422).
Microsoft Corporation. (2000). Universal plug and play device architecture, Version 1.0.
Miller, B., Nixon, T., Tai, C., & Wood, M. (2001). Home networking with universal plug and play. IEEE Communications Magazine, 39(12), 104-109.
Minami, K., & Kotz, D. (2005). Secure context-sensitive authorization. In Proceedings of the Third International Conference on Pervasive Computing and Communications Workshops (PerCom 2005) (pp. 257-268).
Nidd, M. (2001). Service discovery in DEAPspace. IEEE Personal Communications, 8(4), 39-45.
Pearson, S. (2005). How trusted computers can enhance privacy preserving mobile applications. In Proceedings of the Sixth International IEEE Symposium on a World of Wireless Mobile and Multimedia Networks (WoWMoM ’05) (pp. 609-613).
Robinson, P., Vogt, H., & Wagealla, W. (Eds.). (2005). Privacy, security and trust within the context of pervasive computing. Heidelberg, Germany: Springer-Verlag.
Saha, S., Chaudhuri, K., Sanghi, D., & Bhagwat, P. (2003). Location determination of a mobile device using IEEE 802.11b access point signals. In IEEE Wireless Communications and Networking Conference (WCNC) (pp. 1987-1992).
Satyanarayanan, M. (1996). Fundamental challenges in mobile computing. In Fifteenth ACM Symposium on Principles of Distributed Computing (pp. 1-7).
Seamons, K., Winslett, M., & Yu, T. (2001). Limiting the disclosure of access control policies during automated trust negotiation. In Network and Distributed System Security Symposium.
Shankar, N., & Arbaugh, W. (2002). On trust for ubiquitous computing. Workshop on security in ubiquitous computing (UBICOMP 2002).
Sharmin, M., Ahmed, S., & Ahamed, S. (2006a). MARKS (middleware adaptability for resource discovery, knowledge usability, and self healing) in pervasive computing environments. In Third International Conference on Information Technology: New Generations (pp. 306-313).
Sharmin, M., Ahmed, S., & Ahamed, S. (2006b). An adaptive lightweight trust reliant secure resource discovery for pervasive computing environments. In Proceedings of the fourth annual IEEE international conference on pervasive computer and communications (PerCom 2006) (pp. 258-263).
Sharmin, M., Ahmed, S., & Ahamed, S. (2006c). SSRD+: A privacy-aware trust and security model for resource discovery in pervasive computing environment. In 30th Annual International Computer Software and Applications Conference (COMPSAC 2006) (pp. 67-70).
Smith, B., Seamons, K., & Jones, M. (2004). Responding to policies at runtime in TrustBuilder. In Fifth International Workshop on Policies for Distributed Systems and Networks (POLICY 2004).
Stajano, F. (2002). Security for ubiquitous computing. West Sussex, England: John Wiley and Sons.
Stajano, F., & Anderson, R. (2002). The resurrecting duckling: Security issues for ubiquitous computing. IEEE Computer, 35(4), 22-26.
Sun Microsystems. (2001). Jini™ technology core platform specification, version 1.2.
Thomas, R., & Sandhu, R. (2004). Models, protocols, and architectures for secure pervasive computing: challenges and research directions. In Second IEEE International Conference on Pervasive Computing and Communications—Workshops (PerCom 2004) (pp. 164-168).
Tripathi, A., Ahmed, T., Kulkarni, D., Kumar, R., & Kashiramka, K. (2004). Context-based secure resource access in pervasive computing environments. In Second IEEE Annual Conference on Pervasive Computing and Communications—Workshops. (p. 159).
Undercoffer, J., Perich, F., Cedilnik, A., Kagal, L., & Joshi, A. (2003). A secure infrastructure for service discovery and access in pervasive computing. Mobile Networks and Applications, 8(2), 113-125.
Want, R., & Pering, T. (2005). System challenges for ubiquitous and pervasive computing. In Twenty-seventh International Conference on Software Engineering (ICSE 2005) (pp. 9-14).
Weiser, M. (1991). The computer for the twenty-first century. Scientific American, 265(3), 94-104.
Weiser, M. (1993). Some computer science problems in ubiquitous computing. Communications of the ACM, 36(7), 75-84.
Winoto, W., Schwartz, E., Balakrishnan, H., & Lilley, J. (1999). The design and implementation of an intentional naming system. In 17th ACM Symposium on Operating Systems Principles (SOSP ’99) (pp. 186-201).
Winslett, M. (2003). An introduction to automated trust establishment. First international conference on trust management.
Wu, C., Fu, L., & Lian, F. (2004). WLAN location determination in e-home via support vector classification. In IEEE Conference on Networking, Sensing & Control (pp. 1026-1031).
Youssef, M., Agrawala, A., & Udaya, A. (2003). WLAN location determination via clustering and probability distributions. In Proceedings of the First Annual IEEE International Conference on Pervasive Computer and Communications (PerCom 2003) (pp. 143-150).
Yu, T., & Winslett, M. (2003). A unified scheme for resource protection in automated trust negotiation. In IEEE Symposium on Security and Privacy (pp. 110-122).
Zhu, F., Mutka, M., & Ni, L. (2002). Classification of service discovery in pervasive computing environments (Tech. Rep. No. MSU-CSE-02-24). East Lansing: Michigan State University.
Zhu, F., Mutka, M., & Ni, L. (2003). Splendor: A secure, private, and location-aware service discovery protocol supporting mobile services. In Proceedings of the First IEEE Conference on Pervasive Computing and Communications (PerCom 2003) (pp. 235-242).
Zhu, F., Mutka, M., & Ni, L. (2004). PrudentExposure: A private and user-centric service discovery protocol. In Proceedings of the Second IEEE Conference on Pervasive Computing and Communications (PerCom 2004) (pp. 329-340).
Zhu, F., Mutka, M., & Ni, L. (2005). Expose or not? A progressive exposure approach for service discovery in pervasive computing environments. In Proceedings of the Third IEEE Conference on Pervasive Computing and Communications (PerCom 2005) (pp. 225-234).
Zhu, F., Mutka, M., & Ni, L. (2006). A private, secure, and user-centric information exposure model for service discovery protocols. IEEE Transactions on Mobile Computing, 5(4), 418-429.
Zimmermann, P. (1995). PGP source code and internals. Cambridge, MA: MIT Press.

Key Terms

Context: Context is the location, time, and activity state of the user when performing a service-related operation such as discovery, advertisement, or invocation.

Federated Discovery: Federated discovery is a service discovery mechanism that incorporates two or more different service advertisement mechanisms.

Meta Discovery: Meta discovery is the discovery of a service discovery mechanism by using meta information about that mechanism (Buford, Brown et al., 2006).

Peer Trust: Peer trust is the degree to which a peer device is willing to disclose information or provide access to resources to another peer, and
which may be determined by experience through earlier interactions, verifiable properties of each party, recommendations from trusted entities, and reputation in a community.

Pervasive Computing: Pervasive computing is the evolution of distributed computing in which networked computing devices are integrated throughout the personal and work environments in a connected way, also referred to as ubiquitous computing.

Secure Service Discovery: Secure service discovery is service discovery that enforces privacy and security policies of the devices participating in the service location process.

Service Composition: Service composition is the ability to dynamically discover and combine component services to form new services.

Service Discovery: Service discovery occurs when device resources and functions are packaged as services, in a networked environment, and a device finds another device capable of offering a specific service or resource.
Chapter III
Security of Mobile Code
Zbigniew Kotulski
Polish Academy of Sciences, Warsaw, Poland
Warsaw University of Technology, Poland
Aneta Zwierko
Warsaw University of Technology, Poland
Abstract
The recent development in the mobile technology (mobile phones, middleware, wireless networks, etc.)
created a need for new methods of protecting the code transmitted through the network. The oldest
and the simplest mechanisms concentrate more on integrity of the code itself and on the detection of
unauthorized manipulation. The newer solutions not only secure the compiled program, but also the
data that can be gathered during its “journey,” and even the execution state. Some other approaches
are based on prevention rather than detection. In this chapter we present a new idea of securing mobile
agents. The proposed method protects all components of an agent: the code, the data, and the execution
state. The proposal is based on a zero-knowledge proof system and a secure secret sharing scheme, two
powerful cryptographic primitives. Next, the chapter includes security analysis of the new method and
its comparison to other currently more widespread solutions. Finally, we propose a new direction of
securing mobile agents by strengthening the methods of protecting integrity of the mobile code with risk
analysis and a reputation system that helps avoid high-risk behavior.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
The mobile agent systems offer new possibilities for the e-commerce applications: creating new types of electronic ventures from e-shops and e-auctions to virtual enterprises and e-marketplaces. Utilizing the agent system helps to automate many e-commerce tasks. Beyond simple information gathering tasks, mobile agents can take over all tasks of commercial transactions, namely, price negotiation, contract signing, and delivery of (electronic) goods and services. Such systems are developed for diverse business areas, for example, contract negotiations, service brokering, stock trading, and many others (Corradi, Cremonini, Montanari, & Stefanelli, 1999; Jansen & Karygiannis, 1999; Kulesza & Kotulski, 2003). Mobile agents can also be utilized in code-on-demand applications (Wang, Guan, & Chan, 2002). Mobile agent systems have advantages even over grid computing environments:

• Require less network bandwidth
• Increase asynchrony among clients and servers
• Dynamically update server interfaces
• Introduce concurrency

The benefits from utilizing the mobile agents in various business areas are great. However, this technology brings some serious security risks; one of the most important is the possibility of tampering with an agent. In mobile agent systems the agent’s code and internal data autonomously migrate between hosts and can be easily changed during the transmission or at a malicious host site. The agent cannot itself prevent this, but different countermeasures can be utilized in order to detect any manipulation made by an unauthorized party. They can be integrated directly into the agent system, or only into the design of an agent to extend the capabilities of the underlying agent system.

Several degrees of agent’s mobility exist, corresponding to possibilities of relocating code and state information, including the values of instance variables, the program counter, execution stack, and so forth. The mobile agent technologies can be divided into two groups:

• Weakly mobile: Only the code is migrating; no execution state is sent along with an agent program
• Strongly mobile: A running program is moving to another execution location (along with its particular state)

The protection of the integrity of the mobile agent is the most crucial requirement for the agent system. The agent’s code and internal data autonomously migrate between hosts and can be easily changed during the transmission or at a malicious host site. A malicious platform may make subtle changes in the execution flow of the agent’s code; thus, the changes in the computed results are difficult to detect. The agent cannot itself prevent this, but different countermeasures can be utilized in order to detect any manipulation made by an unauthorized party. They can be integrated directly into the agent system, or only into the design of an agent to extend the capabilities of the underlying agent system. However, the balance between the security level and solution implementation’s cost, as well as performance impact, has to be preserved. Sometimes, some restrictions of agent’s mobility may be necessary.

Accountability is also essential for the proper functioning of the agent system and establishing trust between the parties. Even an authenticated agent is still able to exhibit malicious behavior to the platform if such a behavior cannot later be detected and proved. Accountability is usually realized by maintaining an audit log of security-relevant events. Those logs must be protected from unauthorized access and modification. Also the non-repudiability of logs is a huge concern. An important factor of accountability is authentication. Agents must be able to authenticate to platforms and other agents and vice versa. An agent may require different degrees of authentication depending on the level of sensitivity of the data.

The accountability requirement needs also to be balanced with an agent’s need for privacy. The platform may be able to keep the agent’s identity secret from other agents and still maintain a form of revocable anonymity where it can determine the agent’s identity if necessary and legal. The security policies of agent platforms and their auditing requirements must be carefully balanced with agent’s privacy requirements.

Threats to security generally fall into three main classes: (1) disclosure of information, (2) denial of service, and (3) corruption of information (Jansen, 1999). Threats in agent system can be categorized with regard to agents and platform relations (e.g., agent attacking an agent, etc.). Another taxonomy of attacks in agent system was proposed in Man and Wei (2001). The article describes two main categories of attacks: purposeful and frivolous. The first kind is carefully planned and designed and can be further classified by the nature of attack (read or non-read) and number of attackers (solo or collaborative). During the second kind of attacks, the attacker may not know the effect of his/her actions or gain an advantage. These attacks can be random or total. Another category of attacks is connected with traffic analysis (Kulesza, Kotulski, & Kulesza, 2006) or the so-called blocking attacks (when a malicious platform refuses to migrate the agent), as described by Shao and Zhou (2006). In this chapter we will focus on the threats from an agent’s perspective.

Among the mentioned threats, the most important are connected with the agent platform since the most difficult to ensure is the agent’s code/state integrity. There are two main concepts for protecting mobile agent’s integrity:

• Providing trusted environment for agent’s execution
• Detection or prevention of tampering

The first group of methods is more concentrated on the whole agent system than on an agent in particular. These seem to be easier to design and implement but, as presented in Oppliger (2000), mostly lead to some problems. The assumption that an agent works only with a group of trusted hosts makes the agent less mobile than it was previously assumed. Also an agent may need different levels of trust (some information should be revealed to host while in another situation it should be kept secret). Sometimes, it is not clear in advance that the current host can be considered as trusted. A method to provide such an environment is special tamper-resistant hardware, but the cost of such a solution is usually very high.

The second group of methods provides the agents’ manager with tools to detect that the agent’s data or code has been modified, or an agent with a mechanism that prevents a successful, unauthorized manipulation. In this chapter we concentrate on the “built-in” solutions because they enable an agent to stay mobile in the strong sense and, moreover, provide the agent with mechanisms to detect or prevent tampering. Detection means that the technique is aimed at discovering unauthorized modification of the code or the state information. Prevention means that the technique is aimed at preventing changes of the code and the state information in any way. To be effective, detection techniques are more likely than prevention techniques to depend on legal or other social framework. The distinction between detection and prevention can be sometimes arbitrary, since prevention often involves detection (Jansen, 2000).

BACKGROUND

Many authors proposed methods for protecting integrity of the mobile code. The most interesting of them are presented in this section.

Time Limited Black-Box Security and Obfuscated Code

These methods are based on a black-box approach. The main idea of the black-box is to generate executable code from a given agent’s specification that cannot be attacked by read (disclosure) or modification attacks. An agent is considered to be black-box if at any time the agent code cannot be attacked in the previous sense, and if only its input and output can be observed by the attacker. Since it is not possible to implement it today, the relaxation of this notion was introduced by Hohl (1998): it is not assumed that the black-box protection holds forever, but only for a certain known time. According to this definition, an agent has the time-limited black-box property if for a certain known time it
Figure 2. Example of fingerprinting

Possible attacks against this method include:

• Eavesdropping: If the data are not protected in any way (e.g., not encrypted) it can be read by every host.
• Manipulation: The malicious host can try to manipulate either the agent’s code or data to change the results and still keep the proper mark.
• Collusion: Colluding hosts cannot extract any information about the mark comparing their data or results, because every host has a different input data and a different embedded mark.

The difference between mobile agent watermarking and fingerprinting is the fact that in the second case it is possible to detect collusion attacks performed by a group of dishonest hosts.

Publicly Verifiable Chained Digital Signatures

This protocol, proposed by Karjoth (1998), allows verification of the agent’s chain of partial results not only by the originator, but also by every agent place. However, it is still vulnerable to interleaving attacks. This protocol makes it possible for every agent place that receives an agent to verify that it has not been compromised. This saves computing power because if an agent has indeed been compromised, the agent place can reasonably refuse to execute the compromised agent.

Environmental Key Generation

This scheme allows an agent to take a predefined action when some environmental condition is true (Riordan & Schneier, 1998). The approach centers on constructing agents in such a way that upon encountering an environmental condition (e.g., via a matched search string), a key is generated, which is then used to cryptographically unlock some executable code. The environmental condition is hidden through either a one-way hash or public key encryption of the environmental trigger. This technique ensures that a platform or an observer of the agent cannot uncover the triggering message or response action by directly reading the agent’s code.

Itinerary Recording with Replication and Voting

A faulty agent platform can behave similarly to a malicious one. Therefore, applying fault tolerant capabilities to this environment should help counter the effects of malicious platforms (Schneider, 1997). One such technique for ensuring that a mobile agent arrives safely at its destination is through the use of replication and voting. Rather than using a single copy of an agent to perform a computation, multiple copies are used. Although a malicious platform may corrupt a few copies of the agent, enough replicas avoid the encounter to successfully complete the computation. A slightly different method based on multiple copies of agent was proposed by Benachenhou and Pierre (2006). In this proposal, the copy of agent is executed on a trusted platform to validate results obtained on other platforms.

A METHOD BASED ON SECRETS AND PROOFS

In the proposed system we assume that there exist at least three parties:

• A manager
• An agent
• A host

• If we have $x_1$ and $f(x_1)$ then it is computationally infeasible to find $x_2$ such that $f(x_1) = f(x_2)$

If the secret is kept within an agent, then also the host can use the zero-knowledge protocol to verify it. Every authorized change of agent’s state results in such a change of the secret that the secret remains valid. On the other hand, every unauthorized change leads to losing the secret, so at the moment of verification by host or manager, the agent is not able to prove possession of a valid secret. Since the host can monitor all agent’s computations, the secret should not only change with agent’s execution state, but should also be different for different hosts, so one host could only validate the secret prepared for operations that should be executed at this platform. In our system the host can tamper with the agent and try to make such changes that he/she will still be able to obtain the proper secret, but the characteristics of function f will not allow this. One possible candidate for the function f is a hash function. Our approach is detection rather than prevention (see Zwierko & Kotulski, 2007).

Specification of the Method
agent is in a proper execution state, it is able to obtain from its code/state variables the correct shares. Since the agent is nothing more than a computer program, it can be described as a finite state machine (FSM). Assume we have the agent of the form $\langle \Sigma, S, S_I, S_F, \delta \rangle$, where:

• $\Sigma$ is the input alphabet
• $S = \{f_0, \ldots, f_n\}$ is a set of all possible states
• $S_I$ is a subset of $S$ with all initial states
• $S_F$ is a subset of $S$ with all finishing states, possibly empty
• $\delta: \Sigma \times S \to S$ is a state transition function.

Figure 4 shows an example of agent’s FSM. It is obvious that only some execution states should be observed during the computation at the host platform (e.g., the ones connected with gathering and storing the data). If the state $f_j$ is the first state of the agent’s computations at the host platform, then it is natural that the shares should be generated only from this state. Additionally, some internal variables that differ for each host should be utilized to obtain different secrets for each host. Thus, to create agent’s shares, $f_j$, $c_i \in \Sigma$, and the code should be used.

In other cases, where the pair $f_j$ and $c_i$ is not unique for each host, the previous states or other data should be used. It should be possible to obtain the proper shares for current host based on appropriate execution state and internal variables. If there is more than one unique combination of ($f_j$, $c_i$) for one host, then for each of them the host should obtain an ID and a share. The agent’s code (in a certain form) should be a part of the data that are required to recreate the secret to enable detection of every unauthorized manipulation, which could be performed by previous host.

To create the shares from the mentioned data, the hash function or an encryption function with the manager’s public key can be used.

The Validation Phase

1. The host, which wants to verify an agent’s integrity, sends its share to the agent.
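
The share mechanism described above, as an added Python example that is not the chapter's own code: the agent derives its share by hashing the current state, the per-host variable and its code, and the host's share completes a per-host secret. Assumptions made here: SHA-256 stands in for f, the secret is split into two XOR shares, the host checks the recreated secret against a hash commitment instead of running a zero-knowledge proof, and all names, states and values are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace

# Constructed FSM <Sigma, S, S_I, S_F, delta>; symbols and states are hypothetical.
DELTA = {
    ("migrate", "f0"): "f1",  # f1: first state of the computation at hostA
    ("collect", "f1"): "f2",
    ("migrate", "f2"): "f3",  # f3: first state of the computation at hostB
}


def f(*parts: bytes) -> bytes:
    """One-way function f, here SHA-256 over length-prefixed fields."""
    digest = hashlib.sha256()
    for part in parts:
        digest.update(len(part).to_bytes(4, "big") + part)
    return digest.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class Agent:
    code: bytes   # agent code in a canonical form
    state: str    # current execution state f_j
    c: dict       # host id -> c_i, an internal variable that differs per host

    def step(self, symbol: str) -> None:
        """Authorized state change through the transition function delta."""
        self.state = DELTA[(symbol, self.state)]

    def share(self, host_id: str) -> bytes:
        """Agent's share, derived from f_j, c_i and the code."""
        return f(host_id.encode(), self.state.encode(), self.c[host_id], self.code)

    def recreate_secret(self, host_id: str, host_share: bytes) -> bytes:
        """Combine the share sent by the host with the agent's own share."""
        return xor(self.share(host_id), host_share)


@dataclass
class HostRecord:
    host_id: str
    share: bytes       # host's share, distributed by the manager
    commitment: bytes  # f(secret), lets the host check the recreated secret


def manager_setup(agent: Agent, host_id: str, entry_state: str) -> HostRecord:
    """Initialization: the manager creates a separate secret for each host."""
    secret = secrets.token_bytes(32)
    expected = replace(agent, state=entry_state).share(host_id)
    return HostRecord(host_id, xor(secret, expected), f(b"commit", secret))


def host_validate(record: HostRecord, agent: Agent) -> bool:
    """Validation: the host sends its share and checks what the agent recreates."""
    recovered = agent.recreate_secret(record.host_id, record.share)
    return hmac.compare_digest(f(b"commit", recovered), record.commitment)


def demo() -> dict:
    agent = Agent(code=b"def run(offers): return min(offers)", state="f0",
                  c={"hostA": b"c-for-hostA", "hostB": b"c-for-hostB"})
    rec_a = manager_setup(agent, "hostA", "f1")
    rec_b = manager_setup(agent, "hostB", "f3")
    results = {}
    agent.step("migrate")                       # f0 -> f1, arrival at hostA
    results["intact_at_hostA"] = host_validate(rec_a, agent)
    results["wrong_state_at_hostA"] = host_validate(rec_a, replace(agent, state="f2"))
    # hostA's share does not recreate the secret prepared for hostB
    results["hostA_share_on_hostB_record"] = host_validate(
        HostRecord("hostB", rec_a.share, rec_b.commitment), agent)
    agent.step("collect")                       # f1 -> f2
    agent.step("migrate")                       # f2 -> f3, arrival at hostB
    results["intact_at_hostB"] = host_validate(rec_b, agent)
    tampered = replace(agent, code=agent.code.replace(b"min", b"max"))
    results["tampered_code_at_hostB"] = host_validate(rec_b, tampered)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'manipulation detected'}")
```

Because the check here reveals the recreated secret to the validating host, it only models the detection property; the chapter's method keeps the secret hidden by proving possession with a zero-knowledge protocol.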
stay the same. But the host does not know other secrets that are composed into the agents; also he/she does not know more shares to recreate those secrets, so any manipulation would be detected by the next host.

The protocol is not able to prevent any attacks that are aimed at destroying the agent’s data or code, meaning that a malicious host can “invalidate” any agent’s data. But this is always a risk, since the host can simply delete an agent.

• Weak forward integrity: The proposed method possesses the weak forward integrity property: the malicious host cannot efficiently modify previously generated results.
• Strong forward integrity: The protocol provides the agent also with strong forward integrity, because the host cannot change previously stored results (without knowledge of secrets created for other hosts). He/she also cannot modify the agent in a way that could be undetectable by the next host on the itinerary or by the owner.
• Publicly verifiable forward integrity: Each host can only verify if the agent’s code or the execution state has not been changed. They cannot check whether the data obtained on other platforms has not been modified. Only the agent’s owner, who created all secrets, can do this.
• Black-box security: The proposed system is not resistant to read attacks. A malicious host can modify the code or data, but it is detectable by agent’s owner, so it is resistant to manipulation attack. The system does not have full black-box property.

Comparison with Other Methods

It is a difficult task to compare systems based on such different approaches as presented here. We decided to split comparison into two categories:

• Practical evaluation: If the method is hard or easy to implement:
    Hard: No practical implementation exists at the moment
    Medium: The method has been implemented, with much effort
    Easy: The method is widely used and has been implemented for different purposes
  and what elements of an agent it protects:
• Theoretical evaluation: If the method satisfies the security definitions from the Definitions and Notions section.

The theoretical evaluation is quite hard, because some methods that have the black-box property do not “fit” other definitions. If the code or data cannot be read or manipulated (the ideal case), then how can we discuss whether it is verifiable or whether it fulfills the forward integrity?

As for evaluation of the black-box property, it is very hard to provide the code that cannot be read. In all cases marked by * (see Table 2) the adversary can modify the agent but not in a way that owner or other host would not notice. This means that no efficient manipulation attack can be made, so one part of the black-box property is satisfied.

In # case the publicly verifiable forward integrity is satisfied only partially, because the agent’s code can be verified but the data cannot.

Scalability

The initialization phase. The first phase is similar to the bootstrap phase of the system. The hosts and the manager create a static network. It is typical for agents’ systems that the manager or the owner of an agent knows all hosts, so distribution of all IDs and shares is efficient. We can compare this to sending a single routing update for entire network as in OSPF protocol (the flooding). Whenever a new agent is added to the system, the same amount of information to all hosts has to be sent. Since the messages are not long (a single share and few IDs) and are generated only during creating a new agent, that amount of information should not be a problem. The sizes of parameters (keys lengths, number of puzzles, and number of shares) are appropriately adjusted to the agents’ network size.

The operating phase. During the validation phase no additional communication between the manager and the hosts is required.
Burmester, M., Chrissikopoulos, V., & Kotzanikolaou, P. (2000). Secure transactions with mobile agents in hostile environments. In E. Dawson, A. Clark, & C. Boyd (Eds.), Information security and privacy. Proceedings of the 5th Australasian Conference ACISP (LNCS 1841, pp. 289-297). Berlin, Germany: Springer.

Collberg, Ch., Thomborson, C., & Low, D. (1997). A taxonomy of obfuscating transformations (Tech. Rep. No. 148). Australia: The University of Auckland.

Corradi, A., Cremonini, M., Montanari, R., & Stefanelli, C. (1999). Mobile agents integrity for electronic commerce applications. Information Systems, 24(6), 519-533.

Esparza, O., Fernandez, M., Soriano, M., Munoz, J. L., & Forne, J. (2003). Mobile agents watermarking and fingerprinting: Tracing malicious hosts. In V. Mařík, W. Retschitzegger, & O. Štěpánková (Eds.), Proceedings of the Database and Expert Systems Applications (DEXA 2003) (LNCS 2736, pp. 927-936). Berlin, Germany: Springer.

Goldreich, O. (2002). Zero-knowledge twenty years after its invention (E-print 186/2002). E-print, IACR.

Hohl, F. (1998). Time limited blackbox security: Protecting mobile agents from malicious hosts. In G. Vigna (Ed.), Mobile agents and security (LNCS 1419, pp. 92-113). Berlin, Germany: Springer.

Jansen, W. A. (2000). Countermeasures for mobile agent security. [Special issue]. Computer Communications, 23(17), 1667-1676.

Jansen, W. A., & Karygiannis, T. (1999). Mobile agents security (NIST Special Publication 800-19). Gaithersburg, MD: National Institute of Standards and Technology.

Karjoth, G., Asokan, N., & Gulcu, C. (1999). Protecting the computation results of free-roaming agents. In K. Rothermel & F. Hohl (Eds.), Proceedings of the Second International Workshop on Mobile Agents (MA ’98) (LNCS 1477, pp. 195-207). Berlin, Germany: Springer.

Kulesza, K., & Kotulski, Z. (2003). Decision systems in distributed environments: Mobile agents and their role in modern e-commerce. In A. Lapinska (Ed.), Proceedings of the Conference “Information in XXI Century Society” (pp. 271-282). Olsztyn: Warmia-Mazury University Publishing.

Kulesza, K., Kotulski, Z., & Kulesza, K. (2006). On mobile agents resistant to traffic analysis. Electronic Notes in Theoretical Computer Science, 142, 181-193.

Low, D. (1998). Protecting Java code via code obfuscation. Crossroads, 4(3), 21-23.

Man, C., & Wei, V. (2001). A taxonomy for attacks on mobile agent. In Proceedings of the International Conference on Trends in Communications, EUROCON’2001 (pp. 385-388). IEEE Computer Society Press.

Oppliger, R. (2000). Security technologies for the World Wide Web. Computer Security Series. Norwood, MA: Artech House Publishers.

Pieprzyk, J., Hardjono, T., & Seberry, J. (2003). Fundamentals of computer security. Berlin, Germany: Springer.

Riordan, J., & Schneier, B. (1998). Environmental key generation towards clueless agents. In G. Vigna (Ed.), Mobile agents and security (pp. 15-24). Berlin, Germany: Springer.

Sabater, J., & Sierra, C. (2005). Review on computational trust and reputation models. Artificial Intelligence Review, 24(1), 33-60.

Sander, T., & Tschudin, Ch. F. (1998, May 3-6). Towards mobile cryptography. In Proceedings of the 1998 IEEE Symposium on Security and Privacy (pp. 215-224). IEEE Computer Society Press.

Schneider, F. B. (1997). Towards fault-tolerant and secure agentry. In M. Mavronicolas (Ed.), Proceedings 11th International Workshop on Distributed Algorithms (pp. 1-14). Berlin, Germany: Springer.

Shao, M., & Zhou, J. (2006). Protecting mobile-agent data collection against blocking attacks. Computer Standards & Interfaces, 28(5), 600-611.
Tixier, J., Dusserre, G., Salvi, O., & Gaston, D. (2002). Review of 62 risk analysis methodologies of industrial plants. Journal of Loss Prevention in the Process Industries, 15(4), 291-303.

Vigna, G. (1997). Protecting mobile agents through tracing. In Proceedings of the 3rd ECOOP Workshop on Mobile Object Systems. Jyväskylä, Finland.

Vigna, G. (1998). Cryptographic traces for mobile agents. In G. Vigna (Ed.), Mobile agents and security (LNCS 1419, pp. 137-153). Berlin, Germany: Springer.

Wang, T., Guan, S., & Chan, T. (2002). Integrity protection for code-on-demand mobile agents in e-commerce. Journal of Systems and Software, 60(3), 211-221.

Yee, B. S. (1999). A sanctuary for mobile agents. In J. Vitek & C. D. Jensen (Eds.), Secure Internet programming: Security issues for mobile and distributed objects (LNCS 1603, pp. 261-273). Berlin, Germany: Springer.

Zacharia, G., & Maes, P. (2000). Trust management through reputation mechanisms. Applied Artificial Intelligence, 14(9), 881-907.

Zwierko, A., & Kotulski, Z. (2005). Mobile agents: Preserving privacy and anonymity. In L. Bolc, Z. Michalewicz, & T. Nishida (Eds.), Proceedings of IMTCI2004, International Workshop on Intelligent Media Technology for Communicative Intelligence (LNAI 3490, pp. 246-258). Berlin, Germany: Springer.

Zwierko, A., & Kotulski, Z. (2007). Integrity of mobile agents: A new approach. International Journal of Network Security, 2(4), 201-211.

Zwierko, A., & Kotulski, Z. (2007). A lightweight e-voting system with distributed trust. Electronic Notes in Theoretical Computer Science, 168, 109-126.

KEY TERMS

Agent Platform (Host): Agent platform is a computer where an agent’s code or program is executed. The software agent cannot perform its actions outside hosts. The host protects agents against external attacks.

Cryptographic Protocol: Cryptographic protocol is a sequence of steps performed by two or more parties to obtain a goal precisely according to assumed rules. To assure this purpose the parties use cryptographic services and techniques. They realize the protocol exchanging tokens.

Intelligent Software Agent: Intelligent software agent is an agent that uses artificial intelligence in the pursuit of its goals in contacts with hosts and other agents.

Mobile Agent: Mobile agent is an agent that can move among different platforms (hosts) at different times while the stationary agent resides permanently at a single platform (host).

Security Services: Security services guarantee protecting agents against attacks. During agent’s transportation the code is protected as a usual
At the host site, the agent is open for modification and very specific methods must be applied for protection. For the agent’s protection the following security services can be utilized:

• Confidentiality: Confidentiality is any private data stored on a platform or carried by an agent that must remain confidential. Mobile agents also need to keep their present location and the whole route confidential.
• Integrity: Integrity exists when the agent platform protects agents from unauthorized modification of their code, state, and data and ensures that only authorized agents or processes carry out any modification of the shared data.
• Accountability: Accountability exists when each agent on a given platform must be held accountable for its actions: must be uniquely identified, authenticated, and audited.
• Availability: Availability exists when every agent (local, remote) is able to access data and services on an agent platform, which is responsible for providing them.
Chapter IV
Identity Management
Kumbesan Sandrasegaran
University of Technology, Sydney, Australia
Mo Li
University of Technology, Sydney, Australia
ABSTRACT
The broad aim of identity management (IdM) is to manage the resources of an organization (such as
records, data, and communication infrastructure and services) and to control and manage access to those
resources in an efficient and accurate way. Consequently, identity management is both a t
process-orientated concept. The concept of IdM has begun to be applied in identities-related applications
in enterprises, governments, and Web services since 2002. As the integration of heterogeneous wireless
networks becomes a key issue towards the next generation (NG) networks, IdM will be crucial to the
success of NG wireless networks. A number of issues, such as mobility management, multi-provider and
securities, require the corresponding solutions in terms of user authentication, access control, and so
forth. IdM in NG wireless networks is about managing the digital identity of a user and ensuring that
users have fast, reliable, and secure access to distributed resources and services of a next generation
network (NGN) and the associated service providers, across multiple systems and business contexts.
IdM in NG wireless networks is about managing the digital identity of a user and ensuring that users have fast, reliable, and secure access to distributed resources and services of NG wireless networks and associated service providers across multiple systems and business contexts.

Definition

Given the open and currently non-standardised nature of IdM, there are varying views as to the exact definition of IdM. These include:

By HP (Clercq & Rouault, 2004)
Identity Management can be defined as the set of processes, tools and social contracts surrounding the creation, maintenance, utilization and termination of a digital identity for people or, more generally, for systems and services to enable secure access to an expanding set of systems and applications.

By Reed (2002)
The essence of Identity Management as a solution is to provide a combination of processes and technologies to manage and secure access to the information and resources of an organisation while also protecting users’ profiles.

By Cisco Systems (2005)
Businesses need to effectively and securely manage who and what can access the network, as well as when, where, and how that access can occur...lets enterprises secure network access and admission at any point in the network, and it isolates and controls infected or unpatched (sic) devices that attempt to access the network.

Objectives

As IdM can be used in different areas such as enterprise, government, Web services, telecommunication networks and so forth, its objectives vary in different contexts. Generally, the IdM system is expected to satisfy the following objectives (Reed, 2002):

• It should define the identity of an entity (a person, place, or thing).
• It should store relevant information about entities, such as names and credentials, in a secure, flexible, customisable store.
• It should make the information accessible through a set of standard interfaces.
• It should provide a resilient, distributed, and high performance infrastructure for identity management.
• It should help to manage relationships between the enterprise and the resources and other entities in a defined context.

Main Aspects

Authentication

Authentication is the process by which an entity provides its identity to another party, for example, by showing photo ID to a bank teller or entering a password on a computer system. This process is broken down into several methods which may involve something the user knows (e.g., password), something the user has (e.g., card), or something the user is (e.g., fingerprint, iris, etc.). Authentication can take many forms, and may even utilise combinations of these methods.

Authorisation

Authorisation is the process of granting access to a service or information based on a user’s role in an organisation. Once a user is authenticated, the system then must ensure that a particular user has access to a particular resource.

Access Control

Access control is used to determine what a user can or cannot do in a particular context (e.g., a user may have access to a particular resource/file but only during a certain time of day, e.g., work hours, or only from a certain device, e.g., desktop in the office).
applications, for example, bank transactions and governmental functions, more information is usually required (e.g., birth certificates, credit card numbers, and the like).

The digital identity of an individual user forms the main focus of security threats to any IdM system. As such, there are typical measures that must be taken to ensure that digital identities are kept securely.

Usage of Digital Identity

Digital identity can be used for authentication. It is where an entity must “prove” digitally that it is the one that it claims to be. It is at this stage that the credentials of digital identity are used. The simplest form of authentication is the use of a username and corresponding password. This is known as “single factor” authentication, since only a single attribute is used to determine the identity. Stronger authentication is usually obtained by not only increasing the number of attributes that are used, but also by including different types. To add to the previous example scheme, in addition to the password, an entity could also be called upon to have a particular piece of hardware plugged in, providing a “two factor” scheme (DIGITALIDWORLD, 2005).

Once an entity is authenticated, a digital identity is used to determine what that entity is authorised to do. This is where the profile of a digital identity is required. As an example, authorisation can be seen as the difference between an “administrator” and a “user” who share the same resource (for example, a computer). Both may be authenticated to use the computer, but the actions that each may do with that resource are determined by the authorisation. Authentication attempts to establish a level of confidence that a certain thing holds true; authorisation decides what the user is allowed to do.

Accounting provides an organisation with the ability of tracking unauthorised access when it occurs. Accounting involves the recording and logging of entities and their activities within the context of a particular organisation, Web site, and so forth.

PROS AND CONS OF IDENTITY MANAGEMENT

Benefits of Identity Management

Reduce Total Cost Ownership (TCO) for All Systems
Cost reduction by IdM usually is a result of more efficient use of personnel and resources, especially with regards to the following administrative bureaucracy. Examples include (Courion, 2005):

• Reducing the costs of auditing by providing real-time verification of user access rights and policy awareness enforcement
• Eliminating account administration such as account add/move/change and calls to information security staff for digital certificate registration
• Eliminating calls of password reset (the #1 support call) to internal or outsourced help desks
• Streamlining IT operations for more efficient management and reallocation to more strategic projects
• Reducing management overhead (Reed, 2002)

Competitive Advantage Through Streamlining and Automation of Business Processes
This competitive advantage is delivered by cutting down costs in areas with a high need for unnecessary support and being able to:

• Offer users a fast, secure way to access revenue-generating systems, applications, and Web portals (Courion, 2005)
• Provide faster response to “password reset” and “insufficient access” user lockouts, thus increasing system and data availability (Courion, 2005)
• Provide 24x7x365, unassisted self-service for the most common of help desk calls (Courion, 2005)
• Improve customer and employee service; maintain confidentiality and control of customers, suppliers, and employees (Reed, 2002)
Identity Management
• Reduce time for new employees to gain access to required resources for work (Reed, 2002)

Increase Data Security

Data security includes the typical protection of data from unauthorised users as well as ensuring that the data being used is kept up to date across the organisation and is safe from inadvertent or intentional tampering by unauthorised users within the organisation.

• Minimise the “security gap” that exists between the time when employees leave a company and their accounts are disabled (Courion, 2005)
• Reduce the intrusion risk due to orphaned or dormant accounts (by ex-employees or those posing as ex-employees) (Courion, 2005)
• Enforce the policies of consistent account provisioning to make sure that only those who need access get access (Courion, 2005)
• Enforce consistent password policies for stronger authentication (Courion, 2005)
• Reduce security threats (e.g., human error) through policy based automation (Courion, 2005)
• Ensure accurate audit trails for intrusion prevention and security reporting (Courion, 2005)
• Provide faster response to account access requests or password reset, thus reducing the need of proliferating “superuser” privileges (Courion, 2005)
• Increase the opportunity of adopting the Public Key Infrastructure by removing the biggest barrier (Courion, 2005)
• Reduce risk of incorrect information being used (Reed, 2002)

Support Legal Initiatives and Demonstrate Compliance (Courion, 2005; Reed, 2002)

In the case of legal initiatives, IdM can be used successfully to demonstrate a systematic and effective approach to safeguarding an organisation’s assets and its business partners’ (customers, suppliers, contractors, clients) assets. It also presents a method of ensuring that policies are enforced away from human effort and decision making (where often the process breaks down or is ignored). In summary, it can:

• Demonstrate policy enforcement
• Proactively verify the access right of a user
• Enable policy awareness testing
• Eliminate orphaned accounts systematically
• Increase protected data privacy

Additional benefits, mainly business centric, are described in more detail by Fujitsu (Locke & McCarthy, 2002):

• Know who everyone is in the organisations: Applied to the larger scale of the NG wireless networks, this prevents any user from “slipping through the cracks” whether they are employees or subscribers. Typically, telecommunications providers are adept at keeping customer records, but suffer the same problems with keeping track of staff. An IdM system will enable the organisation to keep stock of all their users.
• Accurate and consistent people data in all systems: This is particularly relevant to the existing telecommunications providers. Although services vary, the majority of providers have some lag between the time a record is changed, compared to when that change is made into the records that the company keeps. Typically, this results in undue delays when an existing or new subscriber wishes to get access to their new services. By speeding up the process by which data on users can be updated, this reduces the delay in service provisioning and offers a more significant level of quality of service.
• Single source of data input/storage: This feature has already been explored as one of the benefits of an IdM system. Although a distributed system must spread the location and access points for the data that it stores, by having one central system for organising
it, any additional processing that needs to be done, particularly when bridging between two different types of systems or departments, is avoided.

In general, IdM is used to provide an efficient system that covers all users within an organisation. It promotes a single system that does the entire task rather than several systems that conflict or compete with each other.

Drawbacks of Identity Management

IdM, while bringing several advantages to an organisation, may have several applicable drawbacks. These include:

• Single point of vulnerability: A feature that brings both advantages and disadvantages to IdM is the central system that is used. A central IdM system is used to avoid the vulnerabilities associated with competing or incompatible systems, as well as reducing the maintenance costs involved in running different types of systems. However, the flip side to this approach is that it represents a single point of vulnerability that, if compromised, can lead to the easy breach of all the data that the system is protecting. To counter this, IdM systems generally recommend that the additional resources that are saved by the organisation employing the IdM system are re-invested into providing more effective security measures. This will result in a system that is, overall, more secure than the existing mixture of systems that, individually, are not as secure.
• Migration from legacy systems and transition costs: IdM systems are generally at odds with existing systems that manage and secure users and resources. The concept of IdM systems involves the replacing of existing systems with a single IdM system. For larger organisations with staff and hardware that are selected based upon a preference for an existing system or systems, this represents a significant along with all the associated costs of replacing or retraining staff, introducing new equipments and the like. It will also increase the reluctance and reduce the enthusiasm of the organisation to adopt the new IdM system.
• Specific needs depending on the organisation: IdM systems generally need to be customised for each particular organisation that intends to use one. This is particularly true for the areas where an IdM system must support the business processes that an organisation has set up. These are usually unique to the organisation. Other areas that would require customisation from system to system include hardware requirements, the nature of the organisations’ distributed systems, and so on.
• Extensive planning, designing, and implementation required: An IdM system must be extremely well planned, designed, and executed if it is to avoid the disadvantages that it is trying to overcome over existing approaches to enterprise management. Due to the all-encompassing and authoritative control that an IdM system will have over an organisation, it is important that any such system caters to, or close to, the exact specifications outlined by the organisation. Otherwise, the system may be used incorrectly, resulting in the same inefficiencies from non-IdM systems.
• Relatively new concept, lack of uniform standard: IdM as a standardised concept and solution is yet to be finalised. This increases the likelihood of IdM systems to still be in various stages of development, and more importantly, different levels of effectiveness. This may lead to increased maintenance or upgrades in the near future, or lead to a flawed development and implementation for the early adopters of IdM systems. Both these alternatives result in an inefficient outcome compared to IdM’s claims.

Standards and Solutions

A number of IdM technologies and standards have emerged for enterprise networks, government,
and Web services. The two main standard bodies to date are from the Liberty Alliance Project and the Web-Services (WS) Federation. However, the specifications produced by these organisations are mainly motivated by user profile management, single sign-on, and personalised services and do not address the requirements of NG wireless networks.

Relevant Standard Bodies

The standards organisations listed in Table 1 are involved in the development of standards for IdM.

IdM Standards

Web Services

Web services support IdM systems across private and public networks. They are aimed, as such, to connect heterogeneous systems. Several well known protocols, such as TCP/IP, belong here. The ones that have specific applications in IdM are:

• SOAP (W3C, formerly Microsoft): For transporting XML messages/remote procedure calls
• WSDL (W3C): Used to express the programming interface and location of a service
• Universal Description, Discovery and Integration (UDDI): Used to find and publish services
• Liberty Alliance Project: An organisation working mainly towards a solution/standard, they focus on the single sign on concept combined with federated identity.
• Microsoft .NET Passport: Primarily an organisational solution rather than standard. This provides a Microsoft managed authentication service for other web services/corporations.

Workflow

Workflow standards include:

• Business Process Execution Language (BPEL): Allows business processes (tasks) to be described by a combination of Web services and internal message exchanges.

Provisioning

Provisioning standards are hinted at from workflow standards (which ensure a process is followed by provisioning), but are otherwise not well covered, with one exception:

• Service Provisioning Markup Language (SPML) (OASIS)

IdM in NG Wireless Networks

Motivation

IdM issues were not critical in traditional telecommunication networks, because networks, applications, and billing for different services were not integrated. For example, if a service provider offers telephone, Internet access, and cable TV then all of these services are treated separately. Each service has its own subscriber database containing subscriber records and identity information.

IdM, in both concept and practice, has provided an effective alternative and complements to the existing security measures in enterprise networks. The NG wireless networks can be seen as a collective of organisations in addition to their customers. Considering its integrated nature, an IdM framework for NG wireless networks brings organisations closer than in the current telecommunications environment.

IdM in NG wireless networks will be more complex than enterprise and Web service solutions. It involves consolidation, management and exchange of identity information of users to ensure the users have fast, reliable, and secure access to distributed network resources across multiple service providers. Furthermore, NG wireless networks have to provide seamless and ubiquitous support to various services in a heterogeneous environment.

Carefully planned and deployed, IdM solutions in NG wireless networks can prevent fraud, improve user experience, assist in the rapid deployment of new services, and provide better privacy and national security. Conversely if it is not well planned and deployed, it can lead to identity theft, fraud, lack of privacy, and risk national security. In Australia, the cost of identity theft alone was estimated to be around $1.1 billion during 2001-2002 according to some 2003 SIRCA Research.

The digital identity information in NG wireless networks will be more complex because it has to cater to a number of mobility scenarios, access networks, and services. User identity could include a combination of names, unique user identifiers, terminal identifiers, addresses, user credentials, SLA parameters, personal profiles, and so forth.

The digital identity information has to be exchanged between various entities in the networks for the purpose of authentication, authorisation, personalised online configuration, access control, accountability, and so forth. IdM in NG wireless networks is expected to provide a mechanism for controlling multiple robust identities in an electronic world, which is a crucial issue in developing the next generation of distributed services (Buell & Sandhu, 2003).

Let us have a look at a typical access scenario in traditional networks (shown in Figure 1). In these networks, one organisation is often isolated from another since each organisation is running and providing its services independently. Each customer has a number of identity credentials and each credential can only be used to access services from one subscribed organisation.

An expected access scenario in NG wireless networks is illustrated as Figure 2. The NG wireless network subscriber is expected to use the same credential to access multiple organisations. Without a well designed IdM solution, it will not be possible to cater to the following: (1) accessing the subscribed organisations frequently, (2) increased frequency of handoff between multiple organisations in NG wireless networks, and (3) mutual authentication between subscriber and service provider, or between various service providers. A security breach on any component of the NG wireless networks will result in more severe consequences for all the other business partners. Therefore, in order to maintain a similar level of trust, reliability and profitability for the NG wireless networks, integrated IdM measures in NG wireless networks must be taken.

Benefits in NG Wireless Networks

A carefully researched IdM framework for NG wireless networks has a number of benefits for NG wireless networks users, operators, and service providers.

1. User experience is often improved as users can ubiquitously access services and applications of their choice over a number of service providers without going through separate logins and avoiding the need to remember multiple usernames and passwords or use multiple tokens.
2. Service delivery can be improved, for example, the time required to get new subscriber access is reduced.
3. It supports flexible user requirements and personalisation.
4. As with enterprise networks, there are numerous benefits such as reduction in the cost of new service launch, operation and maintenance (O&M) and increased return on investment (ROI) for NG wireless network operators and service providers.
5. IdM is expected to support distributed network architectures where entities communicate through open but secure interfaces.
6. It is necessary for seamless user mobility across networks and terminals.
7. A carefully researched and implemented IdM solution improves the security of the NG wireless networks and the user confidence in the use of the services.
8. IdM will assist in the efficient implementation of current and new legal and compliance initiatives about user data, behaviour and privacy.
9. IdM is expected to support number and service portability of users in an NG wireless network environment.

However, introducing an IdM solution can bring new forms of security issues and threats. As you
• User: A user refers to a person or entity with authorised access (The Health Insurance Portability and Accountability Act (HIPAA), 2005). In describing NG wireless networks, the term end user is often used to refer to a person or entity that uses network resources or services.
• User terminal: The user terminal is the device that is used by an end user to access the services provided by the NG wireless networks. It can be a mobile station (MS) or a laptop.

A unique universal identity will have to be assigned to each individual user of the NG wireless networks and to each user terminal that a user may use to access services of the NG wireless networks. Examples of such identity in Global System for Mobile Communications (GSM)/Universal Mobile Telecommunications System (UMTS) networks include the International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI). Users should have a single identity regardless of the access technology or network being used.
The user identity must possess sufficient features that enable it to be used in a variety of end user terminals (computer, mobile phone, landline phone). Additionally, the unique identity may be required to be compatible across several IdM systems.

Storage of User Information

User identity information may be stored in many locations: user card, home network, visited network, service providers, and so forth. Sometimes, the stored user information can be used as a credential for fast authentication, for example, HTTP cookies are adopted to facilitate quick access to protected Web sites. However, such kind of convenience can have a security risk as the security at user end is more likely to be compromised. NG wireless networks designers have to carefully decide how much information needs to be securely stored at user end. Any identity-related information stored at the user end has to be secure.

Exchange of User Identity

The unique identity allocated to a user should be treated confidentially. Sometimes, it is a risk to transmit the real identity of a user through radio or other public transmission mediums, like the Internet, or exchange it directly with unauthorised parties. Special measures must be taken to ensure that user identity is not disclosed during the exchanging process. One possibility to overcome this problem is to use a temporary user identity that is derived from the unique user identity and is valid for a fixed period of time. Once the validity of the temporary identifier is expired, a new temporary identity is generated. This way the real identity of a user is never compromised.

Self-Service

Self-service is the ability of a user to actively manage part of his or her records without requiring the intervention of help desk or support staff (Reed, 2002). This is an important requirement in all IdM systems. All NG wireless networks users should be able to securely manage some of their own identity information such as changing passwords, subscription status, choosing their mobility status, changing roaming authorisation, modifying user profiles, enabling location based services, and so forth. Users should also be able to modify content filtering options for upstream and downstream traffic.

Users should be able to view their up-to-date billing records and service usage patterns. To increase trust, users should be able to view their self-service activity journal, which displays all the self-service activities performed by a user.

An IdM system should be able to cater to situations where a user wants to delegate self-service privileges to another user such as maintaining accounts of family members.

Single Sign-On

An important user requirement of NG wireless networks is single sign-on. This means that once a user is authenticated, the user should have access to the entirety of their subscribed services without having to repeat the authentication process for each subscribed service.

Security and Privacy

cost, location, and so forth. The user should be able to move between the different access technologies with minimum configuration change and get access consistently to their services according to their user profiles.

Mobility

Mobility across heterogeneous environments requires service adaptation for terminal mobility as well as personal mobility (France Telecom, 2002). In the event of service difficulty during mobility, users should receive user friendly notification with choices of actions to restore the service without the need to contact support staff.

Another related implication is that a user, who is changing access networks during a session, should be able to continue to access the same service without repeated authentication. For example, a mobile user should be continuously attached to a network when there is a handover from a UMTS network to a wireless LAN (WLAN).
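
One way to realise the temporary user identity described under Exchange of User Identity above, shown as an added example that is not from the chapter: the home network derives a pseudonym from the permanent identity with a keyed HMAC over the current validity period, so the identifier rotates when the period expires and only the key holder can map it back. The HMAC construction, the one-hour validity, the 60-second grace window, and all names, the key and the sample IMSIs are assumptions.

```python
import hashlib
import hmac

VALIDITY_SECONDS = 3600  # assumption: one temporary identity per hour
GRACE_SECONDS = 60       # assumption: tolerance right after a rollover


class TemporaryIdentityService:
    """Home-network side: issues and resolves temporary identities."""

    def __init__(self, operator_key, validity=VALIDITY_SECONDS,
                 grace=GRACE_SECONDS):
        if len(operator_key) < 32:
            raise ValueError("operator key must be at least 256 bits")
        self._key = operator_key
        self.validity = validity
        self.grace = grace
        self._subscribers = set()
        self._tables = {}  # period -> {temporary id: permanent id}

    def register(self, permanent_id):
        self._subscribers.add(permanent_id)
        self._tables.clear()  # cached tables no longer cover everyone

    def _period(self, now):
        return int(now // self.validity)

    def _derive(self, permanent_id, period):
        # Keyed and one-way: without the operator key an observer can
        # neither recover the permanent identity nor link two periods.
        msg = period.to_bytes(8, "big") + permanent_id.encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def _table(self, period):
        if period not in self._tables:
            self._tables[period] = {
                self._derive(sub, period): sub for sub in self._subscribers
            }
            for old in [p for p in self._tables if p < period - 1]:
                del self._tables[old]  # forget long-expired identities
        return self._tables[period]

    def issue(self, permanent_id, now):
        """Return (temporary_id, expires_at) for the period containing now."""
        if permanent_id not in self._subscribers:
            raise KeyError("unknown subscriber")
        period = self._period(now)
        return self._derive(permanent_id, period), (period + 1) * self.validity

    def resolve(self, temp_id, now):
        """Map a temporary identity back, or None if unknown or expired."""
        period = self._period(now)
        candidates = [period]
        if now - period * self.validity < self.grace:
            candidates.append(period - 1)  # just rolled over: accept previous
        for p in candidates:
            permanent = self._table(p).get(temp_id)
            if permanent is not None:
                return permanent
        return None


def demo():
    # Constructed sample data: made-up IMSIs and a fixed demonstration key.
    svc = TemporaryIdentityService(bytes(range(32)))
    alice, bob = "001010000000001", "001010000000002"
    svc.register(alice)
    svc.register(bob)
    t0 = 1_700_000_000
    tmp, expires = svc.issue(alice, t0)
    return {
        "expires": expires,
        "valid": svc.resolve(tmp, t0 + 100),
        "grace": svc.resolve(tmp, expires + 30),
        "expired": svc.resolve(tmp, expires + 61),
        "rotated": svc.issue(alice, expires + 61)[0] != tmp,
        "distinct": svc.issue(bob, t0)[0] != tmp,
    }


if __name__ == "__main__":
    print(demo())
```

Only the temporary value crosses the radio link or the Internet; the lookup table that maps it back stays with the operator that holds the key.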
[Figure annotation: identities exchanging occurs at adjacent networks; labels: operator A, trusted third party]

Identity Requirements

The NG wireless networks operator should be able to maintain a unique identity for each user, terminal, network element, location area, and so forth, regardless of service and technologies used.

If the user is using faulty or dubious terminal equipment, it should be possible to bar services to the user.

The digital identity stored in a network should cater to various types of user identity information and data structures.

As in enterprise networks, proper implementation of account lifecycle management is required, that is, administrators should be able to manage the state of a user account for the complete span of that account. Even if an account is deleted or disabled, an audit history of the account should be maintained.

If necessary, the network operator should be able to remove self-service privilege of some users.

The IdM system should support open standards in order to interact with multi-vendor terminals and network elements. It should be compatible with existing legacy systems and be able to adapt to emerging technologies, methods, and procedures.

Scalability and Performance

The IdM system should be able to store, retrieve, and exchange billions of identity information in a highly seamless, scalable, quick, and efficient manner to facilitate multiple real-time service requests from users.

It should achieve a high level of availability by incorporating fault-tolerant redundant system implementation. Furthermore, it should implement geographically distributed IdM servers in order to increase performance efficiency by load sharing and providing high availability. It should also maintain integrity and consistency of identity data across distributed identity information stores.

Mobility Management

NG wireless networks should be able to cater to the mobility requirements of users. This could include personal and/or terminal mobility, roaming, or nomadism. Mobility management may require a combination of identification, authentication, access control, location management, IP address allocation and management, user environment management, and user profile management functions. The network should cater for both foreign network IP address and home network IP address allocation scheme.

Security

Security requirements for NG wireless network operators should cover privacy, confidentiality, integrity, authenticity, non-repudiation, availability, intrusion detection, and maintenance of audit records as described later on.

Users and terminals should be reliably authenticated by the network operator using a nominated set of authentication credentials such as passwords, smart cards, biometrics, and other industry standard
methods. All the identity data should be kept in a very secure and scalable manner. Unauthorised access to identity data should be prevented.

Intrusion detection is required to detect and prevent security breaches with the network operator. This can also be done to minimise the fraudulent use of resources in a network.

Network administrators should be granted different levels of access according to their authority within the organisation. For accountability and security reasons, consistent and reliable audit records of administrative activities must be kept.

In order to apply user and data security such as confidentiality, integrity, and authenticity, the IdM system should securely store and exchange relevant encryption keys.

Billing

Up-to-date, accurate, and detailed billing information should be maintained by the network operator. When there is more than one source sending billing data, the network operator has to consolidate this information from various sources.

Furthermore, when a subscriber is roaming in a foreign network, charging records from that foreign network have to be authenticated to prevent fraudulent usage of services.

The network operator should be able to support a number of charging mechanisms such as charging based on usage, access networks, time, geographical area, and so forth. All of these different charging mechanisms should be compatible with the IdM system.

Service Provider Requirements

A user may require services from a number of service providers. In this scenario, the home operator and the service provider(s) should support secure access and exchange of user identity and billing information.

The identity of each user should be uniquely and reliably identified by a service provider. The service providers may have to rely on third party IdM providers where the user has already established an account.

The IdM and related systems should support open standards with choices of number of technologies in order to interoperate with other entities.

Interface to Other Service Providers

Users may subscribe to the services offered by different service providers. Thus, the interoperability among service providers is important. User identity information may be exchanged between a group of service providers in order to improve “transparent user experience.” This also requires trust to be established between these service providers.

Interface to Network Operator

A well-defined, open interface needs to be provided to the network operator at the service provider end. This would give service provider the necessary authentication, authorization and accounting (AAA) to access network resources offered by network operator.

Interface to Trusted Third Party

An interface to trusted third party would give service provider an opportunity to use external AAA services. By doing so, the complexity of implementation of services would be reduced. The authentication of users can be centralised.

Mobility Management

Some services require information about the current location and connectivity of subscribers. These are referred to as location-dependent or location-aware services. To provide such services to end users, a service provider must be able to access mobility-management-related information maintained by network operators. Subscribers have to consent to the release of this sensitive private information to service providers. Furthermore, when there are updates to location or mobility management data in the network operator, the updates have to be passed to the subscriber.
2001). Legal interception of subscriber data should be possible whichever network or service a subscriber is using.

References

Buell, D. A., & Sandhu, R. (2003). Identity management. IEEE Internet Computing, 7(6), 26-28.

Cisco Systems. (2005). Trust and identity management solutions. Retrieved 2005, from http://www.cisco.com/en/US/netsol/ns463/networking_solutions_package.html

Clercq, J. D., & Rouault, J. (2004, June). An introduction to identity management. Retrieved 2005, from http://devresource.hp.com/drc/resources/idmgt_intro/index.jsp

Council of Europe. (2001). ETS No. 185—Convention on cybercrime. Article 21, European Treaty Series (ETS). Retrieved 2005, from http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm

Courion. (2005). Courion products overview: Enterprise provisioning. Retrieved 2005, from http://www.courion.com/products/benefits.asp?Node=SuiteOverview_Benefits

DIGITALIDWORLD. (2005). What is digital identity? Retrieved July 2005, from http://www.digitalidworld.com/local.php?op=view&file=aboutdid_detail

France Telecom. (2002). Inter-network mobility requirements considerations in NGN environments. Study Group 13—Delayed Contribution 322, Telecommunication Standardization Sector (WP 2/13). Retrieved 2004.

The Health Insurance Portability and Accountability Act (HIPAA). (2005). Glossary of HIPAA terms. Retrieved 2005, from http://hipaa.wustl.edu/Glossary.htm

International Telecommunication Union-Telecommunication Standardization Sector (ITU-T). (2004). NGN-related recommendations. Study Group 13 NGN-WD-87.

Locke, M., & McCarthy, M. (2002). Realising the business benefits of identity management: FUJITSU SERVICES.

Pato, J., & Rouault, J. (2003, August). Identity management: The drive to federation. Retrieved 2006, from http://devresource.hp.com/drc/technical_white_papers/id_mgmt/index.jsp

Reed, A. (2002). The definitive guide to identity management (e-Book). Retrieved from http://www.rainbow.com/insights/ebooks.asp

Titterington, G. (2005, July). Identity management: Time for action. Ovum’s Research Store.

Key Terms

Access Control: Access control is used to determine what a user can or cannot do in a particular context.

Auditing and Reporting: Auditing and reporting involves the creation and keeping of records, whether for business reasons (e.g., customer transactions), but also for providing a “trail” in the event that the system is compromised or found faulty.

Authentication: Authentication is the process by which an entity provides its identity to another party, for example, by showing photo ID to a bank teller or entering a password on a computer system.

Authorization: Authorisation is the process of granting access to a service or information based on a user’s role in an organisation.

Context: Context can refer to the type of transaction or organisation that the entity is identifying itself as well as the manner that the transaction is made.

Digital Identity: Digital identity is the means that an entity can use to identify themselves in a digital world (i.e., data that can be transferred digitally, over a network, file, etc.).

Identity: The identity of an individual is the set of information known about that person.
Network Operator: Network operator is defined as a legal entity that operates, deploys, and maintains network infrastructure.

Profile: A profile consists of data needed to provide services to users once their identity has been verified.

User: A user refers to a person or entity with authorised access.

User Terminal: The user terminal is the device that is used by an end user to access the services provided by the NG wireless networks.
Chapter V
Wireless Wardriving
Luca Caviglione
Institute of Intelligent Systems for Automation (ISSIA)—Genoa Branch, Italian National Research
Council, Italy
Abstract
Wardriving is the practice of searching wireless networks while moving. Originally, it was explicitly
referred to as people searching for wireless signals by driving in vans, but nowadays it generally iden-
tifies people searching for wireless accesses while moving. Despite the legal aspects, t
connectivity” spawned a quite productive underground community, which developed powerful tools,
relying on cheap and standard hardware. The knowledge of these tools and techniques has many useful
aspects. Firstly, when designing the security framework of a wireless LAN (WLAN), the knowledge of
the vulnerabilities exploited at the basis of wardriving is a mandatory step, both to avoid penetration
issues and to detect whether attacks are ongoing. Secondly, hardware and software developers can design
better devices by avoiding common mistakes and using an effective suite for conducting security tests.
Lastly, people who are interested in gaining a deeper understanding of wireless standards can conduct
experiments by simply downloading software running on cost effective hardware. With such preamble,
in this chapter we will analyze the theory, the techniques, and the tools commonly used for wardriving
IEEE 802.11-based wireless networks.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
networks without activating any confidentiality, integrity, and availability (CIA) mechanisms: opportunity makes the thief. Then, wardriving becomes a less noble hobby, since many wardrivers also try to gain access to the discovered networks; many of them are only interested in cracking the network, while a portion will steal someone else's bandwidth. In this perspective, another basic step has been introduced: (4) trying to gain access to the WLAN.

It is also interesting that wardriving is becoming part of the urban culture. For instance, it spawned a strange fashion called warchalking, that is, the drawing of symbols in public places to advertise wireless networks, as defined by Matt Jones (as cited in Pollard, 2000).

Then, why is it important to know about wardriving?

Firstly, because you must become conscious that an active WLAN can trigger "recreational activities," even if it is solely employed to share a printer. Secondly, the coordinated effort of many people highlighted several security flaws in the IEEE 802.11 standards and produced effective tools to test (well, actually, to compromise) the security of access points (APs). Thirdly, while performing their "raids," wardrivers discovered flaws in the devices; consequently, this is valuable knowledge that could be used to avoid further errors. Lastly, trying to be a wardriver is an instructive activity that will help to better understand WLAN technologies, develop your own auditing tools and procedures, and prevent, or at least recognize, attacks.

Nevertheless, many wardrivers do prefer a Personal Computer Memory Card International Association (PCMCIA) wireless card that can be connected to an external antenna to sense a wider area. With this basic setup you should be able to enable the wireless interface and start scanning the air. But, in order to conduct more sophisticated actions, a deeper understanding of aspects related to hardware and software should be gained. A detailed breakdown follows.

Wireless Interfaces

Each model of wireless interface differs in some way. Regardless of different power consumption, better antennas, and so on, two major aspects must be taken into account: the chipset and the availability of ad hoc drivers. The chipset roughly represents the soul of a wireless interface and it is mostly responsible for its capability. For instance, some chipsets do not allow assembling ad hoc frames, which prevents particular attacks from being carried out. The reasons are different: the chipset could lack the logic to deal with raw packets, or its specification is not known, discouraging tool developers from exploiting such functionalities. At the time of this writing, cards based on the Prism chipset are the most studied and documented, resulting in a variety of pre-made tools for preparing packets.[1] Lastly, since the interfaces are engineered for providing connectivity and not for this kind of task, manufacturers often change the internal chipset while maintaining the model or the brand name. This is why not all wireless cards are the same, and you should check their specifications carefully if you plan to use them for wardriving.
The importance of drivers becomes evident when you scan the air for a network. Almost all of the bundled drivers do not allow you to perform the so-called passive scan. Passive scan implies that your interface operates in passive mode, often called radio frequency monitoring (rfmon) mode. While you operate in rfmon, you can scan APs and remain undetectable, since your card does not send any probe packets.

Conversely, when acting in active mode, which is the standard configuration, as soon as you start looking for an AP, you will be revealed. The ability to switch from active to passive mode and vice versa is provided by the drivers. Many drivers do not provide this functionality, while others have this functionality hidden and must be reverse engineered.

For the most popular chipsets, alternative drivers that allow the user to put the card in rfmon are available. If you plan to do undercover work, you should check the driver availability.

However, the active mode is faster than the passive mode. While operating in passive mode, the average time needed for scanning a channel is about 50 ms. Obviously, scanning multiple channels requires n • 50 ms. Conversely, when performing scanning operations in active mode, the needed time is lower. In fact, the operations required are: transmitting a probe request + waiting for a DCF IFS interval + transmitting a probe response. The overall time needed per channel is roughly equal to 0.45 ms. Again, scanning n channels increases the needed time accordingly (Ferro, 2005).

An Example of Driver Hacking

As said, the ability to enable an air interface in rfmon could be available in the driver, but not documented. This is the case of the driver for the AirPort Extreme wireless adapters bundled with MacOS X. This example is introduced for didactical purposes, stressing how a simple "hack" can transform a partially closed platform into an excellent wardriving configuration.

In a nutshell, OSX drivers are implemented via kernel extensions (kexts) that are similar to Linux's modules. Every kext is bundled with a kind of configuration file called Info.plist. The Info.plist is an XML file containing a dictionary that describes the properties of the kext it belongs to. The "hack" consists of a simple operation (i.e., changing a string) but it took time to discover.

Firstly, the proper Info.plist must be located. In a console type:

    Mud:Luca$ cd /System/Library/Extensions/AppleAirPort.kext/Contents/

Hence, you can see the content of the kext by simply typing:

    Mud:Luca$ ls
    Info.plist MacOS version.plist

Then, it is possible to modify the Info.plist:

    Mud:Luca$ vim Info.plist

The key responsible for enabling rfmon follows, in boldface:

    <key>IOKitPersonalities</key>
    <dict>
        <key>Broadcom PCI</key>
        <dict>
            <key>APMonitorMode</key>
            <false/>

Switching the dictionary entry <false/> to <true/> enables the AirPort Extreme card in rfmon. However, such a task could be performed programmatically. This is the approach taken in KisMAC, which is popular among wardrivers. As an example, the Objective-C code snippet checking whether or not the wireless interface is in rfmon is depicted in Snippet 1.

Snippet 1. How to programmatically retrieve if an AirPort card is configured in rfmon

    // (1) Obtain a handle to the proper Info.plist file.
    NSData *fileData = [NSData dataWithContentsOfFile:
        @"/System/Library/Extensions/AppleAirPort2.kext/Contents/Info.plist"];
    // (2) Parse the property list into a dictionary.
    NSDictionary *dict = [NSPropertyListSerialization propertyListFromData:fileData
        mutabilityOption:kCFPropertyListImmutable format:NULL errorDescription:nil];
    // (3) Check APMonitorMode; the key path uses the "Broadcom PCI" key shown in the plist above.
    if ([[dict valueForKeyPath:@"IOKitPersonalities.Broadcom PCI.APMonitorMode"]
            boolValue]) return YES;

Roughly, the steps presented in Snippet 1 allow the user to: (1) obtain a handler to the proper Info.plist file; (2) prepare a dictionary for parsing the Info.plist; and (3) check if the <APMonitorMode> key is <false/> or <true/>.

The Operating System and Other Matters

Needless to say, the operating system (OS) plays a role. For instance, when processing data for
bruteforcing an encrypted flow, a good symmetric multi process (SMP) support is a must (as well as a good multi-threaded implementation).

In addition, many APs can reject data from unrecognized MAC addresses: for this reason, having an OS that allows the user to change the MAC address of active interfaces is important. Lastly, many tools only run on *nix operating systems. However, the traffic collection phase could be decoupled from the processing, hence allowing the user to collect data on a machine and process it on another. As a consequence, simple devices (e.g., with low computational power) could be employed to collect data and discover APs (e.g., PDAs and portable gaming devices), while a standard PC could be used for processing the collected traffic.

XOR Arithmetic and CRC32 in a Nutshell

In order to understand the security mechanisms, and possible attacks, a little remark about eXclusive OR (XOR) arithmetic and the properties of CRC32 functions, employed for data checking, is presented. Basically, the XOR operator respects the properties presented in Table 1.

Table 1. Basic XOR arithmetic (⊕ represents the XOR operator)

| Operation | Result |
|---|---|
| 0 ⊕ 0 | 0 |
| 1 ⊕ 0 | 1 |
| 1 ⊕ 1 | 0 |
| (A ⊕ B) ⊕ A | B |
| (A ⊕ B) ⊕ B | A |

Concerning the CRC32, it is employed to check data and to assure integrity. It does not have the cryptographic strength of other hashing algorithms, such as the MD5 and the SHA1 (Schneier, 1996). The CRC32 employed in the wired equivalent privacy (WEP) algorithm has two major properties, as presented in Table 2.

About the Security of IEEE 802.11

The IEEE 802.11 security framework has changed during the years: from the flawed WEP, to the wireless protected access (WPA) introduced by the Wi-Fi alliance in late 2002. However, since mid-2004, the IEEE 802.11i Working Group (WG) introduced a framework based on the 802.1X and the extensible authentication protocol (EAP), to bring the wireless security to the next level; such effort is known as WPA2.

Even if highly criticized, the security mechanisms proposed by different WGs have been developed having in mind different operative contexts. For instance, the WEP (as the name suggests) has been developed to prevent simple connection attempts, while WPA has been developed to offer an adequate resistance to well-planned attacks. Currently, an average wardriver can: surely connect to an unprotected AP, spend 10 minutes to 1 hour to break the WEP, and crack a WPA-protected AP in some of its weak variants and well-suited circumstances. In order to understand the common techniques employed by wardrivers, the commonly adopted security countermeasures will be briefly explained.
| Property | Application |
|---|---|
| Linearity | CRC32(A ⊕ B) = CRC32(A) ⊕ CRC32(B) |
| Independence of WEP Key | It is possible to flip bits without being recognized by the WEP |
[Figures 1 and 2 (not reproduced): the message M' and the Seed]
points, let us summarize its basic functionalities. The WEP performs the encryption per packet; let a given packet M represent a message in clear form to be sent. Hence, the following steps happen:

A 32-bit cyclic redundancy check (CRC) algorithm is applied to M in order to produce a checksum. Then: CSum = CRC32(M). Basically, a CRC is introduced to assure message integrity. However, the use of CRC-like codes in this kind of environment has been proven to be very dangerous.

Let us define M' as the message actually processed by the WEP algorithm, hence to be really sent over the channel. M' is depicted in Figure 1.

Then M' is encrypted by using the RC4 algorithm, which relies on a stream cipher approach. Thus, the actual Seed used by the WEP is the combination of a 24-bit initialization vector (IV) and the WEP key, as depicted in Figure 2.

Referring to Figure 2, two different WEP keys are available: 40-bit long keys adopted in the standard implementation, or 104-bit long keys adopted in the extended implementation, which has been introduced to prevent brute force attacks. Here comes the marketing: a "64bit WEP secured network" actually relies only on 40-bit long keys, since 24 bits represent the IVs. For the same reason, a "128-bit WEP secured network" only relies on 104-bit keys.

Splitting the Seed in two sub parts (the IV and the WEP key) is one of the major flaws of the procedure. However, the reason is rooted both in the nature of the RC4 and wireless channels. The RC4 has been used in the WEP since it is widely adopted and well studied. But its application over wireless channels poses some drawbacks. In fact, wireless channels frequently drop packets, thus maintaining a proper synchronization in the stream to allow the decryption operations is a challenging task. Consequently, to overcome the possibility of packet loss and stream de-syncing, each encrypted packet is sent along with the IV that generates its keystream. This represents another weakness in the algorithm, since it allows a wardriver (attacker) to seamlessly collect IVs.

Concluding, the ciphered text C is provided by:

    C = M' ⊕ RC4Key

where ⊕ represents the XOR operator, and RC4Key is the keystream generated by the RC4 algorithm by feeding it with Seed. Figure 3 depicts a WEP-encrypted packet that could be collected and exploited by a wardriver. Needless to say, IVs convey precious information, and in the following, we show how standard tools can exploit this.
Figure 3. A WEP encrypted frame. Notice that the IV is sent as clear text.
[Frame layout: IV (24 bit) | C]
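The per-packet steps above and the two CRC32 properties of Table 2 can be checked on constructed data. The following Python sketch is an added example, not code from the chapter or from any tool it describes; it assumes that M' is M followed by CSum and that CSum is serialised little-endian, and the key, IV and messages are constructed. It shows that a CRC32 checksum under a stream cipher does not detect a deliberate modification, and that two frames sharing an IV leak the XOR of their contents.

```python
import zlib

IV_LEN = 3  # 24-bit IV, sent in clear in front of the ciphertext C


def rc4(seed: bytes, n: int) -> bytes:
    """Return n keystream bytes of RC4 seeded with `seed` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def csum(m: bytes) -> bytes:
    """CSum = CRC32(M), serialised little-endian (assumed byte order)."""
    return zlib.crc32(m).to_bytes(4, "little")


def wep_encrypt(iv: bytes, key: bytes, m: bytes) -> bytes:
    m_prime = m + csum(m)                    # M' = M followed by CSum (assumed layout)
    keystream = rc4(iv + key, len(m_prime))  # Seed = IV followed by the WEP key
    return iv + xor(m_prime, keystream)      # frame = IV in clear, then C


def wep_decrypt(key: bytes, frame: bytes):
    """Return (M, checksum_ok) as a receiver holding the key computes it."""
    iv, c = frame[:IV_LEN], frame[IV_LEN:]
    m_prime = xor(c, rc4(iv + key, len(c)))
    m, received = m_prime[:-4], m_prime[-4:]
    return m, received == csum(m)


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """Table 2 'linearity', stated exactly for equal-length inputs:
    CRC32(A xor B) = CRC32(A) xor CRC32(B) xor CRC32(all-zero input)."""
    zeros = bytes(len(a))
    return csum(xor(a, b)) == xor(xor(csum(a), csum(b)), csum(zeros))


def keyless_modify(frame: bytes, delta: bytes) -> bytes:
    """XOR `delta` into the hidden M and fix up CSum without using the key."""
    iv, c = frame[:IV_LEN], frame[IV_LEN:]
    if len(delta) != len(c) - 4:
        raise ValueError("delta must be as long as M")
    patch = delta + xor(csum(delta), csum(bytes(len(delta))))
    return iv + xor(c, patch)


def demo():
    key = bytes.fromhex("0102030405")          # constructed 40-bit WEP key
    iv = bytes.fromhex("00002a")               # constructed IV
    m1, m2 = b"PAY 0100 EUR", b"PAY 0200 USD"  # constructed messages
    f1, f2 = wep_encrypt(iv, key, m1), wep_encrypt(iv, key, m2)
    delta = bytes(4) + bytes([0x09]) + bytes(7)  # '0' xor '9' at offset 4
    blind = bytearray(f1)
    blind[IV_LEN + 4] ^= 0x09                  # same flip, CSum left untouched
    return {
        "roundtrip": wep_decrypt(key, f1),
        "tampered": wep_decrypt(key, keyless_modify(f1, delta)),
        "blind_flip_ok": wep_decrypt(key, bytes(blind))[1],
        # Same IV and key give the same keystream, which cancels out (Table 1).
        "iv_reuse_leak": xor(f1[IV_LEN:], f2[IV_LEN:])[:len(m1)] == xor(m1, m2),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The receiver accepts the modified frame because the checksum correction depends only on the change and on the message length, never on the key; a keyed message authentication code, as used by the later 802.11 security frameworks, removes this property.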
Many APs allow changing the power employed for transmitting data. However, many users keep the default values or use more power than required. Besides the waste of energy, this also raises some security risks. For instance, if there is the need of covering a conference room, it is harmful to ir-

As discussed in the Understanding the effective strength of the WEP section, WEP offers different alternatives to be attacked and cracked. In this section, we will introduce the most popular attacks, and then we will present some practical examples. Besides, attacks could be roughly grouped in two categories: passive and active. A passive attack solely relies on the traffic collected, while an active attack also consists in injecting some additional traffic in the network. For instance, active attacks are employed to stimulate the traffic to collect if there are not any clients connected to an AP at a given time. The latter techniques will be presented when needed, then in the Example section.

Bruteforce Attacks

Every security algorithm is exposed to bruteforce attacks. The key point is whether a bruteforce attack is feasible. As said, WEP exists in two variants.

Concerning the 40-bit standard implementation, a bruteforce attack could be feasible. Probably, an occasional attacker will have a machine that can check 10,000 to 15,000 keys/second; hence, it is not sure that he/she will complete the attack (on an average laptop, 200 days are required). But an organization or a professional attacker can try to successfully bruteforce the WEP in the 40-bit variant. Nevertheless, nowadays there are several software libraries for parallelizing computations, as well as software tools for building clusters (e.g., Beowulf or Mosix for the Linux platform and XGrid for MacOS X). Owing to the availability of the source code of bruteforcing tools, porting them to such frameworks could be possible. Actually, bruteforce is never employed, since it is possible to successfully crack the WEP in simpler and quicker ways.

Conversely, the 104-bit long key available in the WEP extended implementation is immune against bruteforce attacks (with standard gear, about 10^19 years are needed).

The Tim Newsham's 21-bit Attack

Tim Newsham is a well-known security expert and consultant. Among wardrivers he is very popular for inventing the 21-bit attack (Newsham, 2003), which allows bruteforcing some WEP implementations in minutes.

Basically, Newsham noticed that several vendors generate WEP keys from text, in order to make easy-to-use products and cover a wider market range. Usually, the user must insert a pass phrase, something like: "Ken sent me" and the wizard will automatically generate a WEP key. However, many generators appear to be flawed. He discovered that two steps in the generation process reduce the "strength" of the key; specifically:

1. The ASCII mapping reduces the entropy: usually ASCII strings are mapped to a 32-bit value and the XOR operation guarantees four zero bits. In addition, the highest order bit of each character is equal to zero. Then, only seeds from 00:00:00:00 to 7f:7f:7f:7f can occur.
2. The use of Pseudo Random Number Generation (PRNG) reduces the entropy: for each 32-bit output, only a portion of the available binary word is considered (e.g., bits 16 through 23). Besides, the generator has the property of generating bits with different degrees of "randomness." For instance, a bit in position k has a cycle length of 2^k. Then, Newsham noticed that the produced bytes have a cycle length of 2^24, thus reflecting in seeds ranging from 00:00:00:00 to ff:ff:ff:ff.

In order to discover the key, it is sufficient to consider seeds ranging from 00:00:00:00 through 00:7f:7f:7f with zero highest order bits, hence reducing the space and only analyzing 2^21 words. As a consequence, it is possible to bruteforce such flawed implementations in minutes. The most popular implementation of Newsham's 21-bit attack is available in the KisMAC tool. According to the KisMAC documentation, Linksys and D-link devices appear, at the moment, the most vulnerable to this attack.

Weak IVs

This attack relies on how the RC4 is used to produce a WEP-encrypted stream. Basically, some IVs can reveal some information about the secret key embedded in the first byte of the keystream. Then it is enough to collect a sufficient number of weak IVs and, if the first byte of the keystream is known, it is possible to retrieve the key.
[Figure (not reproduced): network diagram labelled AP, Internet, Target, Known Encrypted Packet, Wardriver, WLAN]
stream is 1,500 bytes long at maximum, owing to the maximum MTU available, and the adoption of a 24-bit IV produces 16,777,216 (2^24) possible streams. Hence, the required space is 16,777,216 • 1,500 = 23.4 Gbytes.

With the advent of PCMCIA cards, and their poor implementation of the policies to generate IVs, the adoption of a dictionary-based attack became feasible. In fact, many PCMCIA wireless cards reset the IV to 0 each time they are re-initialized. Re-initialization happens each time they are activated (e.g., typically once a day in many circumstances). Then it is sufficient to build a dictionary only for the very first values of IVs, in order to decrypt most of the flowing traffic.

Examples

In this section, we will briefly present some possible attacks against a WEP-secured network. Firstly, we will show how to attack a network by using KisMAC, a tool running on MacOSX with a simple GUI. Then we will show how to use standard terminal-based tools commonly available for different Unix flavors. As a remark, we will not spend too much time on explaining bruteforce or dictionary attacks. In fact, WEP could be cracked in a more elegant way; conversely, owing to its better security, we will explain bruteforcing and dictionary attacks in the section devoted to WPA. Such concepts could be straightforwardly extended also to WEP.

WEP Attack via KisMAC

Let us show an attack performed against a WEP-secured network. Firstly, we show how to crack a network with KisMAC. This gives an idea of how simple it might be. After launching KisMAC, one can start the scanning. If supported, one can select whether to adopt passive or active scanning. Figure 5 depicts the result of a scan.

Then, if there is the need of cracking the WEP, different actions could be performed. Firstly, one can try the Newsham's 21-bit attack, or try to bruteforce the WEP, but owing to the "information" conveyed by the IVs, quicker solutions could be adopted.

Two things may happen: (1) the network is experiencing a huge amount of traffic, hence producing a huge amount of IVs. In this perspective, an attacker must only wait to collect a sufficient number of IVs to perform a suitable attack; or (2) the network is under a low load, hence the time needed to collect a sufficient amount of IVs is non-negligible. Then, it is possible to stimulate traffic by using the de-authentication attack or injecting well-crafted packets; Figure 6 depicts possible attacks to stimulate traffic, while Figure 7 depicts the "fake" stations that populate the attacked wireless network.

Figure 5. Scan result provided by the KisMAC tool
Figure 6. How to stimulate traffic in a WEP-secured network
Figure 7. The network has been attacked with an authentication flood. Notice the random MAC addresses.

WEP Attack via Terminal-Based Tools

Firstly, let us start searching for a network. For doing this, let us use airodump. Airodump allows collecting traffic from a wireless interface. It could be possible that you have airodump-ng instead, since it represents the evolution of the aircrack wireless suite. We will refer to the classical tool, since it could be possible that you already have it, especially if your configuration is not up-to-date; however, the concepts, as well as its usage, are the same.

Supposing the tool is properly installed, it is sufficient to type in a terminal:

    Mud:Luca$ ./airodump cardName theTrafficFile 0 loggingMode

Here, ./airodump launches the tool, cardName is the name of the card used to monitor the air, theTrafficFile is the output file collecting data. The parameter 0 specifies that we want to hop channels, while loggingMode allows switching between logging all traffic or only IVs.

If we have collected enough IVs, we can try to crack the WEP by using aircrack. A couple of remarks: (1) the traffic collection and the cracking phases are decoupled. Then you can perform an attack off-line (not hidden in a parking lot); (2) it is possible to collect data with well-known sniffers, such as Wireshark (formerly known as Ethereal). For instance, under Linux it is possible to use airmon-ng to configure the wireless card, then using Wireshark to collect traffic. By using ivstool from the aircrack-ng suite you can convert IVs from .pcap format to the aircrack one.

Then, you can crack a network by typing:

    Mud:Luca$ ./aircrack -b MAC theTrafficFile

Here, -b MAC specifies the MAC address (or the BSSID) of the target network. In fact, your dump could have collected traffic from different networks. The needed number of IVs varies: if your traffic dump is blessed, collecting 0, 1 IVs suffices. Usually, the needed number of IVs ranges from 250,000 to 500,000. However, some advanced APs have algorithms that avoid the generation of weak IVs, hence reflecting in a huge number of needed IVs (in the order of several millions).

If there is not enough traffic on the network, collecting IVs could be a tedious (or at least time consuming) task. Moreover, if a sophisticated AP is employed, collecting 0, 5 IVs with a traffic of few packets per second could be impossible. Then, it is possible to stimulate traffic on the WLAN, in order to increase the number of packets sent, hence speeding up the collection of IVs.

For instance, by using the aircrack suite, it is possible to exploit the so-called address resolution protocol (ARP) replay.[2] Roughly, ARP relies on broadcasting a request (an ARP Request) for an IP address, in order to discover the matching between L2 and L3 addressing. The device that recognizes its IP address sends back a query directly to the original requestor. Alas, WEP does not assure protection against replay attacks. So you can inject well-crafted ARP packets and generate answers containing valid IVs. Needless to say, the more aggressive your ARP generation strategy is, the more packets you will collect (thus, reducing the time needed to collect a certain x amount of valid IVs).

To perform an ARP replay attack you can use the tool as follows (notice that you must also have a sniffer running in order to capture replies).

    Mud:Luca$ ./aireplay-ng --arpreplay -b MACAP -h TMAC Interface

./aireplay-ng launches the tool, the --arpreplay flag specifies to perform the ARP replay attack, -b MACAP specifies the MAC address of the AP and -h TMAC specifies the MAC of the target (victim) host. Lastly, Interface tells the program which wireless interface must be used.

If everything is correct, the attack starts generating more traffic.
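The traffic stimulation techniques above leave recognizable traces in a capture: a replayed frame repeats the same IV and ciphertext many times, an authentication flood shows many never-seen sender addresses in a short time (Figure 7), and a de-authentication attack shows as a burst of management frames. The following Python sketch is an added example for the monitoring side, not part of the chapter or of the aircrack suite; the frame record fields, the thresholds and the sample capture are constructed assumptions.

```python
from collections import Counter, defaultdict

BSSID = "00:11:22:33:44:55"   # constructed AP address


def detect(frames, window=10.0, replay_min=5, deauth_min=10, auth_src_min=8):
    """Return sorted alerts (kind, bssid, detail, count) for a list of frames.

    Thresholds are illustrative assumptions; tune them on a baseline capture.
    """
    copies = Counter()               # identical (IV, ciphertext) per BSSID
    deauths = Counter()              # deauth/disassoc frames per time slot
    auth_sources = defaultdict(set)  # distinct senders of auth frames per slot
    for f in frames:
        slot = (f["bssid"], int(f["ts"] // window))
        if f["type"] == "data":
            copies[(f["bssid"], f["iv"], f["body"])] += 1
        elif f["type"] in ("deauth", "disassoc"):
            deauths[slot] += 1
        elif f["type"] == "auth":
            auth_sources[slot].add(f["src"])
    alerts = []
    # A sender normally uses a new IV per frame, so many byte-identical frames
    # mean a captured frame is being retransmitted (WEP has no replay protection).
    for (bssid, iv, _body), n in copies.items():
        if n >= replay_min:
            alerts.append(("replayed-frame", bssid, "iv=" + iv, n))
    for (bssid, slot), n in deauths.items():
        if n >= deauth_min:
            alerts.append(("deauth-burst", bssid, "slot=%d" % slot, n))
    for (bssid, slot), srcs in auth_sources.items():
        if len(srcs) >= auth_src_min:
            alerts.append(("auth-flood", bssid, "slot=%d" % slot, len(srcs)))
    return sorted(alerts)


def frame(ts, kind, src, iv="", body=""):
    return {"ts": ts, "type": kind, "src": src, "bssid": BSSID,
            "iv": iv, "body": body}


def baseline_frames():
    """Constructed normal traffic: one client, a fresh IV for every frame."""
    client = "02:00:00:00:00:01"
    out = [frame(0.0, "auth", client)]
    for i in range(50):
        body = "%08x" % (i * 2654435761 % 2**32)   # distinct dummy ciphertext
        out.append(frame(0.5 + i * 0.4, "data", client, "%06x" % i, body))
    out.append(frame(21.0, "deauth", client))
    return out


def attack_frames():
    """Constructed capture: baseline plus replay, deauth burst and auth flood."""
    out = baseline_frames()
    for i in range(40):                            # one frame seen 40 times
        out.append(frame(30.0 + i * 0.01, "data", "02:00:00:00:00:01",
                         "00beef", "a1b2c3d4"))
    for i in range(12):
        out.append(frame(40.0 + i * 0.1, "deauth", BSSID))
    for i in range(9):                             # 9 never-seen senders
        src = "02:%02x:5e:10:%02x:%02x" % (i * 37 % 256, i, 255 - i)
        out.append(frame(50.0 + i * 0.1, "auth", src))
    return out


if __name__ == "__main__":
    for alert in detect(attack_frames()):
        print(alert)
```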
a smart step could be to investigate sites publishing WLANs, in order to discover if yours has been detected and cracked.
2. Check for (almost weekly) security bulletins (e.g., BugTraq). Gear is composed not only of hardware, but also of software (e.g., the firmware) that could have vulnerabilities. For instance, one of the most famous was related to an AP that upon receiving a broadcast user datagram protocol (UDP) packet on port 27155 containing the string "getsearch" returned (in clear) the WEP keys, the MAC filtering database and the admin password (a big prize, indeed).
3. Periodically download and try the tools. It is useful, funny, and gives an idea of the activity of the underground community.

Avoid Default Configurations (Always)

It is widely known that default configurations are most of the time fine for normal users, but not particularly tweaked for security. For instance, in the Wireless power section we discussed some possible risks arising when too much transmission power is employed. Besides, another threat lies in default names for the SSID, which can be employed to uncloak a hidden network, even without special tools. For instance, it is well known that many Cisco APs use "tsunami" as default SSID, and that Linksys uses "linksys." Nevertheless, it is possible to retrieve them by performing a simple Web search (moreover it is possible to retrieve SSID naming schemas for hotels, retailers, and popular Internet cafès…). Lastly, a good suggestion is to change also the default password of your gear, since a malicious attacker (that normally is not a wardriver, but a vandal) can try to alter the AP configuration.

Browse the Source and Use the Tools

Owing to the availability of the tools, it is a better idea to try to be a wardriver sometimes, in order to test your own set-up, as well as the configuration made by your users (e.g., students, colleagues, or customers). Besides, studying the tools and collecting the traces is mandatory to discover possible attacks, for instance by recognizing unusual probes or excessive de-association requests.

Do Not Rely on Weak Passwords

As explained in the previous section, bruteforcing a WLAN will always be possible. WEP makes bruteforcing useless (owing to its flaws), but WPA-PSK can only be exploited by using a dictionary attack. Hence, the strength of your WLAN depends on the password. Use a good policy to create and distribute passwords and change them often. Do not forget that hundreds of people collaborate to produce dictionaries with the most popular passwords, also the most disparate ones (and also in leet variant – l33t v4r1aNt).

Tools

NetStumbler (www.netstumbler.com): NetStumbler is a program for the Windows™ operating system that detects WLANs. It is quite a handy tool for locating WLANs but it does not have all the features and the flexibility of the Aircrack-ng suite.

Kismet (www.kismetwireless.net): Kismet allows monitoring and sniffing traffic over a WLAN. In addition, it can also be adopted as an intrusion detection system. Kismet is able to identify networks both in active and passive mode. Besides, it also offers many other features, such as BSSID uncloaking. Kismet supports many wireless cards and many OSs, as well as many CPUs (e.g., x86, ARM, PPC, and X-Scale); however, some features are only available on the Linux-x86 version.

KisMAC (http://KisMAC.de/): KisMAC is the counterpart of Kismet, but it runs natively on MacOSX and it is easy to use, owing to its simple GUI.

Aircrack-ng (http://www.aircrack-ng.org): Aircrack-ng is a comprehensive suite of tools, ranging from analyzers and sniffers to cracking tools. Sources and scripts are available, promoting aircrack-ng as one of the best tools and a starting point for developing automated (e.g., cron-driven) or tweaked wardriving tools.

Summary Table About Wardriving Attacks

In this section, we summarize many security threats deriving from wardrivers' activity, by offering a comprehensive table. In addition, we will also introduce some "security risks" in order to better calibrate the needed countermeasures. Security risks have been quantified on a range varying from 0 (none) to 10 (severe). However, the more security is employed in the WLAN, the better. But, since wardriving is tightly mixed with people's habits and urban culture, the exposure to risks may vary according to where the WLAN is placed. Table 3 contains the summary.

| Attack - Detected Anomaly | Skills Needed | WLAN Affected | Security Risk | Countermeasures |
|---|---|---|---|---|
| SSID uncloak | None. Automatically done in several software | ALL | 1 | None at this level. |
In this chapter we introduced the concept of wardriving, and practices related to cracking wireless networks. As explained, cracking a WLAN is not a complex task: then, for your security you should rely on other techniques (e.g., RADIUS). In addition, by using examples, it is possible to produce your own penetration tests, as well as exercises to show some real world attacks to students and engineers.

Acknowledgment

The author wishes to thank Prof. Franco Davoli for the technical suggestions and the thorough review, and Eng. Sergio Bellisario for the technical review.

References

Ferro, E., & Potortì, F. (2005, February). Bluetooth and Wi-Fi wireless protocols: A survey and a comparison. IEEE Wireless Communications, 12-26.

Newsham, T. (2003). Applying known techniques to WEP keys. Retrieved December 12, 2006, from http://www.lava.net/~newsham/wlan/WEP_password_cracker.pdf

Pollard, D. (2002). Write here, Right now. Retrieved December 12, 2006, from http://news.bbc.co.uk/1/hi/in_depth/sci_tech/2000/dot_life/2070176.stm

Schneier, B. (1996). Applied cryptography: Protocols, algorithms, and source code (2nd ed.). John Wiley & Sons.

Shipley, P. M. (2000). Peter M. Shipley personal homepage. Retrieved December 12, 2006, from http://www.dis.org/shipley/

Active Mode: Active mode is an operative mode where scanning is done via probe packets. As a consequence, the scanner does not remain undetected.

MAC Address Filtering: MAC address filtering is a technique that allows/denies network accesses only for a predefined MAC address.

MAC Spoofing: MAC spoofing is changing the MAC of the L2 interface. Typically it is employed to by-pass MAC address filtering.

Packet Injection: Packet injection is the activity of inserting a packet in a network for some purpose. For instance, when attacking a WEP-protected network, to stimulate the traffic production to get more data to be analyzed.

rfmon: rfmon is an operative mode of IEEE 802.11-based air interfaces that allows scanning for access points while remaining undetectable, since the card does not send any probe packets.

Wardriving: Wardriving is the activity of "driving around, looking for wireless networks."

Wired Equivalent Privacy (WEP): WEP is an encryption mechanism with many security flaws. Recognized as a real security issue, it has been replaced by wireless protected access (WPA).

Endnotes

1. However, if raw frames are supported by the internal chipset, you can always build your own tools and enabling drivers by investigating the data-sheets.

2. Many OSes or firmware clear the ARP cache upon disconnection. Then, it could be useful to use a more "aggressive" strategy, as suggested in aircrack documentation.
Chapter VI
Intrusion and Anomaly
Detection in Wireless Networks
Amel Meddeb Makhlouf
University of the 7th of November at Carthage, Tunisia
Noureddine Boudriga
University of the 7th of November at Carthage, Tunisia
Abstract
The broadcast nature of wireless networks and the mobility features created new kinds of intrusions and
anomalies taking profit of wireless vulnerabilities. Because of the radio links and th
features of wireless networks, wireless intrusions are more complex because they add to the intrusions
developed for wired networks, a large spectrum of complex attacks targeting wireless environment. These
intrusions include rogue or unauthorized access point (AP), AP MAC spoofing, and wireless denial of
service and require adding new techniques and mechanisms to those approaches detecting intrusions
targeting wired networks. To face this challenge, some researchers focused on extending the deployed
approaches for wired networks while others worked to develop techniques suitable for detecting wireless
intrusions. The efforts have mainly addressed: (1) the development of theories to allow reasoning about
detection, wireless cooperation, and response to incidents; and (2) the development of wir
and anomaly detection systems that incorporate wireless detection, preventive mechanisms and tolerance
functions. This chapter aims at discussing the major theories, models, and mechanisms developed for
the protection of wireless networks/systems against threats, intrusions, and anomalous behaviors. The
objectives of this chapter are to: (1) discuss security problems in a wireless environme
the current research activities; (3) study the important results already developed by r
discuss the validation methods proposed for the protection of wireless networks against attacks.
can belong to two categories of attacks. The first category targets the fixed part of the wireless network, such as MAC spoofing, IP spoofing, and denial of service (DoS); and the second category of these attacks targets the radio part of the wireless network, such as the access point (AP) rogue, noise flooding, and wireless network sniffing. The latter attacks are more complex because they are hard to detect and to trace-back.

To detect such complex attacks, the WIDS deploys approaches and techniques provided by intrusion detection systems (IDS) protecting wired networks. Among these approaches, one can find the signature-based and anomaly based approaches. The first approach consists in matching user’s patterns with stored attack’s patterns (or signatures). The second approach aims at detecting any deviation of the “normal” behavior of the network entities. The deployment of the aforementioned approaches in a wireless environment requires some modifications. The signature-based approach in wireless networks may require the use of a knowledge base containing the wireless attack signatures while an anomaly based approach requires the definition of profiles specific to wireless entities (mobile users and AP). Recently, efforts have focused on wireless intrusion detection to increase the efficiency of WIDS. Based on these efforts, models and architectures have been discussed in several research works.

The objective of this chapter is to discuss the major research developments in wireless intrusion detection techniques, models, and proposed architectures. Mainly, the chapter will: (1) discuss security problems in wireless environments; (2) present current research activities; (3) study important results already developed; and (4) discuss validation methods proposed for WIDS. The remaining part is organized as follows: The next section discusses vulnerabilities, threats, and attacks in wireless networks. The third section presents wireless intrusion and anomaly detection approaches. The fourth section introduces models proposed for detecting wireless intrusions. The fifth section presents WIDS architectures proposed by research papers. The sixth section presents the wireless distributed schemes for intrusion detection. The seventh section discusses mechanisms of prevention and tolerance provided to enhance the wireless intrusion detection. Finally, the last section concludes the chapter.

VULNERABILITIES, THREATS, AND ATTACKS IN WIRELESS NETWORKS

To present vulnerabilities, threats, and attacks targeting wireless networks, we have to discuss first the security requirements of wireless systems including those concerning security policy. This section presents the concepts of wireless intrusion, anomaly, and attack scenario in wireless networks, in order to highlight intrusion and anomaly detection requirements. In particular, it discusses some attacks and attack classification that make security in wireless systems very special.

Security Requirements in Wireless Environments

Securing a communication channel should satisfy at least the following set of requirements: integrity, confidentiality, and availability. Moreover, wireless communications require authentication of the sender or/and the receiver and techniques that guarantee non-repudiation. In the following, we discuss technical security and security policy requirements which help reduce vulnerabilities and attack damages.

Because of their technical architecture, mobile communications are targets for a large set of threats and attacks that occur in wired networks, such as identity spoofing, authorization violations, data loss, modified and falsified data units, and repudiation of communication processes. Additionally, new security requirements and additional measures for wireless networks have to be added to the security requirements of wired networks (Schäfer, 2003). Vulnerabilities, threats, and attacks existing in wireless networks represent a greater potential risk for wireless networks. One among technical requirements is the enforcement of security of the wireless links, because of the ease of gaining direct physical accesses. Moreover, new difficulties can arise in providing wireless security services. For example, the authentication of a mobile device has to be verified by (or for) all AP (or base station [BS]) under which the mobile changes its localization. Because of the handover, respective entities cannot be determined in advance, so the key management process is more complicated. Also, the difference with wired networks, in terms of confidentiality of mobile device location, reveals a number of threats against mobile communications. This appears because of the following conflict: On one hand, each mobile should be reachable for incoming communication requests while, on the other hand, any network entity should be able to get the current location of a mobile device in the network (Schäfer, 2003).

Wireless Vulnerabilities and Threats

A vulnerability is a weakness (or fault) in the communication medium or a protocol that allows compromising the security of the network component. Most of the existing vulnerabilities in the wireless medium are caused by the medium. Because transmissions are broadcast, they are easily available to anyone who has the appropriate equipment. Particular threats of the wireless communication are device theft, malicious hacker, malicious code, theft of service, and espionage (Boncella, 2006). There are numerous wireless vulnerabilities and threats that are studied in the literature, for the purpose of detecting attacks exploiting them. In the following, we distinguish two categories of vulnerabilities and threats: those existing in LAN-like wireless networks (WLAN) and those existing in cellular-like wireless networks (Hutchison, 2004).

WLAN Vulnerabilities and Threats

The following are typical vulnerabilities existing in the main component of WLAN, which is the AP.

• Signal range of an authorized AP: This vulnerability is about the possibility of the extension of AP signal strength beyond a given perimeter. Consequently, the AP’s placement and signal strength have to be adapted to make sure that the transmitting coverage is just enough to cover the correct area.
• Physical security of an authorized AP: Because most APs are mounted by default, their placement is critical. An AP has to be correctly placed in order to avoid accidental damage, such as direct access to the physical network cable. To protect physically the access to the AP, many solutions were proposed; but all of them require a mandatory policy.
• Rogue AP: This vulnerability is a sort of man-in-the middle attack, where an attacker can place an unauthorized (or rogue) AP on the network and configure it to look legitimate to gain access to wireless user’s sensitive data. This can be done because user’s devices need to be connected to the strongest available AP signal.
• The easy installation and use of an AP: In order to use the advantages of internal networks, employees can introduce an unauthorized wireless network. The easy installation and configuration of the AP make this feasible for legitimate or illegitimate users.
• The AP configuration: If the AP is poorly configured or unauthorized, then it can provide an open door to hackers. This is caused by using a default configuration that annihilates the security controls and encryption mechanisms.
• Protocol weaknesses and capacity limits on authorized AP’s: These limitations can cause DoS from hackers using unauthorized AP’s when they can flood authorized AP with traffic forcing them to reboot or deny accesses.

Some of the attacks exploiting the aforementioned vulnerabilities are discussed in the following section of this chapter.
Detecting a large set of attacks by a WIDS requires studying and developing the attacker’s methods and strategies. We discuss in this subsection the typical attacks and malicious events that can be detected by a WIDS (Hiltunen, 2004; Vladimirov, Gavrilenko, & Mikhailovsky, 2004).

• Probing and network discovery: This attack aims to identify various wireless targets. It uses two forms of probing: active and passive. Active probing involves the attacker actively sending probe requests with no identification using the SSID configured in order to solicit a probe response with SSID information and other information from any active AP. When an attacker uses passive probing, he is listening on all channels for all wireless packets, thus the detection capability is not limited by the transmission power (Low, 2005).
• Inspection: The attacker can inspect network information using tools like Kismet and Airodump (Low, 2005). He could identify MAC addresses, IP address ranges, and gateways.

Wireless Spoofing

Spoofing purpose is to modify identification parameters in data packets. New values of selected parameters can be collected by sniffing. Typical spoofing attacks include:

• MAC address spoofing: MAC spoofing aims at changing the attacker’s MAC address by the legitimate MAC address. This attack is made easy to launch because some client-side software allows the user to view their MAC addresses.
• IP spoofing: IP spoofing attempts to change source or destination IP addresses by talking directly with the network device. IP spoofing is used by many attacks. For example, an attacker can spoof the IP address of host A by sending a spoofed packet to host B announcing the window size equal to 0; though, it originated from B (Mateli, 2006).
• Frame spoofing: The attacker injects frames having the specification 802.11 with spoofed containing. Due to the lack of authentication, spoofed frames cannot be detected.

Man in the Middle Attacks

This attack attempts to insert the attacker in the middle (man in the middle [MITM]) of a communication for purposes of intercepting client’s data and modifying them before discarding them or sending them out to the real destination. To perform this attack, two steps have to be accomplished. First, the legitimate AP serving the client must be brought down to create a “difficult to connect” scenario. Second, the attacker must set up an alternate rogue AP with the same credentials as the original for purposes of allowing the client to connect to it. Two main forms of the MITM exist: eavesdropping and manipulation. Eavesdropping can be done by receiving radio waves on the wireless network, which may require a sensitive antenna. Manipulation requires not only having the ability to receive the victim’s data but also being able to retransmit the data after changing it.

Denial of Service Attacks

DoS attacks can target different network layers as explained in the following:

• Application layer: DoS occurs when a large amount of legitimate requests are sent. It aims to prevent other users from accessing the service by forcing the server to respond to a large number of request’s transactions.
• Transport layer: DoS is performed when many connection requests are sent. It targets the operating system of the victim’s computer. The typical attack in this case is a SYN flooding.
• Network layer: DoS succeeds, if the network allows to associate clients. In this case, an attacker can flood the network with traffic to deny access to other devices. This attack could consist of the following tasks:
  - The malicious node participates in a route but simply drops several data packets. This causes the deterioration of the connection (Gupta, Krishnamurthy, & Faloutsos, 2002).
  - The malicious node transmits falsified route updates or replays stale updates. These might cause route failures thereby deteriorating performance.
  - The malicious node reduces the time-to-live (TTL) field in the IP header so that packets never reach destinations.
• Data link layer: DoS targeting the link layer can be performed as follows:
  - Since we assume that there is a single channel that is reused, keeping the channel busy in the node leads to a DoS attack at that node.
  - By using a particular node to continually relay spurious data, the battery life of that node may be drained. An end-to-end authentication may prevent these attacks from being launched.
• Physical layer: This kind of DoS can be executed by emitting a very strong RF interference on the operating channel. This will cause interference to all wireless networks that are operating at or near that channel.

WIRELESS INTRUSION AND ANOMALY DETECTION

This section discusses the major security solutions provided for wireless networks. In particular, the cases of WLAN and ad hoc networks will be addressed. The discussed methods include the radio frequency fingerprinting, cluster-based detection, mobile devices monitoring, and mobile profile construction.

Basic Techniques for Detection

Wireless intrusion detection protects wireless networks against attacks, by monitoring traffic and generating alerts. Two ways of detection are distinguished: signature based and anomaly based. The first category aims at detecting known attacks by looking for their signatures. The main disadvantage of such approaches is that they detect only known attacks. The anomaly based approaches are not often implemented, mostly because of the high amount of false alarms that have to be managed, losing a large amount of time. Anomaly based detection develops a baseline of the way of considering normal traffic. When abnormal traffic is detected, an alert is generated. The advantage of such an approach is that it can capture unknown attacks.

To take from the advantages of the previous two approaches, the hybrid approach consists in using the two approaches simultaneously in the same system. To be efficient, intrusion detection approaches have to be run online and in real time. Otherwise, the use of intrusion detection technique is useful for audit or postmortem digital investigation and it will not prevent an attack on time. Real-time intrusion detection has to be able to collect data from the network in order to store, analyze and correlate them, which can decrease network performance (Hutchison, 2004).

Wireless Detection Approaches

The main objective of wireless detection is to protect the wireless network by detecting any deviation with respect to the security policy. This can be done by monitoring the active components of the wireless network, such as the APs (Hutchison, 2004). Generally, the WIDS is designed to monitor and report on network activities between communicating devices. To do this, the WIDS has to capture and decode wireless network traffic. While some WIDSs can only capture and store wireless traffic, other WIDSs can analyze traffic and generate reports. Other WIDSs are able to analyze signal fingerprints, which can be useful in detecting and tracking rogue AP attack. As it is done for wired networks, the following classifications of IDSs can be distinguished according to several dimensions: the approach (signature based/anomaly based); the monitored system (network-based/host-based); and the way of response (active/passive).

Mobile Profiles Construction

The main objectives when using the anomaly based approach are to define user mobility profiles (UMPs) and design an appropriate system that permits the detection of any deviation with respect to UMP. The intrusion detection process begins with the data collection processing. Once the user location coordinates (LCs) are determined, a high-level mapping (HLM) is applied. The objective of the HLM is to decrease the granularity of the data in order to accommodate minor deviations or intra-user variability between successive location broadcasts. LCs features are extracted from each broadcast during feature extraction. A set of these chronologically ordered LCs are subsequently concatenated to define a mobility sequence (Hall, Barbeau, & Kranakis, 2005). This process continues until the creation of the mobility sequences. The training patterns from the first four of the six data set partitions are stored in the UMP, along with other user-related information. During the classification phase, a set of user mobility sequences are observed and compared to the training patterns in the user’s profile to evaluate the similarity measure to profile (SMP) parameter. If the average of the SMP value exceeds predefined thresholds, then the mobility sequences are considered abnormal and an alert is generated (Hall et al., 2005).

The following parameters are defined for the mobility profiles: (1) the identifier representing the user identification; (2) the training patterns characterizing the user mobility behavior; (3) the window size representing the mobility sequence numbers (SN).

client within this list trying to access the network would be automatically denied and an alert can be sent off.
• All wireless clients with an “illegal” MAC address (MAC address ranges, which have not been allocated) are automatically denied access and an alert is sent off.
• A wireless client that just sends out probe requests or special distinguishable data packets after the initial probe request has not been authenticated can be flagged out as potential network discovery attack.
• Usually, when impersonation attacks are ongoing, the attacker will take on the MAC/IP address of the victim, but it will not be able to continue with the SN used previously by the victim. Thus, by monitoring the SN in these packets, potential impersonators could be identified.

Radio Frequency Fingerprinting (RFF)
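Returning to the last rule of the monitoring list above (an impersonator cannot continue the victim's SN), the following added example, which is not code from the chapter or from any WIDS product, tracks the sequence number per transmitter address and raises an alert when it jumps repeatedly within a short window. It assumes that SN means the 12-bit 802.11 frame sequence number and that captured frames are already parsed into records; the class names, thresholds, addresses and sample frames are constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

SN_MODULUS = 4096  # assumption: SN is the 12-bit 802.11 sequence number


@dataclass(frozen=True)
class Frame:
    ts: float            # capture time in seconds
    src: str             # transmitter MAC address as seen on the air
    sn: int              # sequence number from the Sequence Control field
    retry: bool = False  # Retry bit: a retransmission legitimately repeats the SN


def forward_gap(prev_sn: int, cur_sn: int) -> int:
    """Distance from prev_sn to cur_sn counting forward, with wraparound."""
    return (cur_sn - prev_sn) % SN_MODULUS


class SequenceMonitor:
    """Flags an address whose SN jumps several times within a short window.

    One jump alone is treated as benign (a station that reboots or
    re-associates restarts its counter). Two transmitters sharing one
    address keep two independent counters, so the observed SN keeps
    jumping back and forth between them.
    """

    def __init__(self, max_gap: int = 64, min_anomalies: int = 3,
                 window: float = 10.0):
        self.max_gap = max_gap              # frames the sensor may plausibly miss
        self.min_anomalies = min_anomalies  # jumps needed before alerting
        self.window = window                # seconds over which jumps are counted
        self._last_sn = {}
        self._anomaly_times = defaultdict(deque)

    def observe(self, frame: Frame) -> bool:
        """Process one frame; return True if the address should be alerted on."""
        prev = self._last_sn.get(frame.src)
        self._last_sn[frame.src] = frame.sn
        if prev is None:
            return False                    # first frame seen from this address
        gap = forward_gap(prev, frame.sn)
        if gap == 0 and frame.retry:
            return False                    # retransmission of the same frame
        if 1 <= gap <= self.max_gap:
            return False                    # normal progression, wraparound included
        times = self._anomaly_times[frame.src]
        times.append(frame.ts)
        while frame.ts - times[0] > self.window:
            times.popleft()                 # forget jumps older than the window
        return len(times) >= self.min_anomalies


def find_suspected_impersonation(frames, **settings):
    """Return {address: time of first alert} for a batch of captured frames."""
    monitor = SequenceMonitor(**settings)
    first_alert = {}
    for frame in sorted(frames, key=lambda f: f.ts):
        if monitor.observe(frame) and frame.src not in first_alert:
            first_alert[frame.src] = frame.ts
    return first_alert


# Constructed sample capture (locally administered addresses, not real devices).
STATION_A = "02:00:00:00:00:0a"  # counter wraps from 4095 to 0, one retransmission
STATION_B = "02:00:00:00:00:0b"  # counter restarts once (reboot)
STATION_C = "02:00:00:00:00:0c"  # a second transmitter also uses this address

SAMPLE_FRAMES = [
    Frame(0.0, STATION_A, 4094), Frame(0.1, STATION_A, 4095),
    Frame(0.2, STATION_A, 0), Frame(0.3, STATION_A, 1),
    Frame(0.4, STATION_A, 1, retry=True), Frame(0.5, STATION_A, 2),
    Frame(1.0, STATION_B, 500), Frame(1.1, STATION_B, 501),
    Frame(1.2, STATION_B, 3), Frame(1.3, STATION_B, 4), Frame(1.4, STATION_B, 5),
    Frame(2.0, STATION_C, 100), Frame(2.1, STATION_C, 101),
    Frame(2.2, STATION_C, 2900), Frame(2.3, STATION_C, 102),
    Frame(2.4, STATION_C, 2901), Frame(2.5, STATION_C, 103),
    Frame(2.6, STATION_C, 2902),
]

if __name__ == "__main__":
    for address, ts in find_suspected_impersonation(SAMPLE_FRAMES).items():
        print(f"possible impersonation of {address}, first alert at t={ts}s")
```

Requiring several jumps inside the window is what keeps the single counter restart of the second station from producing a false alarm.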
special type of node, called the cluster head (CH) to monitor traffic within its cluster. It not only manages its own cluster, but also communicates with other clusters for cooperative detection and response. It maintains information of every member node (MN) and neighbor clusters. The cluster management responsibility is rotated among the cluster members for load balancing and fault tolerance and must be fair and secure. This can be achieved by conducting regular elections (Samad et al., 2005). Every node in the cluster must participate in the election process by casting their vote showing their willingness to become the CH. The node showing the highest willingness, by proving the set of criteria, becomes the CH until the next timeout period.

Intrusion Detection Architecture

Because ad hoc networks lack centralized audit points, it is necessary to use the IDS in a distributed manner. This also helps reduce computation and memory overhead on nodes. The proposed clustering algorithm in Samad et al. (2005) can be related to the intrusion detection process as partial analysis of the incoming traffic is done at the CH and the rest of the analysis is done at the destination node. Traffic analysis at the CH and packet analysis at the MN is helpful in reducing processing at each node. If a malicious activity is found by the CH, it informs its members and the neighboring clusters to take a set of actions. It is the responsibility of CH to obtain help from and/or inform the MNs and neighboring clusters for a particular intrusion. Undecided node (UD) performs its own audit and analysis; however, it performs partial analysis immediately after becoming a CH or MN. Intrusion detection techniques can be anomaly based or signature based.

The host-based IDS (HIDS) observes traffic at individual hosts, while network-based IDS (NIDS) are often located at various points along the network. Since centralized audit points are not available in ad hoc networks, NIDSs cannot be used. Alternatively, if every host starts monitoring intrusions individually such as in HIDS, a lot of memory and processing will be involved. Therefore, a distributed approach is used to perform monitoring, where both CH and MN collect audit data.

A flow model of intrusion detection architecture of cluster-based intrusion detection (CBID) is illustrated by Figure 2, which consists of four modules. Information collected during the training phase in the logging module is transferred to the intrusion information module to perceive a threshold value for the normal traffic. If it is the case, an alert is generated by the intrusion response module.

• Logging: The CH captures and logs all the traffic transferred through its radio range. It keeps the necessary fields and the data related to traffic such as number of packets sent, received, forwarded, or dropped in a database. The traffic can either be data traffic or control traffic. These logs can be helpful for the detection of many attacks, such as blackhole, wormhole, sleep deprivation, malicious flooding, packet dropping, and so forth.
• Intrusion information: If signature-based detection is used, every node must maintain a database that contains all the intrusion signatures. For anomaly based detection, the anomalous behaviors must also be well defined.
• Intrusion detection: By this module, the node detects intrusions by analyzing and comparing the traffic patterns with the normal behavior. If an anomaly is found, the CH generates an alarm and increases the monitoring level and analyzes the traffic in more detail to find out the attack type and identity of the attacker.
• Intrusion response: To inform about detected intrusions, nodes generate alerts. They also can provide responses to react against them.

DETECTION MODELS

To enhance IDS efficiency, theories and models have been developed to cope with intrusion correlation; action tracking and packet marking; digital investigation using evidences based on alerts; and attack reconstruction in wireless environments. The evidence is defined as a set of relevant information about the network state (Aime, Calandriello, & Lioy, 2006).

Intrusion and Anomaly Detection Model Exchange

This section discusses the anomaly model used in mobile ad hoc networks (MANET). It is based on the model distribution and model profiling and aggregation.

Model Distribution

Due to the lack of battery power or computation ability, MANET’s model is required. Depending on the node location performing intrusion detection, the following distribution models can be adopted (Cretu, Parekh, Wang, & Stolfo, 2006):

• In the case of generating anomalies, training can be done by MANET nodes: (1) if the MANET nodes have WAN connectivity, the node can initiate download requests to obtain the latest model from the server; and (2) without WAN connectivity, MANET nodes can be initialized before deployment, where the default model is used.
• Another model consists in deploying a more powerful MANET node with sufficient processing and battery power to perform anomaly training. The node would listen promiscuously to all visible traffic on the MANET, generate anomalies, and distribute them to the peers.
• Use a pre-computed anomaly model. This scenario is worst case, but can be practical in situations where the MANET’s behavior is well-defined and follows a standard protocol definition.

Model Aggregation/Profiling

The aggregation model previously used in MANETs for alerts demonstrated that, by integrating security-related information at the protocol level from a wider area, the false positive rate and the detection rate can be improved (Cretu et al., 2006).

In addition, model aggregation enables peers to determine whether or not to communicate with a particular node n1. If the peers’ models are very similar to those used by n1, it suggests that the node is performing similar tasks. A node with a dissimilar model is considered as suspicious and has a malicious content. For example, a node sending out worm packets will generate a substantially different content distribution. This can be done via comparison (Cretu et al., 2006).

Anomaly Based Detection Models

In this section, we discuss how to build anomaly detection models for wireless networks. Detection based on different kinds of activities may differ in the format and the amount of available audit data as well as the modeling algorithms. However, we admit that the principle behind the approaches will be the same. Therefore, we discuss in this section only one of these approaches, which is based on a routing protocol (Zhang, Lee, & Huang, 2003):

Building an Anomaly Detection Model

This method uses information-theoretic measures, namely, entropy and conditional entropy, to describe normal information flows and use classification algorithms to build anomaly detection models. When constructing a classifier, features with high information gain or reduced entropy are needed. Therefore, a classifier needs feature value tests to partition the original dataset into low entropy subsets. Using this framework, the following procedure for anomaly detection is applied (Zhang et al., 2003): (1) select audit data so that the normal dataset has low entropy; (2) perform appropriate data transformation according to the entropy measures; (3) compute classifier using training data; (4) apply the classifier to test data; and (5) post-process alarms to produce intrusion reports.

Detecting Abnormal Updates to Routing Tables

The main requirement of an anomaly detection model used by IDSs is a low false positive rate, calculated as the percentage of legitimate behavior variations detected as anomalies. Since the main concern for ad hoc routing protocols is that the false routing information generated by a compromised node will be disseminated to and used by the other nodes, the trace data can be designed for each node. A routing table contains, at the minimum, the next hop and the distance in hop number. A legitimate change in the routing table can be caused by the physical node movement or network membership changes. For a node, its own movement and the change in its own routing table are the only reliable and trustable information. Hence, data on the node’s physical movements and the corresponding change in its routing table are used as the basis of the trace data. The physical movement is measured mainly by distance and velocity. The routing table change is measured mainly by the percentage of changed routes (PCR), the percentage of changes in the sum of hops of all the routes (PCH), and the percentage of newly added routes (Zhang et al., 2003). These measurements are used because of the dynamic nature of mobile networks. The normal profile on the trace data specifies the correlation of physical movements of the node and the changes in the routing table.

Classification rules for PCR and PCH describe normal conditions of the routing table. These rules can be used as normal profiles. Checking an observed trace data record with the profile involves applying the classification rules to the record. Therefore, repeated trials may be needed before a good anomaly detection model is produced.

Detecting Abnormal Activities in Other Layers

Detecting anomalies for other entities of the wireless networks such as MAC protocols, or entities provided by the network (applications and services) follows a similar approach as in the physical layer. For example, the trace data for MAC protocols can contain the following features: for the past s seconds, the total number of channel requests, the total number of nodes making the requests, the largest, the mean, and the smallest of all the requests. The class can be the range of the current requests by a node. A classifier on this trace data describes the normal context of a request. An anomaly detection model can then be computed, as a classifier or clusters, from the deviation data. Similarly, at the mobile application layer, the trace data can use the service as the class (Zhang et al., 2003).

WIRELESS INTRUSION DETECTION SYSTEM ARCHITECTURES

This section discusses the proposed models, architectures, and methods to validate the used approaches.

Wireless Intrusion Tracking System

The wireless intrusion tracking system (WITS) deploys the Linksys WRT54G AP, Linux and other open source tools in order to track wireless intruders in a wireless cell. A WITS is designed to minimize the effect of the attacks against wireless networks. It combines technologies to produce a system that allows real-time tracking of intruders and extensive forensic data gathering (Valli, 2004).

• Sacrificial access points (SAP): WITS uses the concept of SAPs, which acts as a wireless honeypot and forensic logging device. The used SAP has conventional wired Ethernet capability. Its functionality is severely limited for deployment as a honeypot device. However, it permits the installation of customized firmware, which allows the reduction of installed facilities used as part of the routing and AP functionality for the WRT54G. The firmware can be upgraded to patch any new vulnerabilities or weaknesses. To be successful, the system must retain large, extensive and multiple log files that contain system statistics and sufficient network related data for forensic reconstruction of any traffic. The used data are data located in honeypot log files, snort data, and data provided by traffic analysis. The data in honeypot log files will indicate the level of probing and malicious activity. Traffic analysis provides an extensive analysis of the intruder activity.
• Tracking the intruder: Wireless intruders have the ability to be mobile and are not constrained to use predefined channels, which make them difficult to track. Furthermore, wireless attackers can manipulate layer 1 and layer 2 of the OSI model to mask activities and subsequent detection. WITS uses GPS techniques to locate and track intruders within the wireless cell. The resultant GPS data will be stored for later analysis or used by an immediate location process of the attacking device.

Agent-based IDS for Ad Hoc Wireless Networks

This section introduces a multi-sensor IDS that employs a cooperative detection algorithm. A mobile agent implementation is chosen to support the wireless IDS features such as sensor mobility and intelligent routing of intrusion data throughout the network.

Modular IDS Architecture

The proposed IDS is built on a mobile agent framework. It employs several sensor types that perform specific functions, such as:

• Network monitoring: Only certain nodes will have sensor agents for network monitoring, in order to preserve the total computational power and the battery power of mobile hosts.
• Host monitoring: Every node on the ad hoc network will be monitored internally by a host-monitoring agent. This includes monitoring system-level and application-level operations.
• Decision-making: Every node will decide on the intrusion threat level on a host-level basis. Specific nodes will collect intrusion information and make collective decisions about intrusion level.
• Reacting: Every node can react in order to protect the host against detected attacks. Reactions can be predefined at that node.

To minimize power consumption and IDS-related processing time, the IDS must be distributed. A hierarchy of agents can be used to this end. A hierarchy of agents is composed of three agent classes, which are the monitoring agents, decision-making agents, and action agents. Some are present on all mobile hosts, while others are distributed to only selected nodes (Kachirski & Guha, 2003). Cluster heads, for example, are the typical nodes implementing the monitoring agents. The node selection is naturally dependent on the security requirements imposed to the mobile nodes.

Intrusion Response

The nature of an intrusion response for ad hoc networks depends on the intrusion type and the network protocols and applications types. Examples of responses can be:
(destination, source, and immediate sender). Destination is the node ID of the destination node, source is the node ID of the node that created this data packet, and immediate sender is the ID of the node that just forwarded this packet. Once the data packet is received, a node searches for a matching entry in its forwarding table. If it finds a match, then it forwards the data packet (Deng et al., 2005).
Conclusion
We have shown in this chapter that WIDSs have an important role in securing the network by protecting its entities against intrusions and misuse. The protection is performed based on models capable of providing a framework for the description and correlation of attacks. Research works have focused on the development of techniques, approaches, and mechanisms, and WIDS architectures. Architectures include radio frequency fingerprinting, cluster-based detection, mobile devices monitoring, and mobile profile construction. Wireless intrusion prevention and tolerance are also discussed in this chapter; and systems such as INSENS are developed. In addition, we have shown that several challenges need to be addressed to enhance the efficiency of WIDSs.
References
Ahmed, E., Samad, K., & Mahmood, W. (2006). Cluster-based intrusion detection (CBID) architecture for mobile ad hoc networks. In Proceedings of AusCERT Asia Pacific Information Technology Security Conference (AusCERT), Asia.
Aime, M. D., Calandriello, G., & Lioy, A. (2006, June 26-29). A wireless distributed intrusion detection system and a new attack model. In Proceeding of the 11th Symposium in Computers and Communications (pp. 35-40). Italy.
Barbeau, M., Hall, J., & Kranakis, E. (2006, October 4-6). Detection of rogue devices in Bluetooth networks using radio frequency fingerprinting. In Proceedings of the 3rd IASTED International Conference on Communications and Computer Networks. Lima, Peru.
Boncella, R. J. (2006). Wireless threats and attacks. In H. Bidgoli (Ed.), Handbook of information security (pp. 165-175). John Wiley & Sons.
Cretu, G. F., Parekh, J. J., Wang, K., & Stolfo, S. J. (2006, January 10-12). Intrusion and anomaly detection model exchange for mobile ad-hoc networks. In The third IEEE Consumer Communications & Networking Conference (CCNC).
Deng, J., Han, R., & Mishra, S. (2003, May). INSENS: Intrusion-tolerant routing in wireless sensor networks. In The 23rd IEEE International Conference on Distributed Computing Systems (ICDCS). Providence.
Deng, J., Han, R., & Mishra, S. (2004, June 28-July 1). Intrusion tolerance and anti-traffic analysis strategies for wireless sensor networks. In Proceedings of the 2004 International Conference on Dependable Systems and Networks (DSN'04) (pp. 637-646). Italy.
Deng, J., Han, R., & Mishra, S. (2005). INSENS: Intrusion-tolerant routing for wireless sensor networks. [Special issue]. Computer Communications Journal, 29(2), 216-230.
Farshchi, J. (2003). Wireless policy development (part 1 & 2), Security focus. Retrieved from http://www.securityfocus.com/print/infocus/1732 Retrieved from http://www.securityfocus.com/print/infocus/1735
Gupta, V., Krishnamurthy, S., & Faloutsos, M. (2002, October). Denial of service attacks at the MAC layer in wireless ad hoc networks. Anaheim, CA: MILCOM—Network Security.
Hall, J., Barbeau, M., & Kranakis, E. (2005, February 3-4). Using mobility profiles for anomaly-based intrusion detection in mobile networks. Paper presented at the 12th Annual Network and Distributed System Security Symposium, San Diego, CA.
Hutchison, K. (2004). Wireless intrusion detection systems. Retrieved October 18, 2004 from http://www.sans.org/reading_room/whitepapers/wireless/
Kachirski, O., & Guha, R. (2003, January 6-9). Effective intrusion detection using multiple sensors in wireless ad hoc networks. In Proceedings of the 36th Hawaii International Conference on System Sciences (HICSS'03). Hawaii.
Low, C. (2005). Understanding wireless attacks & detection. Retrieved April 2005, from http://www.hackerscenter.com/public/Library/782_wireattacks.pdf
Mateli, P. (2006). Hacking techniques in wireless networks. In H. Bidgoli (Ed.), Handbook of information security (pp. 83-93). John Wiley & Sons.
Nichols, R. K., & Lekkas, P. C. (2002). Telephone system vulnerabilities. McGraw-Hill.
Phifer, L. (2006). Wireless attacks, A to Z. Retrieved April 10, 2006, from http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1167611,00.html
Samad, K., Ahmed, E., & Mahmood, W. (2005, September 15-17). Simplified clustering approach for intrusion detection in mobile ad hoc networks. In 13th International Conference on Software, Telecommunications and Computer Networks (SoftCOM 2005). Split, Croatia.
Schäfer, G. (2003). Security in fixed and wireless networks, An introduction to securing data communications. John Wiley and Sons.
Valli, C. (2004, June 28-29). WITS—Wireless intrusion tracking system. 3rd European Conference on Information Warfare and Security. UK.
Vladimirov, A. A., Gavrilenko, K. V., & Mikhailovsky, A. A. (2004). Counterintelligence: Wireless IDS systems. In WI-Foo: The secrets of wireless hacking (pp. 435-456). Pearson/Addison-Wesley.
Zhang, Y., Lee, W., & Huang, Y. (2003). Intrusion detection techniques for mobile wireless networks. Wireless Networks Journal, 9(5), 545-556.
Key Terms
Access Point (AP): Access point is the base station in a wireless LAN. APs are typically stand-alone devices that plug into an Ethernet hub or switch. Like a cellular phone system, users can roam around with their mobile devices and be handed off from one AP to the other.
Ad Hoc Networks: Ad hoc networks are local area networks or other small networks, especially ones with wireless or temporary plug-in connections, in which some of the network devices are part of the network only for the duration of a communications session or, in the case of mobile or portable devices, while in some close proximity to the rest of the network.
Intrusion Prevention System (IPS): IPS is the software that prevents an attack on a network or computer system. An IPS is a significant step beyond an intrusion detection system (IDS), because it stops the attack from damaging or retrieving data. Whereas an IDS passively monitors traffic by sniffing packets off a switch port, an IPS resides inline like a firewall, intercepting and forwarding packets. It can thus block attacks in real time.
Intrusion Tolerance: Intrusion tolerance is the ability to continue delivering a service when an intrusion occurs.
Wireless Attack: A wireless attack is a malicious action against wireless system information or wireless networks; examples can be denial of service attacks, penetration, and sabotage.
Wireless Intrusion Detection System (WIDS): The WIDS is the software that detects an attack on a wireless network or wireless system. A network IDS (NIDS) is designed to support multiple hosts, whereas a host IDS (HIDS) is set up to detect illegal actions within the host. Most
Chapter VII
Peer-to-Peer (P2P)
Network Security:
Firewall Issues
Lu Yan
University College London, UK
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Figure 1. Problem definition
in the formalism. An action system is an iterative composition of actions. The action systems framework is used as a specification language and for the correct development of distributed systems.
Object-oriented (OO)-action system is an extension to the action system framework with OO support. An OO-action system consists of a finite set of classes, each class specifying the behavior of objects that are dynamically created and executed in parallel. The formal nature of OO-action systems makes it a good tool to build reliable and robust systems. Meanwhile, the OO aspect of OO-action systems helps to build systems in an extendable way, which will generally ease and accelerate the design and implementation of new services or functionalities. Furthermore, the final set of classes in the OO-action system specification is easy to be implemented in popular OO languages like Java, C++ or C#.
In this chapter, however, we skip the details of semantics of action systems (Back & Sere, 1996) and its OO extension (Bonsangue, Kok, & Sere, 1998).
Gnutella Network
will in turn announce to all its neighbors C, D, E, and F that A is alive. Those computers will recursively continue this pattern and announce to their neighbors that computer A is alive. Once computer A has announced that it is alive to the rest of the members of the P2P network, it can then search the contents of the shared directories of the P2P network.
Search requests are transmitted over the Gnutella network in a decentralized manner. One computer sends a search request to its neighbors, which in turn pass that request along to their neighbors, and so on. Figure 2 illustrates this model. The search request from computer A will be transmitted to all members of the P2P network, starting with computer B, then to C, D, E, F, which will in turn send the request to their neighbors, and so forth. If one of the computers in the P2P network, for example, computer F, has a match, it transmits the file information (name, location, etc.) back through all the computers in the pathway towards A (via computer B in this case). Computer A will then be able to open a direct connection with computer F and will be able to download that file directly from computer F.
Figure 3. Unidirectional firewall
where on the higher level, we have components of a new router
{<Router, R>, <PingPongRouter, Rc>, <QueryRouter, Rl>, <PushRouter, Rf>}.
A servent can request a file push by routing a Push request back to the servent that sent the QueryHit descriptor describing the target file. The servent that is the target of the Push request should, upon receipt of the Push descriptor, attempt to establish a new TCP/IP connection to the requesting servent. As specified in the refined file repository in Table 2, when the direct connection is established, the firewalled servent should immediately send a HTTP GIV request with requestIP, filename and destinationIP information, where requestIP and destinationIP are IP address information of the firewalled servent and the target servent for the Push request, and filename is the requested file information. In this way, the initial TCP/IP connection becomes an outbound one, which is allowed by unidirectional firewalls. Receiving the HTTP GIV request, the target servent should extract the requestIP and filename information, and then construct an HTTP GET request with the above information. After that, the file download process is identical to the normal file download process without firewalls. We summarize the sequence of a Push session in Figure 5.
Port-Blocking Firewalls
In corporate networks, other kinds of common firewalls are port-blocking firewalls, which usually do not grant long-time and trusted privileges to ports and protocols other than port 80 and
Figure 5. Sequence diagram of a push session
Table 2. Specification of file repository
Figure 6. Firewall architecture and extendable socket
Figure 7. Refined architecture of servent
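The Push session described above, replayed in memory as an added example that is not code from the chapter. The field names requestIP, filename and destinationIP are the chapter's; the message layout as dictionaries, the class and function names, the sample addresses and the check that a GIV must answer a Push the requester actually sent are assumptions made for the illustration.

```python
"""Push session through a unidirectional firewall, simulated in memory."""
from dataclasses import dataclass, field


class ConnectionBlocked(Exception):
    """Raised when a firewall drops a TCP connection attempt."""


@dataclass
class Servent:
    ip: str
    firewalled: bool = False                          # unidirectional: outbound only
    files: dict = field(default_factory=dict)         # filename -> content
    pending_push: set = field(default_factory=set)    # (holder ip, filename) awaited


class Network:
    """Applies each host's firewall policy and logs every connection attempt."""

    def __init__(self):
        self.log = []

    def connect(self, src, dst):
        # Inbound connections to a firewalled host are dropped; outbound ones pass.
        verdict = "DROP" if dst.firewalled else "ALLOW"
        self.log.append((src.ip, dst.ip, verdict))
        if verdict == "DROP":
            raise ConnectionBlocked(f"{src.ip} -> {dst.ip}")


def direct_download(net, requester, holder, filename):
    """Normal download: the requester opens the connection to the holder."""
    net.connect(requester, holder)
    return holder.files[filename]


def handle_giv(requester, giv):
    """Requester side: accept a GIV only if it answers a Push this servent sent."""
    key = (giv["requestIP"], giv["filename"])
    if giv["destinationIP"] != requester.ip or key not in requester.pending_push:
        raise ValueError("unsolicited GIV rejected")
    requester.pending_push.discard(key)
    # Build the GET from the requestIP and filename carried in the GIV.
    return {"method": "GET", "host": giv["requestIP"], "filename": giv["filename"]}


def push_download(net, requester, holder, filename):
    """Push session: the firewalled holder opens the connection itself."""
    # 1. The Push request travels back over the existing overlay path.
    requester.pending_push.add((holder.ip, filename))
    push = {"requestIP": holder.ip, "destinationIP": requester.ip,
            "filename": filename}
    # 2. The holder opens a new TCP connection to the requester and sends GIV.
    net.connect(holder, requester)
    giv = {"method": "GIV", **push}
    # 3. The requester validates the GIV and answers with GET on that connection.
    get = handle_giv(requester, giv)
    # 4. From here on the transfer is a normal download.
    return holder.files[get["filename"]], [push, giv, get]


def attempt(fn, *args):
    """Run one step and report ('ok', result) or ('failed', reason)."""
    try:
        return "ok", fn(*args)
    except (ConnectionBlocked, ValueError) as exc:
        return "failed", str(exc)


if __name__ == "__main__":
    net = Network()
    a = Servent("192.0.2.10")                                    # constructed
    f = Servent("198.51.100.7", firewalled=True,
                files={"report.pdf": b"constructed content"})    # constructed
    print(attempt(direct_download, net, a, f, "report.pdf"))
    print(attempt(push_download, net, a, f, "report.pdf"))
    print(net.log)
```

In the connection log the transfer appears only as an allowed outbound connection from the firewalled host, and the session fails when both servents sit behind such firewalls.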
Chapter VIII
Identity Management for
Wireless Service Access
Mohammad M. R. Chowdhury
University Graduate Center – UniK, Norway
Josef Noll
University Graduate Center – UniK, Norway
Abstract
Ubiquitous access and pervasive computing concept is almost intrinsically tied to wireless communica-
tions. Emerging next-generation wireless networks enable innovative service access in every situation.
Apart from many remote services, proximity services will also be widely available. People currently rely
on numerous forms of identities to access these services. The inconvenience of possessing and using these
identities creates significant security vulnerability, especially from network and d
wireless service access. After explaining the current identity solutions scenarios, the chapter illustrates
the on-going efforts by various organizations, the requirements and frameworks to develop an innovative,
easy-to-use identity management mechanism to access the future diverse service worlds. The chapter
also conveys various possibilities, challenges, and research questions evolving in these areas.
device is often used to store his/her identity information. To prevent unauthorized service access, users also need to be authenticated before accessing such devices. It is evident that a user is burdened with too many identities to access many remote and proximity services. An integrated approach is required to manage all those identities to access all these services.
Wireless service access results in more complexity to manage identities prior to accessing the services. Besides device authentications, users need to authenticate themselves before accessing the wireless networks. In addition to this, because of the size limitations, mobile devices are equipped with smaller screens and limited data entry capabilities using small keypads. For wireless services to succeed, it is critical that the mobile users are able to get convenient and immediate access to the information and services they need without going through long menus and having to enter various usernames and passwords.
In the future, one of the key issues of identity management in the wireless domain will be who the identity providers will be to the users and who will own/manage the subscriber identity module (SIM/USIM). It is because, currently, almost every service provider is also an identity provider for users to access that specific service. SIM card is in fact a smart card with processing and information storage capabilities. With the development of powerful, sophisticated as well as secure smart cards, it is now considered as the storage place for user's identity information. In current cellular models, the operator provides not only the wireless access but also owns and manages SIM/USIM. In this case, the user has little control over his/her identity. A user is having a SIM/USIM as his/her identity but is not allowed to modify or update it so that he/she cannot subscribe to new wireless providers or to whatever service providers he/she likes. A collaborative operator model has been thought where such identity module belongs to the user (Kuroda, Yoshida, Ono, Kiyomoto, & Tanaka, 2004, pp. 165-166). A third party can provide the infrastructure to manage such identity. This approach leads towards user-centric identity management and provides the user with flexibility in choosing wireless providers.
In general, common identity deployment architectures can be broadly classified into three types: Silo, Walled Garden, and Federation (Altmann & Sampath, 2006, p. 496). Current identity management in the service world is mostly silo-based. Silo is a simple architecture, which requires each service provider to maintain a unique ID for each user. This approach is simpler from a service provider's point of view but it is not only laborious but also problematic for the user. Moreover, it results in a huge waste of resources due to the possession of redundant identity information in the service world. As studies show, users who register with several service providers routinely forget their passwords for less frequently used accounts. This has a significant financial effect. On average, $45 is spent on password reset each time a user forgets a password (Altmann & Sampath, 2006, p. 496). Walled Garden is a centralized identity management approach where all service providers can typically rely on one single identity provider to manage the user's identity. The user is benefited through managing only a single set of credentials. Its inherent weakness is that, once the significant barrier of protection is compromised, a malicious user enjoys unbridled access to all resources. Lastly, in identity federation management a group of service providers forms a federation. Here, each service provider recognizes the identifiers of other service providers and thereby considers a user who has been authenticated by another service provider to be authenticated as well. However, the real distinction between Walled Garden and Federation approach is that here service providers have their own unique identifiers and credentials. Though this approach is widely accepted considering the heterogeneity of service providers, many possible service interaction scenarios and the requirements of several levels of security make such a system far more complex.
Identity Management for Wireless Service Access
Designing an identity management mechanism to access both remote and proximity services, without
Apart from possessing numerous usernames/passwords/PIN codes for remote (Web) service access, the user is also carrying many physical identities for proximity service access. These include credit card, bank card, home/office access cards, and so forth. Many researchers working in these areas are proposing the smart cards, like SIM/USIM currently used in mobile phones, as the secure storage place for the user's identity information because it can be revoked, users nowadays can rarely be found without a mobile phone and there are possibilities of security enhancements. Custom made SIMs/USIMs having enough computational power and storage space can be used to manage users' identification information and multi-factor authentication mechanisms. Gemalto, a company providing digital security, is involved in developing sophisticated smart cards (e.g., SIM/USIM) based online or off-line identity management with associated software, middleware, and server-based solutions. NXP, a semiconductor company (formerly a division of Philips), is also offering identification products in areas like government, banking, access control, and so forth using secure innovative contactless smart cards and chips. Credit card companies are running various trials for providing user's payment identity handling solutions using mobile phones and NFC technology. Tap N Go is the name of a contactless payment trial powered by MasterCard PayPass (2007) in the U.S. started in 2006. In the same year, Visa completed contactless-based mobile pilots in Malaysia and the United States, using NFC-enabled phones, complementing existing programs in Japan and Korea. In February 2007, Visa International and SK Telecom of South Korea announced the world's first contactless payment application on a universal SIM card which is personalized over-the-air based on Visa's recently introduced mobile platform ("Visa's mobile platform initiative," 2007).
Identity providers issue identities to each user. They have a very important central role in the identity management business. The identity provider manages users' identities and their access rights to various services securely. It provides the authentication and authorization services to the users. Who can be the identity providers in future identity management systems, is a debatable issue. Liberty Alliance (Miller et al., 2004) believes that mobile operators are in a good position to become the most favored identity providers, because they possess valuable static and dynamic user information which can be transmitted to third parties in a controlled manner through open standard Web service interface. Mobile operators also have the ability to seamlessly authenticate users with the phone number on behalf of the service providers (SP). Many contradict such roles of mobile operators. Instead a more trusted third party, like financial institutes and governments are also well positioned to become preferred identity providers. They might provide identity services for their specific market and services that need stronger user identities. When a user wants to subscribe to a new wireless network, he/she asks the third party identity provider to add new identification data to his/her phone. In such a situation, it is possible that a third party can even manage SIM/USIM, which is currently done by cellular operators. It is expected that the next-generation wireless network will have such flexibility.
Components of User Identities
Identity management in wireless service access needs to address device-level security, network-level security, and service-level security (Kuroda et al., 2004, p. 169). Therefore, the over-all user identity comprises device, network, and service identities. The user's device is divided into two components, a personal smart card (e.g., SIM/USIM) and mobile devices with wireless access capabilities. The smart card includes user identification data that con user's public or shared-secret keys, certificates f network operators, and service providers. The card and the device need to be mutually authenticated in the initial setup phase because both devices have built no relationship of trust to exchange security information from the very beginning. Afterwards, the user identifies him/herself to the card, since it stores sensitive personal information, which is used for network- and service-level authentication. The user can identify through PIN, password, or biometrics. After these authentication procedures,
Vulnerability Analysis
aid of malware, adware, or spyware; recursive DNS attacks or the use of DNS server for DoS attack; and attacks against OpenEdge WebSpeed platforms, and so forth.
Conclusion
This chapter explores some of the security vulnerabilities associated with 802.11 wireless networks. Here basic issues with WEP and better protocols like TKIP and CCMP were discussed with some advice on security precautions. Later emphasis was given on DoS and DDoS attacks to show how complicated and varied they are in nature. DoS attacks are done quite effectively against wired and wireless networks and it costs much in terms of the damages done. Defense mechanisms against such attacks are still not perfect and the chapter eventually reviews and explains some sets of defense mechanisms that could help against such attacks.
Chapter XI
Key Distribution and
Management for
Mobile Applications
György Kálmán
University Graduate Center – UniK, Norway
Josef Noll
University Graduate Center – UniK, Norway
Abstract
This chapter deals with challenges raised by securing transport, service access, user privacy, and ac-
counting in wireless environments. Key generation, delivery, and revocation possibilities are discussed
and recent solutions are shown. Special focus is on efficiency and adaptation to the mobile
Device domains in personal area networks and home networks are introduced to provide personal digital
rights management (DRM) solutions. The value of smart cards and other security tokens is shown and
a secure and convenient transmission method is recommended based on the mobile phone
communication technology.
Protecting user data is of key importance for all communications, and especially for wireless communications, where eavesdropping, man-in-the-middle, and other attacks are much easier. With a simple wireless LAN (WLAN) card and corresponding software it is possible to catch, analyse, and potentially decrypt wireless traffic. The implementation of the first WLAN encryption standard wired equivalent privacy (WEP) had serious weaknesses. Encryption keys can be obtained through a laptop in promiscuous mode in less than a minute, and this can happen through a hidden attacker somewhere in the surrounding. Data protection is even worse in places with public access and on factory default WLAN access points without activated encryption. Messages of standard Internet protocols such as the simple mail transport protocol (SMTP) are not encoded, thus all user data are transmitted in plaintext. Thus, sending an e-mail over an open access point has the same effect as broadcasting the content. With default firewall settings an intruder has access to local files, since the local subnet is usually placed inside the trusted zone. These examples emphasise that wireless links need some kind of traffic encryption.
When the first widespread digital cellular network was developed around 1985, standardisation of the global system for mobile communication (GSM) introduced the A5 cryptographic algorithms, which can nowadays be cracked in real-time (A5/2) or near real-time (A5/1). A further security threat is the lack of mutual authentication between the terminal and the network. Only the terminal is authenticated; the user has to trust the network unconditionally. In universal mobile telecommunications system (UMTS), strong encryption is applied on the radio part of the transmission and provides adequate security for current demands, but does not secure the transmission over the backbone. UMTS provides mutual authentication through an advanced mechanism for authentication and session key distribution, named authentication and key agreement (AKA).
A Long Way to Secure Communication
Applying some kind of cryptography does not imply a secured access. Communicating parties must negotiate the key used for encrypting the data. It should be obvious that the encryption key used for the communication session (session key) cannot be sent over the air in plaintext (see Figure 1).
Figure 1. A basic problem of broadcast environment
In order to enable encryption even for the first message, several solutions exist. The simplest one, as used in cellular networks, is a preshared key supplied to the mobile terminal beforehand. This key can be used later for initialising the security infrastructure and can act as a master key in future authentications.
In more dynamic systems the use of preshared keys can be cumbersome. Most WLAN encryption methods support this kind of key distribution. The key is taken to the new unit with some kind of out of band method, for example with an external unit, as indicated in Figure 2. Practically all private and many corporate WLANs use static keys, allowing an eavesdropper to catch huge amounts of traffic and thus enable easy decryption of the content. This implies that a system with just a secured access medium can be easily compromised. Non-aging keys can compromise even the strongest encryption, thus it is recommended to renew the keys from time to time.
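The preshared master key and the key renewal recommended above, as an added example that is not code from the chapter: each run derives a fresh session key from the master key and two nonces with HKDF (RFC 5869), and both sides prove knowledge of the master key before the session key is installed, so no key material crosses the air. The construction, the role labels and all names are assumptions made for the illustration; it is not the GSM or UMTS AKA algorithm.

```python
"""Session keys renewed from a preshared master key, with mutual authentication."""
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF (RFC 5869) over HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class Endpoint:
    """Terminal or network side; both hold the same master key, delivered out of band."""

    def __init__(self, role, master_key):
        self.role = role                  # b"terminal" or b"network" (assumed labels)
        self._master = master_key         # never transmitted
        self.session_key = None

    def _keys(self, nonce_t, nonce_n):
        # Both nonces salt the derivation, so every run yields fresh keys.
        salt = nonce_t + nonce_n
        return (hkdf_sha256(self._master, salt, b"auth"),
                hkdf_sha256(self._master, salt, b"session"))

    def tag(self, nonce_t, nonce_n):
        """Proof of master-key knowledge, bound to this run and to the sender's role."""
        auth_key, _ = self._keys(nonce_t, nonce_n)
        return hmac.new(auth_key, self.role, hashlib.sha256).digest()

    def accept(self, peer_role, peer_tag, nonce_t, nonce_n):
        """Verify the peer's proof; only then install the session key."""
        auth_key, session_key = self._keys(nonce_t, nonce_n)
        expected = hmac.new(auth_key, peer_role, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, peer_tag):
            return False
        self.session_key = session_key
        return True


def handshake(terminal, network):
    """One mutual authentication. Returns (ok, on_air), every byte string sent."""
    nonce_t = secrets.token_bytes(16)               # terminal -> network
    nonce_n = secrets.token_bytes(16)               # network -> terminal
    tag_n = network.tag(nonce_t, nonce_n)           # network -> terminal
    on_air = [nonce_t, nonce_n, tag_n]
    if not terminal.accept(network.role, tag_n, nonce_t, nonce_n):
        return False, on_air                        # unproven network is refused
    tag_t = terminal.tag(nonce_t, nonce_n)          # terminal -> network
    on_air.append(tag_t)
    return network.accept(terminal.role, tag_t, nonce_t, nonce_n), on_air


def replay_is_accepted(terminal, recorded_on_air):
    """Feed a recorded network response to a terminal that drew a fresh nonce."""
    _, old_nonce_n, old_tag_n = recorded_on_air[:3]
    fresh_nonce_t = secrets.token_bytes(16)
    return terminal.accept(b"network", old_tag_n, fresh_nonce_t, old_nonce_n)


if __name__ == "__main__":
    master = secrets.token_bytes(32)                # constructed preshared key
    t, n = Endpoint(b"terminal", master), Endpoint(b"network", master)
    ok, air = handshake(t, n)
    print("first run ok:", ok, "keys match:", t.session_key == n.session_key)
    first_key = t.session_key
    handshake(t, n)
    print("key renewed:", t.session_key != first_key)
    print("replayed response accepted:", replay_is_accepted(t, air))
```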
Outside the telecom world it is harder to distribute keys beforehand, so key exchange protocols emerged, which offer protection from the first message and do not need any preshared secret. The most widespread protocol is the Diffie-Hellman (DH) key exchange of Figure 2, which allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.
Figure 2. (a) Diffie-Hellman key exchange and (b) out-of-band key delivery
This protocol does not authenticate the nodes to each other, but enables the exchange of data, which can be decoded only by the two parties. Malicious attackers may start a man-in-the-middle attack (see Figure 4). Since this problem is well-known, several modifications enable identity based DH, for example Boneh, Goh, and Boyen (2005) showed a hierarchical identity based encryption method, which is operating in fact as a public key system, where the public key is a user chosen string.
Public key infrastructure (PKI) can help defending corresponding parties against man-in-the-middle attacks. Public key cryptography is based on the non polynomial (NP) time problems, for example of factorisation or elliptic curves. Two keys, a public and a private are generated. The public key can be sent in plaintext, because messages encrypted with the public key can only be decoded by the private key and vice versa. The two way nature of public keys makes it possible to authenticate users to each other, since signatures generated with the public key can be checked with the public key. Message authenticity can be guaranteed. Still, the identity of the node is not proven. The signature proves only that the message was encoded by the node, which has a public key of the entity we may want to communicate with.
Identity can be ensured by using certificates. Certificate authorities (CA) store public keys and after checking the owner's identity out of band, prove their identity by signing the public key and user information with their own keys. This method is required for financial transactions and business and government operations. Without a
Figure 4. TLS key negotiation

Figure 5. TLS-KEM key negotiation

least fixed environment, computational cost of key negotiations is usually neglected. For example, TLS uses several public key operations to negotiate a session key. This can be a problem for mobile devices, since computational cost is much higher in asymmetric encryption. The standard TLS suite uses lots of cryptographic operations and generates too large a message load on wireless links (see Figure 5).

If a mobile device wants to execute mutual authentication with a service provider, with certificate exchanges, it can lead to big amounts of data transferred over the radio interface beside the high computing power needs.

In environments with limited resources, authentication and identity management based on preshared keys is still the most effective solution. Badra and Hajjeh (2006) propose an extension to TLS, which enables the use of preshared secrets instead of asymmetric encryption. This is in line with the efforts to keep resource needs at the required minimum level in mobile devices. A preshared key solution was also proposed by the 3rd Generation Partnership Projects (3GPP, 2004) and (3GPP2, 2007) as an authentication method for wireless LAN interworking. The problem with the proposed solution is that preshared keys do not provide adequate secrecy nor identity protection in Internet connections. To deal with this problem, the TLS-key exchange method (TLS-KEM) provides identity protection, minimal resource need, and full compatibility with the original protocol suite as seen in Figure 6.

In direct comparison, the public key based TLS needs a lot more computing, data traffic, and deployment effort.

In UMTS networks, an array of authentication keys is sent to the mobile in authentication vectors. In the computer world a good solution would be using hash functions to calculate new session keys, as these consume low power and require little computing.

A moving terminal can experience a communication problem, as the overhead caused by key negotiation might extend the connection time to a network node. A preserved session key for use in the new network is a potential solution in a mobile environment, as it speeds up the node’s authentication. Lee and Chung (2006) recommend a scheme which enables the reuse of session keys. Based on the AAA infrastructure, it is possible to forward the key to the new corresponding AAA server on a protected network and use it for authentication without compromising system security. This can reduce the delay for connecting, and also reduces the possibility of authentication failure. Since the old session key can be used for authenticating the node towards the new AAA server, connection to the home AAA is not needed any more. The
messages are exchanged as follows (Lee & Chung, 2006): when sending the authorisation request to the new network, the node also includes the old network address it had. The foreign agent connects to the new local AAA server and sends an authentication request. The new AAA server connects to the old one sending a message to identify the user. The old AAA authenticates the message by checking the hash value included, and generates a nonce for the terminal and the foreign agent. The server composes an AAA-terminal answer, which is composed from a plain nonce, an encrypted nonce using the key shared between the old foreign agent and the terminal. Then the whole message is signed and encrypted with the key used between the two AAA servers. When the new AAA receives it, it decrypts it and sends the message to the new foreign agent. Based on the plain nonce, the agent generates the key and sends down the reply, which includes also the nonce encrypted by the old AAA. After the authentication of the user towards the network, the user can start using services.

Key distribution and efficiency in e-commerce applications is another important aspect. The network’s AAA usually does not exchange information with third parties or can not use the authentication data of the network access because of privacy issues. Current security demands require mutual identification of communicating parties in an e-commerce application. This can easily lead to compromising the customer to companies (for example in a GSM network, the user has to trust the network unconditionally). If the user can also check the identity of the service provider, at least man-in-the-middle attacks are locked out.

When a user starts a new session with a service provider, this session should be based on a new key set. The session key has to be independent from the previous one in means of traceability and user identity should not be deductible from the session key, thus ensuring user privacy. For mutual identification, a key exchange method is proposed by Kwak, Oh, and Won (2006), which uses hash values to reduce resource need. The key calculation is based on random values generated by the parties, which ensures key freshness.

The use of hash functions is recommended in mobile environments, providing better performances for public key based mechanisms (Lim, Lim, & Chung, 2006). Mobile IPv4 uses symmetric keys and hashes by default. Since symmetric keys are hard to manage, a certificate-based key exchange was recommended, but this demands more resources. To lower the resource demand, a composite architecture was recommended (Sufatrio, 1999). The procedure uses certificates only in places where the terminal does not require processing of the public key algorithm and does not require storage of the certificate.

The result of the comparison shows that hash is by far the most efficient method in terms of key generation, but suffers from management difficulties. Lim et al. (2006) also demonstrates that a pure certificate-based authentication is unsuitable for mobile environments. Partial use of certificates and identity-based authentication with extensive use of hash functions can be a potential way ahead.

AUTHENTICATION OF DEVICE GROUPS

In a ubiquitous environment, moving networks appear. PANs and ad hoc connections based on various preferences emerge and fall apart. These devices communicate with each other and usually have very limited capabilities in terms of computing power and energy reserves. In order to provide secure communication between any part of the network, hierarchical key management methods emerged (Kim, Ahn, & Oh, 2006). Here a single trusted server is used to manage the group key. These entities are usually storing the keys in a binary tree, where nodes are the leaves.

Public key operations are usually required when a terminal wants to connect to a group for the first time. A group management system needs frequent key generation rounds, because it has to ensure forward and backward secrecy. Strict key management policies ensure that no new node is capable of decoding former traffic and none of the old nodes have the possibility to decrypt current traffic. To adjust resource usage to mobile environment, a management scheme which uses mainly simple operations like XOR and hash is advisable (Kim et al., 2006). As the key in the root of the
Privacy-Enhancing Technique
lature and self-regulatory programs in helping to enforce Web site policies.

APPEL (World Wide Web Consortium [W3C], 2002) can be used to express what a user expects to find in a privacy policy. P3P and APPEL merely provide a mechanism to describe the intentions of both sides rather than means to protect user data after agreeing to use the service.

There are several privacy-related tools that are based on P3P and APPEL specifications. AT&T’s (n.d.) Privacy Bird is a free plug-in for Microsoft® Internet Explorer. It allows users to specify privacy preferences regarding how a Web site stores and collects data about them. If the user visits a Web site, the Privacy Bird analyzes the policy provided and indicates whether or not the policy fits to the user’s preferences. The Microsoft® Internet Explorer 6 (Microsoft, n.d.) and Netscape® 7 (Netscape, n.d.) embed a similar behaviour. They allow the user to set some options regarding cookies and are capable of displaying the privacy policy in human readable format. All these tools are a valuable step into the right direction, but they still lack means to personalize privacy policies. Steps towards personalized privacy policies are discussed by Maaser and Langendoerfer (2005) and Preibusch (2005). In Preibusch a fine-grained choice from a set of offered policies is proposed whereas a form of a bargaining in which neither party fully publishes all its options is proposed in Maaser and Langendoefer.

Privacy policies allow for “opting-out” of or “opting-in” to certain data or data uses. But they do not provide a technical protection means. The user has no control on the actual abidance of the policy but still has to trust that his/her personal data is processed in accordance to the stated P3P policy only. Enforcement of the policy abidance could be done by hippocratic databases or other means.

2. IETFs GeoPriv

GEOPRIV is a framework (Cuellar, Morris, Mulligan, Peterson, & Polk, 2004) that defines four primary network entities: (1) a location generator, (2) a location server, (3) a location recipient, and (4) a rule holder. For appropriate interaction between those, three interfaces are defined, including a publication interface and a notification interface. GEOPRIV specifies that a “using protocol” is employed to transport location objects from one place to another. Location recipients may request a location server to retrieve GEOPRIV location information concerning a particular target. The location generator publishes location information to a location server. Such information can then be distributed to location recipients in coordination with policies set by the rule maker, for example, the user whose position is stored.

A using protocol must provide some mechanism allowing location recipients to subscribe persistently in order to receive regular notifications of the geographical location of the target as its location changes over time. Location generators must be enabled to publish location information to a location server that applies further policies for distribution.

One of the benefits of this architecture is that the privacy rules are stored as part of the location object (Cuellar et al., 2004). Thus, nobody can claim that he/she did not know that access to the location information was restricted. But misuse is still possible and it is still not hindered by technical means.

Server Side Means

In order to ensure privacy after agreeing to a certain privacy policy or privacy contract suitable means on the data gathering side are needed. Such could be hippocratic databases (Agrawal, Kiernan, Srikant, & Xu, 2002), HP Select Access (Casassa, Thyne, Chan, & Bramhall, 2005), Carnival (Arnesen, Danielsson, & Nordlund, 2004), PrivGuard (Lategan & Olivier, 2002). All these systems check whether an agreed individual privacy policy allows access to certain data for the stated purpose and by the requiring entity.

There are several approaches that try to protect privacy in location-aware middleware platforms (Bennicke & Langendörfer, 2003; Gruteser & Grunwald, 2003; Langendörfer & Kraemer, 2002; Synnes, Nord, & Parnes, 2003; Wagealla, Terzis,
& English, 2003). In Langendörfer and Kraemer; Bennicke and Langendörfer; and Wagealla et al. means are discussed that enable the user to declare how much information he/she is willing to reveal. In Synnes et al. the authors discuss a middleware that uses user-defined rules, which describe who may access the user’s position information and under which circumstances. The approach investigated in Gruteser and Grunwald intentionally reduces the accuracy of the position information in order to protect privacy. All these approaches lack means to enforce access to user data according to the access policy defined by users. A combination of the location-aware middleware platforms with protection means sketched previously would clearly improve user privacy. A first step in this direction was reported in Langendörfer, Piotrowski, and Maaser (2006) where users are enabled to generate Kerberos tokens on their own device and where the platform checks these tokens before granting access to user data.

ASSESSMENT OF PRIVACY-ENHANCING TECHNIQUES

In this section we discuss the protection level that can be achieved by applying privacy-enhancing techniques. In order to clarify how different classes of approaches affect user privacy we resume our example from the Privacy Protection Goals section and show which data is protected by which means. Thereafter we identify the protection level achieved by each class of protection means.

Evaluation of Presented Techniques

For the evaluation of the privacy-enhancing techniques we resume our example. Table 2 shows that each class of privacy-enhancing techniques has its own merit and is applicable for a specific type of information. The fact that all techniques have been designed to protect specific information allows easy combination of several approaches to improve user privacy. In the case of e-cash with revocable anonymity the use of different pseudonyms is essential in order to prevent service providers from linking individual transactions by using un-altered pseudonyms. Along these lines, the use of identity management systems becomes essential in order to ensure that all pseudonyms are used correctly, when interacting with service providers. In addition, support for the generation of pseudonyms can be of help in order to guarantee a minimal level of pseudonym quality.

In Table 2 we have not included descriptive and server-side approaches. With the former data gathered depends on user preferences and the latter provides protection against misuse only after the fact, that is, it has no influence on the data accumulated in a certain service provider’s database.

Table 2. The sets of user data each party can link per transaction. The positioning system can get information only if the user role is passive, that is, the system tracks the user.

Protection level

In order to assess the protection a certain PET can provide we use a classification with four protection levels:

• High: Technical means are given to ensure that the amount of data that can be gathered by a service provider is restricted to a minimum or matches the user’s requirements. So, no detailed information can be deduced from gathered data. The downside is that no value-added services can be provided or a service may not be provided at all.
• Medium: The data that are gathered can not only be determined by the user, but he/she keeps some control over them. This control might be either an active data control, that is, an obeyed request for deletion, or passive control that specifies certain rules on how these data shall be dealt with in the future or for certain purposes.
• Low: The user can determine which of his/her data is gathered. Especially if there is no proven technical means to protect the data, it is the task of the service provider to ensure the security of the gathered data. The drawbacks for service providers could be that users are hesitant to use their service if they cannot prove the security/privacy of the data.
• None: The user, respectively, the owner of the data, has no influence on the kind of data that is gathered, which information gets inferred or derived. In addition, the service provider or data collector respectively applies no appropriate means to protect the information or privacy. In this case we cannot speak of privacy at all. Such an environment enables service providers or others to gather as much and almost any data they want. Besides the drawback for service users of having no privacy at all, it most likely diminishes the trust of the users or potential customers respectively into such services.

In the classification of the PET according to protection levels we are focussing on the strength of the classes of mechanism and neglect the side effects. We are aware of the fact that real system properties such as the number of participants have significant impact on the protection level. For example, anonymous e-cash schemes provide a high level of protection since they prevent the user’s bank from learning about the user’s online purchase habits as well as the service provider from revealing the user’s identity. But if the anonymous e-cash scheme is used by a single customer of the bank only, the protection provided by the anonymous e-cash scheme collapses to the protection against the service provider, since the bank can easily link the e-coins to the user’s identity.

Table 3 shows the protection level of all presented classes of privacy-enhancing techniques such as mix networks and so forth. Here we did not consider individual differences in a class since weighting the individual drawbacks of similar approaches depends much on personal preferences and technical differences are already discussed in the Discussion of Privacy-Enhancing Techniques section.
Table 3. Protection level of the individual privacy-enhancing techniques at network and application
level
Descriptive
Anonymous DA + server side Location
Mix networks Pseudonyms approaches
e-cash technologies protection
(DA)
Application low -
none medium High low medium
level medium
Network level high none None none none none
search community in recent years. A first attempt is made by the SWAMI project (http://swami.jrc.es), which focused on AMI projects, legal aspects, scenarios, and available PET.

The workshop series “Privacy Enhancing Technologies” published in Springer’s LNCS series (2482, 2760, 3856, 3424, 4258) provides a great variety of publications dealing with technological, social, and legal aspects of privacy.

REFERENCES

Agrawal, R., Kiernan, J., Srikant, R., & Xu, Y. (2002, August 20-23). Hippocratic databases. In Proceedings of the 28th International Conference on Very Large Data Bases. Hong Kong, China.

Anton, A. I., He, Q., & Baumer, D. L. (2004). Inside JetBlue’s privacy policy violations. IEEE Security & Privacy.

Arnesen, R. R., Danielsson, J., & Nordlund, B. (2004, November 4-5). Carnival: An application framework for enforcement of privacy policies. Paper presented at the 9th Nordic Workshop on Secure IT-systems. Helsinki, Finland.

AT&T Corporation. (n.d.). AT&T privacy bird. Retrieved January 1, 2007, from http://privacybird.com

Barbaro, M., & Zeller, Jr., T. (2006, August 9). A face is exposed for AOL searcher no. 4417749. New York Times. Retrieved from http://www.nytimes.com/technology/ / 9 0 8 / 62 aol. 90 html?ex=14 7 6 1 08&4en=f4 5 fbc4 80 1 84 e& 1 309 ei=570 0

Bennicke, M., & Langendörfer, P. (2003). Towards automatic negotiation of privacy contracts for Internet services. In Proceeding of the 11th IEEE Conference on Networks (ICON 2003). IEEE Society Press.

Berthold, O., & Köhntopp, M. (2000, July 25-26). Identity management based on P3P. In Proceedings of the Workshop on Design Issues in Anonymity and Unobservability. Berkeley, CA.

Brands, S. (1993). Untraceable off-line cash in wallets with observers. In Proceedings of Crypto ’93 (LNCS 773, pp. 302-318). Springer-Verlag.

Casassa Mont, M., Thyne, R., Chan, K., & Bramhall, P. (2005). Extending HP identity management solutions to enforce privacy policies and obligations for regulatory compliance by enterprises. HPL-2005-110. Retrieved January 1, 2007, from http://www.hpl.hp.com/techreports/2005/HPL-2005-110.html

Chaum, D. (1981). Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2).

Chaum, D. (1985). Security without identification: Transaction systems to make big brother obsolete. Communications of the ACM, 28(10), 1030-1044.

Cranor, L. F. (2000). Beyond concern: Understanding net users’ attitudes about online privacy. In I. Vogelsang & B. M. Compaine (Eds.), The Internet upheaval: Raising questions, seeking answers in communications policy (pp. 47-70). Cambridge, MA: The MIT Press.

Cranor, L., Langheinrich, M., Marchiori, M., Presler-Marshall, M., & Reagle, J. (2002, April 16). The platform for privacy preferences 1.0 (P3P1.0) Specification. Retrieved January 1, 2007, from http://www.w3.org/TR/P3P/

Cuellar, J., Morris, J., Mulligan, D., Peterson, J., & Polk, J. (2004). GEOPRIV requirements (RFC 3693). Retrieved from http://www.rfc-archive.org/getrfc.php?rfc=3693

Federal Trade Commission (FTC). (1999). The FTC’s first five years: Protecting consumers online. Retrieved from http://www.ftc.org

Gruteser, M., & Grunwald, D. (2003, May 5-8). Anonymous usage of location-based services through spatial and temporal cloaking. Paper presented at the ACM/USENIX International Conference on Mobile Systems, Applications, and Services (MobiSys). San Francisco, CA.
Jendricke, U., & Gerd tom Markotten, D. (2000). Usability meets security—The identity-manager as your personal security assistant for the Internet. In Proceedings of the Computer Security Applications, 2000, ACSAC ’00, 16th Annual Conference, New Orleans, LA (pp. 344-353).

Jia, G., Brebner, G., & D’Uriage, M. (2004). Privacy protection system and method. U.S. Patent: US 2004/0181683 A1.

Koch, M., & Wörndl, W. (2001). Community support and identity management. In Proceedings of the European Conference on Computer Supported Cooperative Work (ECSCW 2001), Bonn, Germany.

Langendörfer, P., & Kraemer, R. (2002). Towards user defined privacy in location-aware platforms. In Proceeding of the 3rd international Conference on Internet computing. CSREA Press.

Langendörfer, P., Piotrowski, K., & Maaser, M. (2006). A distributed privacy enforcement architecture based on Kerberos. WSEAS Transactions on Communications, 5(2), 231-238.

Lategan, F. A., & Olivier, M. S. (2002). PrivGuard: A model to protect private information based on its usage. South African Computer Journal, 29, 58-68.

Maaser, M., & Langendoerfer, P. (2005, July 26-28). Automated negotiation of privacy contracts. Paper presented at the Computer Software and Applications Conference, Edinburgh, Great Britain.

Microsoft. (n.d.). Microsoft announces privacy enhancements for Windows, Internet Explorer. Retrieved January 1, 2007, from http://www.microsoft.com/presspass/press/2000/Jun00/P3Ppr.asp

Netscape. (n.d.). Netscape 7.0—7.2 release notes. Retrieved January 1, 2007, from http://wp.netscape.com/eng/mozilla/ns7/relnotes/7.html#psm

Novak, J., Raghavan, P., & Tomkins, A. (2004). AntiAliasing on the Web. In Proceedings of the 13th international conference on World Wide Web, New York.

Peterson, J. (2005). A presence architecture for the distribution of GEOPRIV location objects (RFC 4079). Retrieved from http://www.ietf.org/rfc/rfc4079.txt

Preibusch, S. (2005, July 19-22). Implementing privacy negotiation techniques in e-commerce. In Proceedings of the 7th IEEE International Conference on E-Commerce Technology, IEEE CEC 2005, Technische Universität München, Germany.

Project: AN.ON—Anonymity.Online. (n.d.). Protection of privacy on the Internet. Retrieved January 1, 2007, from http://anon.inf.tu-dresden.de/index_en.html

Rao, J. R., & Rohatgi, P. (2000). Can pseudonymity really guarantee privacy? In Proceedings of the Ninth USENIX Security Symposium.

Reed, M., Syverson, P., & Goldschlag, D. (1998). Anonymous connections and onion routing. IEEE Journal on Selected Areas in Communications, 16(4).

Reiter, M., & Rubin, A. (1998). Crowds: Anonymity for Web transactions. ACM Transactions on Information and System Security, 1(1), 66-92.

Sampigethaya, K., & Poovendran, R. (2006). A survey on mix networks and their secure applications. Proceedings of the IEEE, 94(12).

Synnes, K., Nord, J., & Parnes, P. (2003, January). Location privacy in the Alipes platform. In Proceedings of the Hawaii International Conference on System Sciences (HICSS-36), Big Island, HI.

Tor: Overview. (n.d.). Retrieved January 1, 2007, from http://tor.eff.org/overview.html

Treu, G., & Küpper, A. (2005). Efficient proximity detection for location based services. In Proceedings of the 2nd Workshop on Positioning, Navigation and Communication 2005 (WPNC 05), Hannover, Germany: SHAKER-Publishing.

Wagealla, W., Terzis, S., & English, C. (2003). Trust-based model for privacy control in context-aware systems. In Proceedings of the 2nd Workshop on Security in Ubiquitous Computing, Ubicomp.
KEY TERMS
Chapter X
Vulnerability Analysis and
Defenses in Wireless Networks
Lawan A. Mohammed
King Fahd University of Petroleum and Minerals, Saudi Arabia
Biju Issac
Swinburne University of Technology – Sarawak Campus, Malaysia
ABSTRACT
This chapter shows that the security challenges posed by the 802.11 wireless networks are manifold and it is therefore important to explore the various vulnerabilities that are present with such networks. Along with other security vulnerabilities, defense against denial of service attacks is a critical component of any security system. Unlike wired networks where denial of service attacks have been extensively studied, there is a lack of research for preventing such attacks in wireless networks. In addition to various vulnerabilities, some factors leading to different types of denial of service (DoS) attacks and some defense mechanisms are discussed in this chapter. This can help to better understand the wireless network vulnerabilities and subsequently more techniques and procedures to combat these attacks may be developed by researchers.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Vulnerability Analysis
typical wireless networks are defenseless against individuals who can find unsecured networks. The wireless server dutifully grants the unauthorized computer or mobile device an IP address, and the attacker is able to launch a variety of attacks such as breaking into specific servers, eavesdropping on network packets, unleashing a worm, and denial of service (DoS) or distributed denial of service (DDoS) attacks, and so forth. In this chapter, we discuss some security threats along with DoS attacks in typical wireless networks and survey some counter measures.

OVERVIEW OF SECURITY CHALLENGES IN WIRELESS NETWORKS

Security has traditionally consisted of ensuring confidentiality of data, the complete integrity of the data, and the availability of the data whenever needed—where service is not denied. Generally speaking, both wired and wireless network environments are complicated. Security solutions are most effective when they can be customized to a specific installation. Unfortunately, a high percentage of individuals involved in building and maintaining inter-networks and infrastructures for these environments have little knowledge of security protocols. As a result, many of today’s systems are vulnerable. Recent reports indicated that the wireless networks are becoming more popular. As these network deployments increase, so does the challenge to provide these networks with security. Wireless networks face more security challenges than their wired counterparts. This is partly due to the nature of the wireless medium as transmitted signals can travel through the walls, ceilings, and windows of buildings up to thousands of feet outside of the building walls. Moreover, since the wireless medium is airwaves, it is a shared medium that allows anyone within a certain distance or proximity to intrude into the network and sniff the traffic. Further, the risks of using a shared medium are increasing with the advent of available hacking tools that can be found freely from hacker’s Web sites. Additionally, some default wireless access points (APs) come from the manufacturers in open access mode with all security features turned off by default. Therefore, insecure wireless devices such as APs and user stations can seriously compromise wireless networks, making them popular targets for hackers.

Securing wireless networks requires at least three actions to be taken: first, authenticating users to ensure only legitimate users have access to the network; second, protecting the transmitted data by means of encryption; and third, preventing unauthorized connections by eliminating unauthorized transmitter or receiver. This emphasizes the need for a security framework with strong encryption and mutual authentication as explained later.

Specific Challenges and Key Issues

The security challenges in wireless networks can be roughly divided into two main categories, based on their scope and impact. The first category involves attacks targeting the entire network and its infrastructure. This may include the following:

• Channel jamming: This involves jamming the wireless channel in the physical layer thus denying network access to legitimate users. Typical example is the DoS attack.
• Unauthorized access: This involves gaining free access to the network and also using the AP to bypass the firewall and access the internal network. Once an attacker has access to the network, he/she can then launch additional attacks or just enjoy free network use. Although free network usage may not be a significant threat to many networks, network access is a key step in address resolution protocol (ARP)-based man-in-the-middle (MITM) attacks.
• Traffic analysis: This attack enables gaining information about data transmission and network activity by monitoring and intercepting patterns of wireless communication. This involves analyzing the overhead wireless traffic to obtain useful information. There are three forms of information that an attacker can obtain. First, he/she can identify that there is
War driving Web site http://www.worldwidewardrive.org has done the data collection during four rounds of war driving world wide from 2002 to 2004. Their first worldwide war driving started on August 31 and finished on September 7, 2002. During this time, 9,374 APs were located and only 30.13% had WEP encryption enabled. The second drive lasted from October 26 to November 2, 2002 when they tracked 24,958 APs, with only 27.2% having WEP enabled. During the third drive which happened from June 28 to July 5, 2003, 88,122 APs were located with only 32.26% WEP enabled. The fourth drive started in June 2004 for some months, located 228,537 APs and the total number of wireless networks running WEP was found to be 38.3%.

Security Enhancements

In the context of the aforementioned deficiencies, an IEEE 802.11i or IEEE 802.11 Task Group i (TGi) developed a new set of WLAN security protocols to form the future IEEE 802.11i standard. The new security standard, 802.11i, which was confirmed and ratified in June 2004, eliminates all the weaknesses of WEP. It is divided into three main categories (Strand, 2004) and these enhancements are described as follows:

1. Temporary key integrity protocol (TKIP): This is essentially a short term solution that fixes all WEP weaknesses. It would be compatible with old 802.11 devices and it provides integrity and confidentiality.
2. Counter mode with cipher block chaining-message authentication code protocol (CCMP): This is a new protocol designed with planning, based on RFC 2610 which uses Advanced Encryption Standard (AES) as cryptographic algorithm. Since this is more CPU intensive than RC4 (used in WEP and TKIP), new and improved 802.11 hardware may be required. It provides integrity and confidentiality.
3. Extensible authentication protocol (EAP): EAP is a general protocol for point-to-point (PPP) authentication that supports multiple authentication mechanisms.

Temporary Key Integrity Protocol (TKIP)

Wi-Fi protected access (WPA) was designed to replace WEP with the combination of the TKIP, which provides data confidentiality through encryption, and a new cryptographic message integrity code called MIC or Michael, which provides data integrity. TKIP comprises the same encryption engine and RC4 algorithm defined for WEP. However, unlike WEP the TKIP uses a 128 bits key for encryption and 64 bits key for authentication. This solves the problem of a shorter WEP key. TKIP also added a per-packet key mixing function to de-correlate the public initialization vectors (IVs) from weak keys. Furthermore, TKIP also provides a rekeying mechanism to provide fresh encryption and integrity keys by giving each user a unique shared key per session and by using IV as a counter. It discards any IV value received out of sequence. If the IV space is exhausted, a new key is negotiated. This makes TKIP protected networks more resistant to cryptanalytic attacks involving key reuse. TKIP provides better security than the WEP by adding four new algorithms:

• It provides a nonlinear hash function (Michael) that produces a 64 bit output. Unlike CRC used in WEP, Michael is keyed. Only those who know the secret key can compute a valid hash.
• It provides a new IV sequencing discipline to remove replay attacks from the attacker’s arsenal.
• It also has a per-packet key mixing function to de-correlate the public IVs from weak keys.
• Finally, it provides a rekeying mechanism, to provide fresh encryption and integrity keys, undoing the threat of attacks stemming from key reuse.

Table 1 shows how WPA uses TKIP and Michael to address the cryptographic weaknesses of WEP (Cable, 2004).

Counter CBC-MAC Mode

Counter with cipher block chaining-message authentication code or simply (CCM) is a mode
Vulnerability Analysis
Table 2. WEP, TKIP, and CCMP comparison (Cam-Winget, Housley, Wagner, & Walker, 2003)
WEP TKIP CCMP
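The receive-side properties the text lists for TKIP (a keyed MIC in place of CRC, counters accepted only in sequence, a new key once the counter space is used up), shown as an added example that is not from the chapter. HMAC-SHA-256 truncated to 64 bits stands in for Michael, the counter space is shrunk to four values, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import zlib

MIC_LEN = 8          # 64-bit tag, the Michael output size given in the text
IV_SPACE = 4         # tiny counter space (assumption) so exhaustion shows up in the demo


def crc_icv(payload: bytes) -> bytes:
    """WEP-style integrity value: unkeyed CRC-32, computable by anyone."""
    return zlib.crc32(payload).to_bytes(4, "big")


def keyed_mic(mic_key: bytes, seq: int, payload: bytes) -> bytes:
    """Keyed tag over counter and payload; HMAC-SHA-256 stands in for Michael."""
    data = seq.to_bytes(8, "big") + payload
    return hmac.new(mic_key, data, hashlib.sha256).digest()[:MIC_LEN]


class CrcOnlyReceiver:
    """Models the WEP behaviour: integrity check without a key or replay state."""

    def accept(self, payload: bytes, icv: bytes) -> str:
        return "accepted" if crc_icv(payload) == icv else "bad-icv"


class SequencedMicReceiver:
    """Models the TKIP-style discipline: counter check, keyed MIC, rekey on exhaustion."""

    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.last_seq = -1           # highest counter accepted under the current key
        self.mic_failures = 0

    def rekey(self, new_key: bytes) -> None:
        """Fresh key: the counter restarts, so no (key, counter) pair is reused."""
        self.mic_key = new_key
        self.last_seq = -1

    def accept(self, seq: int, payload: bytes, mic: bytes) -> str:
        if seq >= IV_SPACE:
            return "rekey-required"  # counter space used up under this key
        if seq <= self.last_seq:
            return "replay"          # out-of-sequence counter is discarded
        expected = keyed_mic(self.mic_key, seq, payload)
        if not hmac.compare_digest(expected, mic):
            self.mic_failures += 1   # the counter is not advanced on failure
            return "bad-mic"
        self.last_seq = seq
        return "accepted"


class Sender:
    def __init__(self, mic_key: bytes):
        self.mic_key = mic_key
        self.next_seq = 0

    def rekey(self, new_key: bytes) -> None:
        self.mic_key = new_key
        self.next_seq = 0

    def frame(self, payload: bytes):
        if self.next_seq >= IV_SPACE:
            raise RuntimeError("counter exhausted: negotiate a new key")
        seq = self.next_seq
        self.next_seq += 1
        return seq, payload, keyed_mic(self.mic_key, seq, payload)


def demo() -> dict:
    key = b"constructed-mic-key-0001"            # constructed sample key
    tx, rx, wep_rx = Sender(key), SequencedMicReceiver(key), CrcOnlyReceiver()
    results = {}

    seq, payload, mic = tx.frame(b"pay 10 to alice")
    results["genuine"] = rx.accept(seq, payload, mic)
    results["replayed"] = rx.accept(seq, payload, mic)

    # Someone without the key alters the payload. The CRC can simply be
    # recomputed; the keyed tag cannot, so the old tag no longer matches.
    altered = b"pay 99 to alice"
    results["altered_crc_only"] = wep_rx.accept(altered, crc_icv(altered))
    results["altered_keyed_mic"] = rx.accept(seq + 1, altered, mic)

    # Use up the remaining counters, then show the forced rekey.
    for _ in range(IV_SPACE - 1):
        rx.accept(*tx.frame(b"filler"))
    results["exhausted"] = rx.accept(IV_SPACE, b"late", b"\x00" * MIC_LEN)
    new_key = b"constructed-mic-key-0002"
    tx.rekey(new_key)
    rx.rekey(new_key)
    results["after_rekey"] = rx.accept(*tx.frame(b"fresh"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```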
[Figure: message exchange labelled Association Request, Association Response, EAP Start, EAP Request / ID]
[Figure: handshake messages labelled Message 1: [ANonce]; Create PTK from ANonce and SNonce; Message 2: [SNonce, MIC]; Create PTK from ANonce and SNonce and supply GTK]
second, third and fourth messages have a message integrity code (MIC). The MIC is generated by hashing a specified portion of the message and then encrypting that hash with the PTK. This four-way handshake occurs whenever someone connects to a WLAN using WPA. It also occurs thereafter, whenever the AP decides to refresh the transient keys (Phifer, 2007).

Attack on Michael MIC

Michael MIC was introduced to prevent attacks through message modification. It uses a feature known as TKIP countermeasure procedure, which works by disabling the AP if it receives two MIC failures within one second. After exactly one minute, the AP comes back to life and would need all its past and current users to re-key to gain access to the network. An attacker could send corrupt packets to the AP which can pass the frame CRC check, but would trigger the TKIP countermeasure, eventually shutting down the AP, especially after repeated corrupt traffic.

Encryption Attacks on Known Plaintext, Double Encryption, and Message Modification

For WEP encryption process, an XOR operation of message (or plaintext) with encryption key is done. For decryption process, the encrypted text is XOR-ed with the key to get the plaintext. Firstly, the plaintext known attack is done when the attacker knows two things: cleartext and the encrypted text of a message communication. Having both the encrypted and unencrypted form of the same information allows one to perform this attack and to retrieve the encryption key. The attacker needs to XOR cleartext and encrypted text to get the key. Secondly, to carry out the double encryption attack, a frame must be captured and the attacker must change the frame header destination MAC address to that of the attacker’s wireless client. After this subtle change, the attacker must wait for the IV to reset to one minus the original IV (of the modified frame), so that he/she can replay the captured frame into the air. When the AP sees the frame with the expected IV, it will encrypt the frame, actually being fooled into decrypting the frame instead of encrypting it. After doing the unknowing decryption process, the AP will forward the cleartext frame across the air to the forged MAC address specified by the attacker. Thirdly, to achieve the message modification attack, the attacker must capture an encrypted packet that is going to another subnet, modify a single bit, and attempt to resend it. The modification will offset the IC and the packet will be rejected. After trying a number of times, the bits that are flipped will make the IC correct again, although the packet would be malformed. The attacker can do this numerous times without any logging or alerts from the AP. Once the packet passes the AP’s IC check, it will reach the router. The router will observe that the packet is malformed and would send a response that contains the cleartext and associated encrypted text packet to the initial sender. This will give the attacker the ingredients to perform cleartext cryptanalysis. A solution is to encrypt the 802.11 frames within a layer 3 (network layer) wrapper, so that any tampering cannot go undetected.

General WLAN Security Measures

General security measures to minimize some of the mentioned flaws are listed as follows (Held, 2003; Hurton & Mugge, 2003; Issac, Jacob, & Mohammed, 2005):

1. Encrypt the network traffic. WPA with TKIP/AES options can be enabled. Upgrade the firmware on AP to prevent the use of weak IV WEP keys.
2. Ensuring mutual authentication through IEEE 802.1x protocol. Client and AP should both authenticate to each other. Implementing IEEE 802.1x port-based authentication with RADIUS server (with PEAP/MS-CHAPv2) would be a good choice.
3. Make the wireless network invisible by disabling identifier broadcasting. Turning off the SSID broadcast by AP and configure the AP not to respond to probe requests with SSID “any,” by setting your own SSID. Meaning, rename the wireless network and change the default name.
4. Changing the default WEP key settings, if any. Changing the default IP address in the AP to a different one. Change administrator’s password from the default password. If the wireless network does not have a default password, create one and use it to protect the network.
5. Enabling the MAC filtering in AP level or in RADIUS server or in both can tighten the security more, as there is a restriction in the use of MAC addresses (this step in itself, can be defeated through MAC spoofing).
6. Positioning and shielding of the antenna can help to direct the radio waves to a limited space.
7. Enabling of accounting and logging can help to locate and trace back some mischief that could be going on in the network. Preventive measures can then be taken after the preliminary analysis of the log file. Allow regular analysis of log files captured to trace any illegal access or network activity.
8. Using intrusion detection software to monitor the network activity in real time and to inform alerts.
9. Using honey pots or fake APs in the regular network to confuse the intruder so that he/she gets hooked to that fake AP without achieving anything.
10. Turn off the network during extended periods of non-use or inactivity.
11. Use file sharing with caution. If the user does not need to share directories and files over the network, file sharing should be disabled on his/her computers.
12. Do not auto-connect to open Wi-Fi (wireless fidelity) networks.
13. Connect using a VPN as it allows connecting securely. VPNs encrypt connections at the sending and receiving ends through secure tunnels.
14. Use firewalls in between wireless and wired network segments and implement filters.
15. Generally avoid dictionary words for pass phrase in any authentication. Also make the pass phrase more than 20 characters, especially if WPA-Pre Shared Key security is employed.

TYPES OF DENIAL OF SERVICE ATTACKS AND PREVENTIVE MEASURES

DoS simply means the inability of a user, process, or system to get the service that it needs or wants. Common DoS attacks on networks include direct attacks, remote controlled attacks, reflective attacks, and attacks with worms and viruses.
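The TKIP countermeasure described under "Attack on Michael MIC" turns MIC failures into loss of service, so its triggers are worth watching in AP logs. This added example (not from the chapter) replays constructed log lines through the rule as the text states it, two failures within one second followed by a one-minute shutdown, and reports each outage; the log format and all names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed AP log lines in a hypothetical format:
# timestamp, AP name, event type, station address.
LOG = """\
2007-03-01T10:00:00.100 ap1 MIC_FAILURE sta=02:00:00:00:00:01
2007-03-01T10:00:00.600 ap1 MIC_FAILURE sta=02:00:00:00:00:01
2007-03-01T10:00:30.000 ap1 MIC_FAILURE sta=02:00:00:00:00:01
2007-03-01T10:01:00.700 ap1 MIC_FAILURE sta=02:00:00:00:00:01
2007-03-01T10:01:01.200 ap1 MIC_FAILURE sta=02:00:00:00:00:02
2007-03-01T10:05:00.000 ap2 MIC_FAILURE sta=02:00:00:00:00:09
2007-03-01T10:05:05.000 ap2 MIC_FAILURE sta=02:00:00:00:00:09
2007-03-01T10:06:00.000 ap2 ASSOC sta=02:00:00:00:00:09
"""


def parse_failures(log_text):
    """Return (time, ap, station) for every MIC_FAILURE line, in time order."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "MIC_FAILURE":
            station = parts[3].partition("=")[2]
            events.append((datetime.fromisoformat(parts[0]), parts[1], station))
    return sorted(events)


def find_outages(log_text, window_s=1.0, shutdown_s=60.0):
    """Apply the countermeasure rule per AP and list the shutdowns it causes.

    window_s and shutdown_s default to the figures given in the text; they are
    parameters so the rule can be matched to what a given AP actually does.
    """
    window = timedelta(seconds=window_s)
    shutdown = timedelta(seconds=shutdown_s)
    last_failure = {}    # ap -> (time, station) of the latest unpaired failure
    down_until = {}      # ap -> time at which the AP resumes service
    outages = []
    for when, ap, station in parse_failures(log_text):
        if ap in down_until and when < down_until[ap]:
            continue     # AP is already shut down, nothing further can trigger
        prev = last_failure.get(ap)
        if prev and when - prev[0] <= window:
            down_until[ap] = when + shutdown
            outages.append({"ap": ap, "start": when, "end": when + shutdown,
                            "stations": sorted({prev[1], station})})
            last_failure.pop(ap)
        else:
            last_failure[ap] = (when, station)
    return outages


def downtime_by_ap(outages):
    """Seconds of service lost per AP."""
    total = defaultdict(float)
    for outage in outages:
        total[outage["ap"]] += (outage["end"] - outage["start"]).total_seconds()
    return dict(total)


def repeated_triggers(outages, min_outages=2):
    """APs shut down more than once: the sustained pattern worth an alert."""
    counts = defaultdict(int)
    for outage in outages:
        counts[outage["ap"]] += 1
    return sorted(ap for ap, n in counts.items() if n >= min_outages)


if __name__ == "__main__":
    found = find_outages(LOG)
    for outage in found:
        print(outage["ap"], outage["start"].time(), "->", outage["end"].time(),
              "stations:", ", ".join(outage["stations"]))
    print("downtime (s):", downtime_by_ap(found))
    print("alert on:", repeated_triggers(found))
```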
DoS attacks are quite effective against wireless networks. The wireless management frames, which are transmitted in cleartext in a wireless network, inform the clients that they can connect or disconnect. The de-authentication frame will disassociate a wireless end device from an AP. Since they are sent in cleartext, they can easily be forged to force legitimate users out of the network. This can be accomplished by replaying a previous disassociation frame with a wireless sniffer. An attack on 802.11b with 802.11g mixed network mode can affect the clear channel assessment (CCA) process that brings down the probability that two wireless nodes will transmit on the same frequency simultaneously. This attack can cause all nodes in range to shut down until the attacker stops injecting the malicious frame. A layer 2 encryption would be the only solution to this. The EAP-DoS attack involves injecting a number of EAP start frames to an AP and if the AP cannot properly process all these frames, there is the chance that it might become inoperable. Another attack against the AP involves sending malformed EAP messages. One of the recent attacks against the AP involves filling up the EAP identifier space that allows 255 ID tags to keep track of each client instance. If an attacker can flood the AP with a large number of client connection instances, using up this counter, a DoS attack can be achieved (Earle, 2006).

Different researchers have categorized DoS and DDoS from different perspectives. As documented in Christos and Aikaterini (2003), DoS attacks can be classified into five different categories, namely: (1) network device level attack, (2) operating system (OS) level attack, (3) application level attack, (4) data flood attack, and (5) protocol attack.

Network device level attack includes attacks that might be caused either by taking advantage of bugs or weaknesses in driver software or by trying to exhaust the hardware resources of network devices. Network level attacks may also involve compromising a series of computers and placing an application or agent on the computers. The computer then listens for commands from a central control computer. The compromise of computers can either be done manually or automatically through a worm or virus.

The OS level DoS attacks rely on the ways operating systems implement protocols. A typical example is the ping of death attack in which Internet control message protocol (ICMP) echo requests having total data sizes greater than the maximum IP standard size are sent to the targeted victim. This attack often has the effect of crashing the victim’s machine.

In application-based attacks, a machine or a service is compromised and set out of order either by taking advantage of specific bugs in network applications that are running on the target host or by using such applications to drain the resources of their victim. It is also possible that the attacker may have found points of high algorithmic complexity and exploits them in order to consume all available resources on a remote host.

In data flooding attacks, an attacker uses all network bandwidth or any other device bandwidth by sending massive quantities of data and so causing it to process extremely large amounts of data. For instance, the attacker bombards the targeted victim with normal, but meaningless packets with spoofed source addresses.

DoS attacks based on protocol features take advantage of certain standard protocol features such as IP and MAC source addresses. Typically, the attacker spoofs these features. Several types of DoS attacks have focused on domain name systems (DNSs), and many of these involve attacking DNS cache on name servers. An attacker who owns a name server may coerce a victim name server into caching false records by querying the victim about the attacker’s own site. A vulnerable victim name server would then refer to the rogue server and cache the answer (Davidowicz, 1999).

Other researchers such as Papadimitratos and Hass (2002) and Marti, Giuli, Lai, and Baker (2001) describe DoS attacks in relation to routing layer and those at the link or MAC layer.

Attacks at the routing layer could consist of the following: (1) the attacker participates in routing and simply drops a certain number of the data packets. This causes the quality of the connections to deteriorate and further ramifications on the performance if TCP is the transport layer protocol that is used; (2) the attacker transmits falsified routing updates. The effects could lead to frequent route failures thereby deteriorating performance; (3) the attacker could potentially replay stale updates. This might again lead to false routes and degradation in performance; and (4) reduce the time-to-live (TTL) field in the IP header so that the packet never reaches the destination. Routing attacks are usually directed at dynamic routing protocols such as border gateway protocol (BGP), open shortest path first (OSPF), and enhanced interior gateway routing protocol (EIGRP). Direct DoS or DDoS attacks against routing protocols can lead to regional outages. Another form of routing attack is called route injection, which can lead to traffic redirection, prefix hijacking, and so forth. Attacks at the MAC layer are described next.

Flooding and Spoofing Attacks

Flooding attack, as the name implies, involves the generation of spurious messages to increase traffic on the network, while spoofing attacks involve the creation of packets with spoofed (i.e., forged) source IP addresses and other credentials.

In smurf attack, an attacker sends a large amount of ICMP echo traffic to a set of IP broadcast addresses, multiplying the traffic by the number of hosts responding. ICMP flooding attack uses public sites that respond to ICMP echo request packets within an IP network to flood the victim’s site. It involves flooding the buffer of the target computer with unwanted ICMP packets. SYN flood attack is also known as the transmission control protocol (TCP) SYN attack and is based on exploiting the standard TCP three-way handshake. In this case, an attacker sends SYN packet to initiate connection. The victim responds with the second packet back to the source address with SYN-ACK bit set. The attacker never responds to the reply packet. In this case, the victim’s TCP receive queues would be filled up, denying new TCP connections. Another variant of this attack is called user datagram protocol (UDP) flooding attack (Craig, 2000). This attack is based on UDP echo and character generator services provided by most computers on a network. In MAC spoofing attack, an attacker spoofs his/her original MAC address to the MAC address he/she wants to spoof. An attacker can learn the MAC address of the valid user by capturing wireless packets using any packet capturing software by passively or actively observing the traffic. Web spoofing permits an attacker to observe and change all the Web traffic sent to the victim’s machine and capture all data entered into the Web page forms (if any) by the victim. The attack can be done using Web plug-ins and JavaScript segments. The attack, once implemented, is started when the victim visits a malicious Web page through a Web link in a malicious e-mail message sent by the attacker. DNS spoofing is where the attacker makes a DNS entry to point to another IP address than it would be generally pointing to. It works through stealth by unknowingly forcing a victim to generate a request to the attacker’s server, and then spoofing the response from that server. IP spoofing is a process used to gain unauthorized access to computers, whereby the attacker sends packets to a computer with spoofed IP address implying that the message is coming from a trusted and genuine host.

DDoS Attack

DDoS attacks usually refer to an attack by use of multiple sources that are distributed throughout the network. In this attack, an attacker installs the DDoS software controls on a network of computers, mostly through security compromise. This allows the attacker to remotely control compromised computers, thereby making it handlers and agents. From a “master” device, the attacker can control the slave devices and direct the attack on a particular victim. Thousands of machines can be controlled from a single point of contact as shown in Figure 3. There are several types of DDoS attacks, but their methods are very similar in that they rely on a large group of previously compromised systems to direct a coordinated distributed flood attack against a particular target.

Figure 3. DDoS attack scenario using agents/zombies to flood the victim [diagram labels: Attacker; Control traffic to handlers; Control traffic to agents/zombies; Flooding traffic to victim computer; Victim]

Christos and Aikaterini (2003) classified DDoS based on the degree of the attack automation. These classifications are manual, semi-automatic and automatic DDoS attacks. The manual attack involves manual scanning of remote machines for vulnerabilities, then the attacker breaks into any one of them to install attack codes. Semi-automatic attacks are partially manual and partially automatic. In this case, the attacker scans and compromises handlers and agents by using automated scripts. He/she then types the victim’s address manually and the onset of the attack is specified by the handler machines. In automatic DDoS attacks the communication between attacker and agent machines is completely avoided. In most cases the attack phase is limited to a single command through the attack code file. All the features of the attack, for example the attack type, the duration, and the victim’s address are preprogrammed in the attack code. This way, the possibility of revealing the attacker’s identity or source is very minimal. A number of DDoS tools that are available from the Internet have been identified by the Internet Security Systems (ISS) (www.iss.net).

Defense Mechanisms Against DoS Attacks

Several techniques to counter DoS and DDoS attacks have been proposed by researchers, and we briefly discuss some of these techniques. A challenge-based mechanism was proposed by Kandula, Katabi, Jacob, and Berger (2005). For example, an image-based challenge may be used to determine whether the client is a real human being or an automated script. A similar approach based on capabilities was proposed in Agarwal, Dawson, and Tryfonas (2003), and the method generally relies on clients having to ask the server for permission to send packets. If the server decides to allow the connection, it replies with a capability token, which the client includes in subsequent packets and which the network polices.

Greenhalgh, Handley, and Huici (2005) described an approach consisting of diverting traffic going to protected servers so that it traverses control points. These control points would encapsulate the traffic, sending it to a decapsulator near the server. The server could then tell which control point a malicious flow had traversed, and request it be shut down at this boundary. Signature-based and anomaly based detection techniques are proposed in Park and Lee (2001) and Shields (2002). Some solutions involve the use of strong digital signature based transport level authentication mechanisms as recently proposed in Dierks and Allen (2006).

Mechanisms Against Spoofing

Attackers launching spoofing usually hide the identity of machines they used to carry out an
aid of malware, adware, or spyware; recursive DNS attacks or the use of DNS server for DoS attack; and attacks against OpenEdge WebSpeed platforms, and so forth.

CONCLUSION

This chapter explores some of the security vulnerabilities associated with 802.11 wireless networks. Here basic issues with WEP and better protocols like TKIP and CCMP were discussed with some advice on security precautions. Later emphasis was given on DoS and DDoS attacks to show how complicated and varied they are in nature. DoS attacks are done quite effectively against wired and wireless networks and it costs much in terms of the damages done. Defense mechanisms against such attacks are still not perfect and the chapter eventually reviews and explains some sets of defense mechanisms that could help against such attacks.

REFERENCES

Agarwal, S., Dawson, T., & Tryfonas, C. (2003). DDoS mitigation via regional cleaning centers (Tech. Rep. No. RR04-ATL-013177). Sprint ATL Research Report.

Blunk, L., & Vollbrecht, J. (1998). PPP extensible authentication protocol (EAP) (RFC 2284). Retrieved December 25, 2006, from http://www.ietf.org/rfc/rfc2284.txt

Cable, G. (2004). Wi-Fi protected access data encryption and integrity. Retrieved December 17, 2006, from http://www.microsoft.com/technet/community/columns/cableguy/cg1104.mspx

Cam-Winget, N., Housley, R., Wagner, D., & Walker, J. (2003). Security flaws in 802.11 data link protocols. Communications of the ACM, 35-39.

Christos, D., & Aikaterini, K. (2003). DoS attacks and defense mechanism: Classifications and state-of-the-art. Computer Networks, 44, 643-666.

Craig, A. H. (2000). The latest in denial of service attacks: Smurfing description and information to minimize effects. Retrieved May 17, 2006, from http://www.pentics.net/denial-of-service/white-papers/smurf.cgi

Davidowicz, D. (1999). Domain name system (DNS) security. Retrieved June 23, 2006, from http://compsec101.antibozo.net/papers/dnssec/dnssec.html

Dierks, T., & Allen, C. (2006). The TLS protocol (RFC 2246). Retrieved December 7, 2006, from http://www.ietf.org/rfc/rfc2246.txt

Dworkin, M. (2004). Recommendation for block cipher modes of operation: The CCM mode of authentication and confidentiality. Retrieved November 17, 2006, from http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf

Earle, A. E. (2006). Wireless security handbook. Auerbach Publications, Taylor & Francis Group.

Fluhrer, S., Mantin, I., & Shamir, A. (2001). Weaknesses in the key scheduling algorithm of RC4. Retrieved July 25, 2005, from http://downloads.securityfocus.com/library/rc4_ksaproc.pdf

Fontana, J. (2007). Network World. Retrieved April 5, 2007, from http://www.networkworld.com/news/2007/011907-microsoft-secure-vpn-tunneling-protocol.html

Gast, M. (2002). 802.11 wireless networks—The definitive guide. CA: O’Reilly Media.

Greenhalgh, A., Handley, M., & Huici, F. (2005). Using routing and tunneling to combat DoS attacks. In Proceedings of the 2005 Workshop on Steps to Reducing Unwanted Traffic on the Internet.

Held, G. (2003). Securing wireless LAN. Sussex, England: John Wiley & Sons.

Hurton, M., & Mugge, C. (2003). Hack notes—Network security portable reference. CA: McGraw-Hill/Osborne.

In-Stat. (2006). In-stat market survey. Retrieved May 11, 2007, from http://www.in-stat.com
Chapter XI
Key Distribution and
Management for
Mobile Applications
György Kálmán
University Graduate Center – UniK, Norway
Josef Noll
University Graduate Center – UniK, Norway
ABSTRACT
This chapter deals with challenges raised by securing transport, service access, user privacy, and accounting in wireless environments. Key generation, delivery, and revocation possibilities are discussed
and recent solutions are shown. Special focus is on efficiency and adaptation to the mobil
Device domains in personal area networks and home networks are introduced to provide personal digital rights management (DRM) solutions. The value of smart cards and other security tokens are shown and
a secure and convenient transmission method is recommended based on the mobile phone
communication technology.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Key Distribution and Management for Mobile Applications
Protecting user data is of key importance for all communications, and especially for wireless communications, where eavesdropping, man-in-the-middle, and other attacks are much easier. With a simple wireless LAN (WLAN) card and corresponding software it is possible to catch, analyse, and potentially decrypt wireless traffic. The implementation of the first WLAN encryption standard wired equivalent privacy (WEP) had serious weaknesses. Encryption keys can be obtained through a laptop in promiscuous mode in less than a minute, and this can happen through a hidden attacker somewhere in the surrounding. Data protection is even worse in places with public access and on factory default WLAN access points without activated encryption. Standard Internet protocols as simple mail transport protocol (SMTP) messages are not encoded, thus all user data are transmitted in plaintext. Thus, sending an e-mail over an open access point has the same effect as broadcasting the content. With default firewall settings an intruder has access to local files, since the local subnet is usually placed inside the trusted zone. These examples emphasise that wireless links need some kind of traffic encryption.

When the first widespread digital cellular network was developed around 1985, standardisation of the global system for mobile communication (GSM) introduced the A5 cryptographic algorithms, which can nowadays be cracked in real-time (A5/2) or near real-time (A5/1). A further security threat is the lack of mutual authentication between the terminal and the network. Only the terminal is authenticated, the user has to trust the network unconditionally. In universal mobile telecommunications system (UMTS), strong encryption is applied on the radio part of the transmission and provides adequate security for current demands, but does not secure the transmission over the backbone. UMTS provides mutual authentication through an advanced mechanism for authentication and session key distribution, named authentication and key agreement (AKA).

A LONG WAY TO SECURE COMMUNICATION

Applying some kind of cryptography does not imply a secured access. Communicating parties must negotiate the key used for encrypting the data. It should be obvious that the encryption key used for the communication session (session key) cannot be sent over the air in plaintext (see Figure 1).

Figure 1. A basic problem of broadcast environment

In order to enable encryption even for the first message, several solutions exist. The simplest one, as used in cellular networks, is a preshared key supplied to the mobile terminal on forehand. This key can be used later for initialising of the security infrastructure and can act as a master key in future authentications.

In more dynamic systems the use of preshared keys can be cumbersome. Most of WLAN encryption methods support this kind of key distribution. The key is taken to the new unit with some kind of out of band method, for example with an external unit, as indicated in Figure 2. Practically all private and many corporate WLANs use static keys, allowing an eavesdropper to catch huge amounts of traffic and thus enable easy decryption of the content. This implies that a system with just a secured access medium can be easily compromised. Non-aging keys can compromise even the strongest encryption, thus it is recommended to renew the keys from time to time.

Outside the telecom world it is harder to distribute keys on forehand, so key exchange protocols emerged, which offer protection from the first message and do not need any preshared secret. The most widespread protocol is the Diffie-Hellman (DH) key exchange of Figure 2, which allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure communications channel.

This protocol does not authenticate the nodes to each other, but enables the exchange of data, which can be decoded only by the two parties. Malicious attackers may start a man-in-the-middle attack (see Figure 4). Since this problem is well-known, several modifications enable identity based DH, for example Boneh, Goh, and Boyen (2005) showed a hierarchical identity based encryption method, which is operating in fact as a public key system, where the public key is a user-chosen string.

Public key infrastructure (PKI) can help defending corresponding parties against man-in-the-middle attacks. Public key cryptography is based on the non polynomial (NP) time problems, for example of factorisation or elliptic curves. Two keys, a public and a private, are generated. The public key can be sent in plaintext, because messages encrypted with the public key can only be decoded by the private key and vice versa. The two way nature of public keys makes it possible to authenticate users to each other, since signatures generated with the public key can be checked with the public key. Message authenticity can be guaranteed. Still, the identity of the node is not proven. The signature proves only that the message was encoded by the node, which has a public key of the entity we may want to communicate with.

Identity can be ensured by using certificates. Certificate authorities (CA) store public keys and after checking the owner’s identity out of band, prove their identity by signing the public key and user information with their own keys. This method is required for financial transactions and business and government operations. Without a

Figure 2. (a) Diffie-Hellman key exchange and (b) out-of-band key delivery
Key Distribution and Management for Mobile Applications
Key Distribution and Management for Mobile Applications
Figure 4. TLS key negotiation data transferred over the radio interface beside the
high computing power needs.
In environments with limited resources, au-
thentication and identity management based on
preshared keys is still the most effective solution.
Badra and Hajjeh (2006) propose an extension to
TLS, which enables the use of preshared secrets
instead the use of asymmetric encryption. This is
in line with the efforts to keep resource needs at
the required minimum level in mobile devices. A
preshared key solution was also proposed by the
3rd Generation Partnership Projects (3GPP, 2004)
and (3GPP2, 2007) as an authentication method
for wireless LAN interworking. The problem with
the proposed solution is preshared keys does not
provide adequate secrecy nor identity protection in
Internet connections. To deal with this problem, the
Figure5.TLS-KEMkeynegotiation TLS-key exchange method (TLS-KEM) provides
identity protection, minimal resource need, and
full compatibility with the original protocol suite
as seen in Figure 6.
In direct comparison, the public key based
TLSneedsalotmorecomputing,datatraffic,and
deployment effort.
In UMTS networks, an array of authentication
keys is sent to the mobile in authentication vec-
tors. In the computer world a good solution would
be using hash functions to calculate new session
keys, as these consume low power and require
little computing.
least fixed environment, computational cost of key negotiations is usually neglected. For example, TLS uses several public key operations to negotiate a session key. This can be a problem for mobile devices, since computational cost is much higher in asymmetric encryption. The standard TLS suite uses lots of cryptographic operations and generates too large a message load on wireless links (see Figure 5).

If a mobile device wants to execute mutual authentication with a service provider, with certificate exchanges, it can lead to big amounts of

A moving terminal can experience a communication problem, as the overhead caused by key negotiation might extend the connection time to a network node. A preserved session key for use in the new network is a potential solution in a mobile environment, as it speeds up the node’s authentication. Lee and Chung (2006) recommend a scheme which enables the reuse of session keys. Based on the AAA infrastructure, it is possible to forward the key to the new corresponding AAA server on a protected network and use it for authentication without compromising system security. This can reduce the delay for connecting, and also reduces the possibility of authentication failure. Since the old session key can be used for authenticating the node towards the new AAA server, connection to the home AAA is not needed any more. The messages are exchanged as follows (Lee & Chung, 2006): when sending the authorisation request to the new network, the node also includes the old network address it had. The foreign agent connects to the new local AAA server and sends an authentication request. The new AAA server connects to the old one, sending a message to identify the user. The old AAA authenticates the message by checking the hash value included, and generates a nonce for the terminal and the foreign agent. The server composes an AAA-terminal answer, which is composed from a plain nonce, an encrypted nonce using the key shared between the old foreign agent and the terminal. Then the whole message is signed and encrypted with the key used between the two AAA servers. When the new AAA receives it, it decrypts and sends the message to the new foreign agent. Based on the plain nonce, the agent generates the key and sends down the reply, which includes also the nonce encrypted by the old AAA. After the authentication of the user towards the network, the user can start using services.

Key distribution and efficiency in e-commerce applications is another important aspect. The network’s AAA usually does not exchange information with third parties or cannot use the authentication data of the network access because of privacy issues. Current security demands require mutual identification of communicating parties in an e-commerce application. This can easily lead to compromising the customer to companies (for example in a GSM network, the user has to trust the network unconditionally). If the user can also check the identity of the service provider, at least man-in-the-middle attacks are locked out.

When a user starts a new session with a service provider, this session should be based on a new key set. The session key has to be independent from the previous one in means of traceability and user identity should not be deductible from the session key, thus ensuring user privacy. For mutual identification, a key exchange method is proposed by Kwak, Oh, and Won (2006), which uses hash values to reduce resource need. The key calculation is based on random values generated by the parties, which ensures key freshness.

The use of hash functions is recommended in mobile environments, providing better performances for public key based mechanisms (Lim, Lim, & Chung, 2006). Mobile IPv4 uses symmetric keys and hashes by default. Since symmetric keys are hard to manage, a certificate-based key exchange was recommended, but this demands more resources. To lower the resource demand, a composite architecture was recommended (Sufatrio, 1999). The procedure uses certificates only in places where the terminal does not require processing of the public key algorithm and does not require storage of the certificate.

The result of the comparison shows that hash is by far the most efficient method in terms of key generation, but suffers from management difficulties. Lim et al. (2006) also demonstrate that a pure certificate-based authentication is unsuitable for mobile environments. Partial use of certificates and identity-based authentication with extensive use of hash functions can be a potential way ahead.

AUTHENTICATION OF DEVICE GROUPS

In a ubiquitous environment, moving networks appear. PANs and ad hoc connections based on various preferences emerge and fall apart. These devices communicate with each other and have usually very limited capabilities in terms of computing power and energy reserves. In order to provide secure communication between any part of the network, hierarchical key management methods emerged (Kim, Ahn, & Oh, 2006). Here a single trusted server is used to manage the group key. These entities are usually storing the keys in a binary tree, where nodes are the leaves.

Public key operations are usually required when a terminal wants to connect to a group for the first time. A group management system needs frequent key generation rounds, because it has to ensure forward and backward secrecy. Strict key management policies ensure that no new node is capable of decoding former traffic and none of the old nodes have the possibility to decrypt current traffic. To adjust resource usage to mobile environment, a management scheme which uses mainly simple operations like XOR and hash is advisable (Kim et al., 2006). As the key in the root of the
to the threshold scheme shown before, but enables key revocation. If z nodes are accusing one node to be compromised, based on their own opinion, the node is forced to negotiate a new key. If a node reaches a threshold in number of regenerations in a time period, it could be locked out, since most likely an intruder is trying to get into the system or the internal security of the node is not good enough.

The assumptions about the system are strongly limiting the effectiveness of the solution. The most stringent assumption is that they require nodes to be in promiscuous mode. This can lead to serious energy problems. Another requirement is that there has to be a unit for out-of-band key distribution. This unit could be the cellular phone.

SMART CARDS AND CELLULAR OPERATORS

The use of smart cards has its roots in the basic problem of security infrastructures: even the most well designed system is vulnerable to weak passwords. A card, which represents a physical entity, can be much easier protected compared to a theoretical possession of a password. Smart cards integrate tamper resistant storage and cryptographic functions. They are usually initialised with a preshared key and creating a hash chain, where values can be used as authentication tokens.

The remote authentication server is using the same function to calculate the next member. The encryption key is the selection of a collision resistant hash function. While the tokens they provide are quite secure, a problem with smart cards is that they represent a new unit that has to be present in order to enable secure communication, and user terminals must be equipped with suitable readers. The additional hardware does not only cause interoperability problems, but is usually slow, as a measurement conducted shows (Badra & Hajjeh, 2006). This becomes eminent when high traffic is associated with asymmetric encryption; sending a “hello” message with standard TLS to the smart card needed 10 seconds. In contrast, the modified TLS-KEM needed 1.5 s.

A user-friendly, seamless key delivery system can be created with the help of cellular operators and SIM cards with enhanced encryption capabilities. The SIM and USIM modules used in GSM/UMTS are quite capable smart cards. They offer protected storage with the possibility of over the air key management, good user interface, and standard architecture. Danzeisen, Braun, Rodellar, and Winiker (2006) show the possible use of the mobile operator as trusted third party for exchanging encryption keys out of band for other networks.

Delivery of the mobile phone key to a different device can be problematic, since most devices do not have a SIM reader, or it is inconvenient to move the SIM card from the mobile phone to another device. New developments in near field communication may overcome this and enable short range secure key transfer.

BREAKING THE LAST CENTIMETRE BOUNDARY

Frequency of authentication request is a key factor in user acceptance. If a system asks permanently for new passwords or new values from the smart card hash chain, it will not be accepted by the user. On the other hand, if a device gets stolen and it asks for a password only when it is switched on, then a malicious person can impersonate the user for a long time. A potential solution is to create a wearable token with some kind of wireless transmission technology and define the device behaviour such that if the token is not accessible, it should disable itself in the very moment of notification.

Since the main challenge is not securing data transfer between the terminal and the network, but to authenticate the current user of the terminal, a personal token has to be presented. As proposed by Kálmán and Noll (2007), the mobile phone can be a perfect personal authentication token if it is extended by a wireless protocol for key distribution.

With the capabilities of user interaction, network control of the mobile phone, it can be ensured that critical operations will need user presence by requiring PINs or passwords. Possible candidates for key exchange are Bluetooth
a ubiquitous computing environment. In Computational Science and Its Applications—ICCSA 2006 (LNCS 3983).

Kwak, J., Oh, S., & Won, D. (2006). Efficient key distribution protocol for electronic commerce in mobile communications. In Applied Parallel Computing (LNCS 3732).

Lee, J.-H., & Chung, T.-M. (2006). Session key forwarding scheme based on AAA architecture in wireless networks. In Parallel and Distributed Processing and Applications (LNCS 4330).

Lim, J.-M., Lim, H.-J., & Chung, T.-M. (2006). Performance evaluation of public key based mechanisms for mobile IPv4 authentication in AAA environments. In Information Networking. Advances in Data Communications and Wireless Networks (LNCS 3961).

Nicholson, A. J., Corner, M. D., & Noble, B. D. (2006). Mobile device security using transient authentication. IEEE Transactions on Mobile Computing, 5(11), 1489-1502.

Noll, J., Ribeiro, V., & Thorsteinsson, S. E. (2005). Telecom perspective on scenarios and business in home services. In Proceedings of the Eurescom Summit 2005 (pp. 249-257).

Nützel, J., & Beyer, A. (2006). How to increase the security of digital rights management systems without affecting consumer’s security. In Emerging Trends in Information and Communication Security (LNCS 3995).

Pfeifer, T., Savage, P., Brazil, J., & Downes, B. (2006). VidShare: A management platform for peer-to-peer multimedia asset distribution across heterogeneous access networks with intellectual property management. In Autonomic Management of Mobile Multimedia Services (LNCS 4267).

Phillips, T., Karygiannis, T., & Kuhn, R. (2005). Security standards for the RFID market. IEEE Security & Privacy Magazine, 3(6), 85-89.

Popescu, B. C., Crispo, B., Tanenbaum, A. S., & Kamperman, F. L. A. J. (2004). A DRM security architecture for home networks. In Proceedings of the 4th ACM workshop on Digital rights management, Washington, DC.

Ren, K., Lou, W., Kim, K., & Deng, R. (2006). A novel privacy preserving authentication and access control scheme for pervasive computing environments. IEEE Transactions on Vehicular Technology, 55(4), 1373-1384.

Rieback, M. R., Gaydadjiev, G. N., Crispo, B., Hofman, R. F. H., & Tanenbaum, A. S. (2006, December 3-8). A platform for RFID security and privacy administration. Paper presented at the 20th USENIX/SAGE Large Installation System Administration Conference—LISA 2006, Washington, DC.

Sufatrio, K. Y. L. (1999, June 23-25). Registration protocol: A security attack and new secure minimal public-key based authentication. Paper presented at the International Symposium on Parallel Architectures, Algorithms and Networks, ISPAN’99. Fremantle, Australia.

Sur, C., & Rhee, K. H. (2006). An efficient authentication and simplified certificate status management for personal area networks. In Management of Convergence Networks and Services (LNCS 4238).

Zou, X., Thukral, A., & Ramamurthy, B. (2006). An authenticated key agreement protocol for mobile ad hoc networks. In Mobile Ad-hoc and Sensor Networks (LNCS 4325).

KEY TERMS

Diffie-Hellman Key Exchange: Diffie-Hellman key exchange is a procedure, which allows negotiating a secure session key between parties, who do not have any former information about each other. The negotiation messages are in band, but because of the non-polynomial (NP) problem used in the procedure, adversaries are not able to compromise it.

Mutual Authentication: Mutual authentication occurs when the communicating parties can mutually check each other's identity, thus reducing
Chapter XII
Architecture and Protocols for
Authentication, Authorization,
and Accounting in the Future
Wireless Communications
Networks
Said Zaghloul
Technical University Carolo-Wilhelmina – Braunschweig, Germany
Admela Jukan
Technical University Carolo-Wilhelmina – Braunschweig, Germany
ABSTRACT
The architecture and protocols for authentication, authorization, and accounting (AAA) are one of the most important design considerations in third generation (3G)/fourth generation (4G) telecommunication networks. Many advances have been made to exploit the benefits of the current systems based on the protocol remote authentication dial in user service (RADIUS) protocol, and the evolution to migrate into the more secure, robust, and scalable protocol Diameter. Diameter is the protocol of choice for the IP multimedia subsystem (IMS) architecture, the core technology for the next generation networks. It is envisioned that Diameter will be widely used in various wired and wireless systems to facilitate robust and seamless AAA. In this chapter, we provide an overview of the major AAA protocols RADIUS and Diameter, and we discuss their roles in practical 1xEV-DO network architectures in the network tiers: access, distribution, and core. We conclude the chapter with a short summary of the current and future trends related to the Diameter-based AAA systems.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Figure 1. 1xEV-DO reference network architecture (diagram not reproduced). Labels in the diagram: BTS 1 to BTS 6 on T1 circuits, RNC, AN/AAA (RADIUS) on A12, PDSN (FA) on A10/A11, MIP tunnel to the HA, Diameter translation agents (TA), failover link, SFTP to the billing system, users DB, IMS, multimedia domain (MMD), Internet, 1xEV-DO radio access network (RAN).

Acronyms
BTS: Base Transceiver Station
RNC: Radio Network Controller
AN/AAA: Access Network AAA
PDSN: Packet Data Serving Node
MIP: Mobile IP
FA: Foreign Agent
HA: Home Agent
TA: Diameter Translation Agent
IMS: IP Multimedia Subsystem
SFTP: Secure File Transfer Protocol
SQL: Structured Query Language
based on the MN-AAA shared secret and responds to the PDSN. In case of successful authentication, the PDSN proceeds with the MobileIP registration process with the HA and establishes a MobileIP tunnel to serve the user’s traffic. At this point, the PDSN starts to generate accounting towards the AAA server to reflect the subscriber’s usage. Accounting data is reformatted and is communicated to the upstream billing systems for further processing. Here, we assume simple secure FTP (SFTP) communication. Note that the PDSN also connects to multiple AAA’s for redundancy purposes. In our illustrative architecture, the PDSN implements the Diameter MobileIP application and thus needs no translation functionality.

In this illustrative reference architecture, RADIUS is deployed in the access tier and translation agents were utilized to convert between RADIUS and Diameter, while Diameter applications at the distribution and network tiers were natively supported. Following this example, we organize the chapter as follows. First, we present the AAA concept and quickly survey RADIUS and its current deployment features. Then, we discuss the evolution from RADIUS to Diameter and shortly review the current Diameter standard. Afterwards, we illustrate a prospective end-to-end application of Diameter at all the three major network tiers in the wireless network, including access, distribution, and core. Finally, we summarize the chapter and discuss open issues and future work.

BACKGROUND

The RADIUS Protocol

AAA systems received significant attention from network service providers throughout the past decade. The need for a standardized, simple, and scalable protocol that accomplishes the required AAA functionality was the main motivation for the introduction of the (RADIUS) protocol (Rigney, 2000; Rigney Willens, Rubens, & Simpson, 2000; RFC2866). In 1998, RADIUS was the only protocol that seemed to satisfy the IETF NASREQ working group’s requirements for authentication and authorization (Rigney, 1998). Due to its wide implementation by many networking equipment vendors, its simplicity and scalability, it became the protocol of choice for many service providers. RADIUS was quickly extended to support various networking protocols such as MobileIP (Perkins, 2002), IP security (IPsec) (Kent & Seo, 2005), and the IEEE 802.1x authentication.
[Figure 2 (diagram not reproduced). Labels in the diagram: user on PSTN/PPP, NAS, Internet, RADIUS traffic (authentication and authorization, accounting), AAA server, users’ database (SQL, LDAP), billing systems (S/FTP, SQL).]
In RADIUS, after the user is granted access, the network access server (NAS) generates accounting messages based on the user’s activity. The NAS is usually the gateway to the IP network. Routers, WiFi access points (APs), PDSNs, and gateway general packet radio service (GPRS) support nodes (GGSN) in GPRS networks, are typical examples of NASs in telecom networks. As shown in Figure 2, a user tries to access the Internet through a dialup modem connection. The PPP protocol is mainly used to establish the communication between the user and the NAS, that is, the router in this example. The NAS attempts to authenticate the user either through the password authentication protocol (PAP) or the challenge handshake authentication protocol (CHAP). Upon obtaining the responses from the client, the NAS generates an Access-Request and sends it to the RADIUS server in order to validate the user’s responses. Typically, the RADIUS server is connected to an external database that contains the user’s credentials and authorized services. Thus, the RADIUS server returns an Access-Accept message if the user credentials are valid, otherwise it returns an Access-Reject. The Access-Accept message may contain authorization information. For example, an Access-Accept message may contain: filters to grant the user access to internal networks, specific routing instructions to the NAS, quality of service (QoS) settings, and so forth. This authorization set is returned as a group of attribute value pairs (AVP) in the Access-Accept message.2 Once the user is granted access, the NAS generates accounting messages based on user’s activity (connection time, total bytes used, etc).

The RADIUS message format is shown in Figure 3. It consists of a 20 octet header followed by multiple AVPs. AVPs include standardized types and values. For example, the username is passed to the AAA server using the User-Name attribute. To allow expandability, the AVP type 26 is reserved for vendor-specific AVPs (VSAs). Thus, a vendor requests a Vendor ID from the Internet Assigned Numbers Authority (IANA) to be able to define specific attributes for his equipment. The following are sample vendor ID values: Cisco (9), Nortel (2637), 3GPP (10415), and 3GPP2 (5535). Usually, AAA implementations include dictionary files that define the AVP type and the expected values, for example refer to Braunöder (2003). RADIUS accounting is composed of three primary message types: (1) Accounting-Start, (2) Accounting-Interim, and (3) Accounting-Stop. Accounting messages usually carry the user’s session information. For example, in CDMA2000-based systems accounting messages may contain the user’s assigned IP address; user’s sent and received byte counts; user’s electronic serial number; calling and called station numbers; accounting session ID; BS ID; and so forth (3GPP2 A.S0008-B, 2006; 3GPP2 X.S0011-005-C, 2006). Note that the electronic serial number and the BS ID attributes are 3GPP2 VSAs augmented to the standard RADIUS AVPs.
[Figure 3 (diagram not reproduced). Fields shown: Code, ID, Length, Authenticator, which form the RADIUS header (20 octets), followed by multiple AVPs.]

Notes
- The authenticator field is a random nonce in the requests, while in the responses it is an MD5 hash calculated using the shared secret between the NAS and the AAA server and the random nonce from the corresponding requests.
- An Access-Challenge is usually used when multiple round trips are needed for authentication, for example RADIUS extensions for EAP.
- Accounting requests are identified by the value of the Acct-Status-Type attribute (AVP 40) {1=Start, 2=Stop, 3=Interim}.
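The RADIUS message format and the authenticator note above, worked through as an added example (not code from the chapter or from any RADIUS implementation): a parser for the 20-octet header and the AVPs, including type 26 vendor-specific AVPs, plus the MD5 response-authenticator check. The packets, shared secret, fixed nonce and vendor sub-attribute type 1 are constructed for illustration; Idle-Timeout as AVP type 28 and the hash input order follow RFC 2865.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20  # Code(1) + ID(1) + Length(2) + Authenticator(16)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, IDLE_TIMEOUT, VENDOR_SPECIFIC = 1, 28, 26
VENDORS = {9: "Cisco", 10415: "3GPP", 5535: "3GPP2"}  # vendor IDs quoted in the text


def avp(avp_type, value):
    """Type(1) + Length(1, counts its own two octets) + Value."""
    if len(value) > 253:
        raise ValueError("AVP value longer than 253 octets")
    return struct.pack("!BB", avp_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """AVP type 26: Vendor-Id(4) followed by one vendor sub-attribute."""
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + avp(vendor_type, value))


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + authenticator + attrs


def parse(packet):
    """Split a datagram into header fields and AVPs; reject inconsistent lengths."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= len(packet):
        raise ValueError("Length field does not fit the datagram")
    body, avps, pos = packet[HEADER_LEN:length], [], 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated AVP header")
        avp_type, avp_len = body[pos], body[pos + 1]
        if avp_len < 2 or pos + avp_len > len(body):
            raise ValueError("AVP length runs past the packet")
        value = body[pos + 2:pos + avp_len]
        if avp_type == VENDOR_SPECIFIC:
            if len(value) < 6 or value[5] < 2 or 4 + value[5] > len(value):
                raise ValueError("malformed vendor-specific AVP")
            vendor_id = struct.unpack("!I", value[:4])[0]
            avps.append({"type": 26, "vendor": VENDORS.get(vendor_id, vendor_id),
                         "vendor_type": value[4], "value": value[6:4 + value[5]]})
        else:
            avps.append({"type": avp_type, "value": value})
        pos += avp_len
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:HEADER_LEN], "attrs": body, "avps": avps}


def verify_response(response, request, secret):
    """True only if the response matches the request ID and carries the right MD5."""
    req, rsp = parse(request), parse(response)
    if rsp["id"] != req["id"]:
        return False
    expected = response_authenticator(rsp["code"], rsp["id"], rsp["attrs"],
                                      req["authenticator"], secret)
    return hmac.compare_digest(expected, rsp["authenticator"])


# --- constructed sample exchange (not captured traffic) ---
SECRET = b"constructed-shared-secret"
REQUEST_NONCE = bytes(range(16))  # fixed for repeatability; a NAS uses a random nonce
REQUEST = build(ACCESS_REQUEST, 42, REQUEST_NONCE, avp(USER_NAME, b"alice@example.net"))
ACCEPT_ATTRS = (avp(IDLE_TIMEOUT, struct.pack("!I", 4000))
                + vsa(5535, 1, b"demo"))  # vendor type 1 is a made-up sub-attribute
ACCEPT = build(ACCESS_ACCEPT, 42,
               response_authenticator(ACCESS_ACCEPT, 42, ACCEPT_ATTRS, REQUEST_NONCE, SECRET),
               ACCEPT_ATTRS)
# A change to an authorization AVP in transit (Idle-Timeout 4000 -> 4001) breaks the hash.
TAMPERED = ACCEPT[:25] + b"\xa1" + ACCEPT[26:]

if __name__ == "__main__":
    print(parse(ACCEPT)["avps"])
    print("genuine :", verify_response(ACCEPT, REQUEST, SECRET))
    print("tampered:", verify_response(TAMPERED, REQUEST, SECRET))
```

The check binds a response to one request and to the shared secret only; it gives no confidentiality for the AVPs and depends entirely on the strength of that secret.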
RADIUS offers reliability over the intrinsically unreliable user datagram protocol (UDP)3 by requiring a response for each request. If a response is not received within a predefined time period (TO), the request times out. It is then up to the requestor (RADIUS client) to either retry the same server, another RADIUS server, or even drop the request. The timeout value and the maximum number of allowed retransmissions are configurable parameters at the client. It is noteworthy to mention that the failover mechanism was not standardized in RADIUS and often raised interoperability issues due to the inherent differences in the AAA implementations (Calhoun, Loughney, Guttman, Zorn, & Arkko, 2003).

RADIUS follows a client/server model where clients may be NASs or other RADIUS servers. RADIUS clients and servers share a common secret to secure their communications. This method is weak and is only intended to secure communication within a trusted network.4 Sometimes an AAA server serves as a RADIUS client/proxy when it is provisioned with a policy instructing it to forward the request to another RADIUS server. Such policies are occasionally based on the domain in the user’s network access identifier (NAI). Standards (Aboba & Vollbrecht, 1999) refer to this setup as the proxy-chain configuration. For instance, in a roaming scenario the host AAA is usually configured to forward AAA requests from the hosting NAS to the home AAA. Note that multiple proxies may be traversed along the path to the home AAA server as shown in Figure 4.

Figure 4. Proxy chain configuration (diagram not reproduced). The Access-Request travels from the RADIUS NAS in the visited network through the visited network’s host AAA and RADIUS Proxy 1 and Proxy 2 in the intermediate broker network to the home RADIUS AAA server in the home network; the Access-Accept returns along the same path.

Evolution from RADIUS to Diameter

Diameter Protocol Overview

As network architectures evolved and with the tremendous growth in the wireless data infrastructures, secure inter-domain communication among various AAA servers to exchange subscribers’ credentials, profiles, and accounting information became an absolute necessity. Despite its tremendous success, RADIUS inherent security vulnerabilities, its questionable transport reliability, and its limited redundancy support were the primary reasons for the introduction of the Diameter protocol (Calhoun et al., 2003) as a substitute protocol. Diameter was carefully designed to address security and reliability while thoroughly exploiting the benefits of RADIUS. Thus, secure transmission mechanisms using a choice of IPsec or transport layer security (TLS) protocols were integrated into Diameter, while reliable transport was enhanced by designing Diameter to run over either stream control transmission protocol (SCTP) or transmission control protocol (TCP) supported by standardized failover and failback (recovery) mechanisms.

Figure 5. Diameter protocol (diagram not reproduced). The legend marks the fields carried over from RADIUS. Command flags: R (request; answer = 0), P (proxiable; local only = 0), E (error), T (potentially retransmitted), followed by 4 reserved bits. AVP flags: V (vendor specific), M (mandatory), P (requires end-to-end security), remaining bits reserved.

Diameter RFC reused many of the RADIUS message codes and attributes and extended them. Figure 5 shows Diameter’s header format. The framed fields in Figure 5 are those carried over from RADIUS. In contrast to RADIUS, note the introduction of the Version, Command Flags, Application ID, Hop-By-Hop ID, and End-to-End ID fields in Diameter. Also note the increase in size of the message length field (from 2 octets in RADIUS to 3 in Diameter). Note also that the authenticator
field is no longer present as security is guaranteed by the integrated IPsec and TLS protocols. Command codes in Diameter start from 257 to maintain compatibility with RADIUS. Unlike in RADIUS, the requests and answers have the same command codes in Diameter, for example, the accounting request (ACR) and answer (ACA) commands have the command-code of 271. Diameter nodes can recognize message types (e.g., whether it is ACA or ACR) based on the “R” flag in the command flags shown in Figure 5. The “P” flag instructs nodes whether a message must be processed locally and should not be forwarded. The “E” flag along with the result-code AVP is used to indicate errors (and possibly redirection as we will see later). Finally, the “T” flag is used to indicate a possible duplication in case of retransmissions after a failover. Figure 5 also shows Diameter’s AVP structure. The most significant addition is the inclusion of the flags field.

Diameter Agents

To facilitate migration from the current RADIUS infrastructure, Diameter offers indirect backward compatibility by introducing translation agents to convert RADIUS messages into Diameter messages and vice versa. Besides the main incentive of reusing as much of the RADIUS codes and attributes as possible for simpler migration, such reuse is also beneficial in reducing the amount of processing on the translation agents. Diameter supports a broader definition of scalability to suit roaming scenarios by including relay and redirect agents while still maintaining the RADIUS proxy agent model, therefore allowing the deployment of different architectures.

A proxy agent is used to forward Diameter traffic to another Diameter peer in order to handle the request. The decision to forward requests is policy based as in RADIUS. Proxy agents may modify packets and may originate rejection messages in case of policy violation, for example, in case of receiving requests from unknown realms. On the other hand, relay agents only forward requests without modifying any of the non-routing attributes. Relays and proxies are required to append the route-record AVP with the identity of the peer it received the request from prior to forwarding it. The reader is encouraged to refer to Calhoun et al. (2003) for more information on routing AVPs and their usage. Finally redirect agents, as their name implies, are used to refer clients to alternative AAAs. Redirect agents may act as proxies or end servers for other requests. For example, an AAA server may handle the Diameter base accounting messages while redirecting requests that require Diameter server support for MobileIP.

Figure 6 summarizes the functionality of Diameter agents and illustrates the message flow in order of transmission. In Figure 6a, the relay agent only forwards the Diameter Authentication and Authorization Request (AAR) to Provider’s B Diameter server. In Figure 6b, the proxy agent has an outbound policy for AAR to add or override the session Idle-Timeout attribute to 4,000 seconds and maximum link MTU to 1,300 bytes. It is also configured with an inbound policy for the Authentication and Authorization Answers (AAA) to remove any instructions for compression. Figure 6c shows the translation agent’s role. Note that a translation agent may at the same time act as a proxy, that is, add, modify, or remove AVPs while converting between RADIUS and Diameter. Finally, as shown in Figure 6d, the Diameter client issues an AAR towards the redirect agent. Once received, the redirect agent sends back an AAA with the “E” flag set with the result-code AVP set to DIAMETER_REDIRECT_INDICATION instructing the Diameter client to contact dest.com by using the Redirect-Host AVP. A redirect agent may also provide indication on the usage of the redirect instruction, that is, whether its response is meant for all realms or simply restricted for the request’s realm, whether the redirection policy should be cached at the requestor (Client), and for how long, and so forth.

Server Initiated Messages in Diameter

Unlike RADIUS, Diameter is a peer-to-peer protocol where any Diameter node may act as a client or server at any time. Peers are simply the next hop nodes that a Diameter node communicates with. A significant improvement over RADIUS is that Diameter has mandatory support of server-initiated messages to allow operations like re-authentication
Figure 6. Diameter agents’ operation (diagram not reproduced). Panel notes: the relay makes no change to any non-routing attributes; the proxy modifies Diameter messages, adding or overriding Idle-Timeout and Framed-MTU in the AAR and removing Framed-Compression from the AAA.
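The Diameter header and the command and AVP flags described in the protocol overview (Figure 5), parsed from a constructed message as an added example (not code from the chapter or from a Diameter stack). Host names, identifiers and the vendor AVP with code 1 are made up; the field widths, flag bits, application ID 3 for base accounting and AVP codes 264 (Origin-Host) and 282 (Route-Record) follow RFC 3588.

```python
import struct

HEADER_LEN = 20  # Version(1) Length(3) Flags(1) Code(3) App-ID(4) Hop-by-Hop(4) End-to-End(4)
CMD_FLAGS = (("R", 0x80), ("P", 0x40), ("E", 0x20), ("T", 0x10))
AVP_FLAGS = (("V", 0x80), ("M", 0x40), ("P", 0x20))
ACCOUNTING = 271                       # ACR and ACA share this command code
ORIGIN_HOST, ROUTE_RECORD = 264, 282   # base-protocol AVP codes


def u24(value):
    return value.to_bytes(3, "big")


def flag_names(value, table):
    return "".join(name for name, bit in table if value & bit)


def encode_avp(code, flags, data, vendor_id=None):
    """Code(4) + Flags(1) + Length(3) [+ Vendor-ID(4)] + Data, zero-padded to 32 bits."""
    vendor = b"" if vendor_id is None else struct.pack("!I", vendor_id)
    if vendor:
        flags |= 0x80  # the V flag announces the Vendor-ID field
    head = struct.pack("!IB", code, flags) + u24(8 + len(vendor) + len(data))
    return head + vendor + data + b"\x00" * (-len(data) % 4)


def encode_message(flags, command, app_id, hop_by_hop, end_to_end, avps):
    body = b"".join(avps)
    return (b"\x01" + u24(HEADER_LEN + len(body)) + bytes([flags]) + u24(command)
            + struct.pack("!III", app_id, hop_by_hop, end_to_end) + body)


def parse_message(data):
    """Decode the header and AVPs; reject lengths that do not add up."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the 20-octet Diameter header")
    version, length = data[0], int.from_bytes(data[1:4], "big")
    flags, command = data[4], int.from_bytes(data[5:8], "big")
    app_id, hop_by_hop, end_to_end = struct.unpack("!III", data[8:HEADER_LEN])
    if version != 1:
        raise ValueError("unsupported Diameter version")
    if length % 4 or not HEADER_LEN <= length <= len(data):
        raise ValueError("message length is inconsistent")
    avps, pos = [], HEADER_LEN
    while pos < length:
        if length - pos < 8:
            raise ValueError("truncated AVP header")
        code, avp_flags = struct.unpack("!IB", data[pos:pos + 5])
        avp_len = int.from_bytes(data[pos + 5:pos + 8], "big")
        head = 12 if avp_flags & 0x80 else 8
        if avp_len < head or pos + avp_len > length:
            raise ValueError("AVP length runs past the message")
        vendor = struct.unpack("!I", data[pos + 8:pos + 12])[0] if head == 12 else None
        avps.append({"code": code, "flags": flag_names(avp_flags, AVP_FLAGS),
                     "vendor": vendor, "data": data[pos + head:pos + avp_len]})
        pos += avp_len + (-avp_len % 4)  # skip the padding to the next 32-bit boundary
    kind = "R" if flags & 0x80 else "A"  # same command code, told apart by the R flag
    name = "AC" + kind if command == ACCOUNTING else "%d/%s" % (command, kind)
    return {"name": name, "flags": flag_names(flags, CMD_FLAGS), "length": length,
            "command": command, "application_id": app_id,
            "hop_by_hop": hop_by_hop, "end_to_end": end_to_end, "avps": avps}


# --- constructed accounting request (not captured traffic) ---
ACR = encode_message(0xC0, ACCOUNTING, 3, 0x11111111, 0x22222222, [
    encode_avp(ORIGIN_HOST, 0x40, b"pdsn1.example.net"),
    encode_avp(ROUTE_RECORD, 0x40, b"relay.example.net"),
    encode_avp(1, 0x00, b"demo", vendor_id=10415),  # made-up vendor AVP, 3GPP vendor ID
])
ACA = ACR[:4] + bytes([ACR[4] & 0x7F]) + ACR[5:]         # R cleared: the answer
RETRANSMIT = ACR[:4] + bytes([ACR[4] | 0x10]) + ACR[5:]  # T set: resent after a failover

if __name__ == "__main__":
    for label, message in (("request", ACR), ("answer", ACA), ("resent", RETRANSMIT)):
        parsed = parse_message(message)
        print(label, parsed["name"], parsed["flags"], parsed["length"])
```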
Diameter by introducing the concept of Diameter applications.

It is important to understand that RFC 3588 defines the minimum prerequisites for a Diameter node implementation and may be used by itself only for accounting. In case of authentication and authorization, a Diameter node must implement a specific application. The most common applications are Diameter NAS (Calhoun, Zorn, Spence, & Mitton, 2005) and MobileIPv4 (Calhoun, Johansson, Perkins, Hiller, & McCann, 2005). The Diameter NAS application defines NAS-related requirements where PPP-based authentication/authorization is needed. Diameter MobileIPv4 application defines AAA functionality in scenarios where users roam into foreign provider networks. The concept of Diameter applications was employed in many areas, and the following is a summary of three major Diameter applications:

• Diameter credit control application (Hakala, Mattila, Koskinen, Stura, & Loughney, 2005) is proposed to handle online billing for prepaid solutions. Prepaid billing implies real-time rating for the requested service, user’s balance validation, and service suspension once the user’s account is exhausted. Debiting and crediting are also supported for some applications such as gaming. Note that Diameter accounting defined in Calhoun et al. (2003) is mostly suitable for postpaid services where off-line processing of accounting records is performed.
• Diameter EAP (Eronen, Hiller, & Zorn, 2005) is used to support end-to-end authentication in dial-up, 802.1x, 802.11i, and in IPsec IKEv2. It eliminates the possibility of man-in-the-middle attacks if node is compromised within a proxy chain.
• The Diameter Session Initiation Protocol (SIP) application (Garcia-Martin, Belinchon, Pallares-Lopez, Canales-Valenzuela, & Tammi, 2006) supports HTTP digest authentication (RFC2617) mandated by SIP (Rosenberg et al., 2002) to allow SIP user agents and proxies to authenticate and authorize user’s requests to access certain resources. This application does not depend on the Diameter NAS nor MobileIPv4 applications, whereas it supports the Diameter credit control application but does not depend on it. Moreover, Diameter SIP allows locating SIP servers when a SIP agent requests routing information. Finally, it provides a mechanism for pushing updated user profiles to the serving SIP server in case the profile is (administratively) updated.

Finally, it is extremely important to understand that Diameter applications need to be defined only when none of the existing Diameter applications can support the required message flow without major modifications. Such major changes include adding new mandatory AVPs, commands requiring different message flows from any of the currently defined applications, or requiring support for new authentication methods with new AVPs (Fajardo & Ohba, 2006).

Protocol Mechanisms

Diameter Peer Discovery

Diameter offers three primary means to discover Diameter peers: static, Service Location Protocol Version 2 (SLPv2) queries, and domain name system. Thus, a peer table entry is created after peer discovery is executed. Note that peer discovery may be triggered upon the reception of a CER. In some cases, policies may allow establishing connections with unknown peers. In this case, the peer table entry is built from the peer’s identity in the CER and expires as soon as the connection is closed. In most of the cases, peer table entries for known peers are created along with their advertised applications. Thus, only requests for advertised applications are forwarded to these peers.

Diameter Policies

Routing tables provide guidance to the Diameter node on how to process a received request. Figure 7 illustrates an example realm routing table for Relay/Proxy Agent. Note that a policy includes a realm, an application identifier, and an action. When forwarding is needed, the next hop server is given and whether the route entry was statically or dynamically discovered (through a redirect, for example), along with its expiration time. The
Architecture and Protocols for AAA
RealmName=myMIPdomain.com, ApplicationID=MobileIPv4,
Action=REDIRECT, Next-Hop=ServerMIP.com,
Dynamic:ExpirationTime=900
RealmName=myMIPdomain.com, ApplicationID=DiameterNAS,
Action=PROXY, Next-Hop=ServerACT.com, Static, Proxy_Policy =
{outbound[Idle-Timeout=400],inbound[remove framed-compression]}
default policy in case no route is available is to return an error message with the DIAMETER_UNABLE_TO_DELIVER result code.
Diameter Request Routing
Diameter request routing refers to the process needed when originating, sending, and receiving requests. When originating a request, the Diameter node sets the Application-ID, the Origin-Host and Origin-Realm AVPs along with the Destination-Host and/or realm. When receiving a message, the node checks the route-record AVP to make sure that there are no routing loops.⁶ It also checks whether it is the ultimate destination of the message. If not, the node acts as an agent and according to its policy it relays, proxies, or redirects the message. Each forwarded (i.e., proxied⁷ or relayed) message is updated with a locally generated hop-by-hop identifier. This field is used to match the requests and answers. Answers are routed opposite to how requests are routed and using the hop-by-hop identifiers the expected answers at each hop are recognized. Using the hop-by-hop identifier and the saved sender’s information, the answer is forwarded back to the previous node with the hop-by-hop identifier restored to its original value. This process ends once a node finds its identity in the origin-host.
a primary server and multiple secondary servers for redundancy. When a communication problem is detected, a secondary server is promoted to primary and the primary is suspended. Notice that this is important to guarantee consistent failover for all requests.
The link is considered responsive as long as acknowledgements arrive. If the link is idle for “tw” seconds then a device watchdog request (DWR) is sent. If no device watchdog answer (DWA) arrives in “tw” seconds, the primary is suspended, the secondary server is promoted, and all subsequent communication is sent to the promoted server. Note that outstanding messages may be sent on the failover link and in this case the “T” flag is set in each message to indicate (to the end server) that such messages may be duplicates. If another “tw” seconds pass without receiving the DWA on the suspended primary link, then the transport connection is closed. The connection may be retried periodically, but for reopened connections, a connection validation procedure must be initiated. In this case, three watch-dog messages must be answered before failing back to the original primary link (Aboba & Wood, 2003; Calhoun et al., 2003).
A Summary of Diameter’s Session Management and Accounting
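The request-routing rules of the Diameter Policies and Diameter Request Routing sections before this heading, as an added example that is not the chapter's or any Diameter implementation's code. The class and field names, the hosts under `visited.example` and the starting value of the local identifier counter are assumptions; the two routes are the Figure 7 entries, and recording the previous hop in the route record follows RFC 3588.

```python
from dataclasses import dataclass, replace
from itertools import count

UNABLE_TO_DELIVER = "DIAMETER_UNABLE_TO_DELIVER"
LOOP_DETECTED = "DIAMETER_LOOP_DETECTED"

# The two Figure 7 entries: (realm, application) -> (action, next hop, lifetime).
# lifetime None marks a static entry; a number is the expiration time in seconds.
FIGURE7_ROUTES = {
    ("myMIPdomain.com", "MobileIPv4"): ("REDIRECT", "ServerMIP.com", 900),
    ("myMIPdomain.com", "DiameterNAS"): ("PROXY", "ServerACT.com", None),
}


@dataclass(frozen=True)
class Request:
    application: str
    origin_host: str
    dest_realm: str
    hop_by_hop: int
    route_record: tuple = ()  # identities of the hops already traversed


class Agent:
    """Relay/proxy agent holding a realm routing table (hypothetical model)."""

    def __init__(self, identity, routes, learned_at=0):
        self.identity = identity
        self.routes = dict(routes)
        self.learned_at = learned_at   # time the dynamic entries were discovered
        self.local_ids = count(1000)   # locally generated hop-by-hop identifiers
        self.pending = {}              # local id -> (previous hop, original id)

    def route(self, req, received_from, now=0):
        """Return (verdict, detail, forwarded request or None)."""
        # Loop check first: our own identity in the route record means the
        # request has already passed through this node (endnote 6).
        if self.identity in req.route_record:
            return ("ERROR", LOOP_DETECTED, None)
        key = (req.dest_realm, req.application)
        entry = self.routes.get(key)
        if entry and entry[2] is not None and now - self.learned_at >= entry[2]:
            del self.routes[key]       # dynamically discovered entry has expired
            entry = None
        if entry is None:              # default policy when no route is available
            return ("ERROR", UNABLE_TO_DELIVER, None)
        action, next_hop, _lifetime = entry
        if action == "REDIRECT":       # the sender is told where to go itself
            return ("REDIRECT", next_hop, None)
        # PROXY: remember who sent the request and under which identifier, then
        # forward it under a fresh local identifier with the sender recorded.
        local_id = next(self.local_ids)
        self.pending[local_id] = (received_from, req.hop_by_hop)
        forwarded = replace(req, hop_by_hop=local_id,
                            route_record=req.route_record + (received_from,))
        return ("FORWARD", next_hop, forwarded)

    def answer(self, hop_by_hop):
        """Match an answer to its request: (previous hop, restored id) or None.

        None means no request is outstanding under that identifier, so an
        unsolicited or replayed answer is not forwarded anywhere.
        """
        return self.pending.pop(hop_by_hop, None)


if __name__ == "__main__":
    proxy = Agent("proxy.visited.example", FIGURE7_ROUTES)
    nas = "nas1.visited.example"       # constructed host name
    req = Request("DiameterNAS", nas, "myMIPdomain.com", hop_by_hop=7)
    verdict, next_hop, fwd = proxy.route(req, received_from=nas)
    print(verdict, next_hop, fwd.hop_by_hop, fwd.route_record)
    print("answer goes back to:", proxy.answer(fwd.hop_by_hop))
    print("replayed answer:", proxy.answer(fwd.hop_by_hop))
```

Because the pending entry is removed when the first answer is matched, a second answer carrying the same hop-by-hop identifier has nowhere to go and is dropped.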
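The watchdog failover timeline described before this heading (DWR after “tw” idle seconds, failover with the “T” flag, connection close, and three answered watchdogs before failing back), as an added example that is not code from the chapter. The class, its method names and the integer clock are assumptions; failing back directly when a DWA arrives on a link that is still suspended follows RFC 3539 rather than the chapter text.

```python
class WatchdogLink:
    """Client-side view of a primary/secondary server pair, driven by an explicit clock."""

    def __init__(self, tw):
        self.tw = tw
        self.state = "OKAY"        # OKAY, WAIT_DWA, SUSPENDED, CLOSED, REOPENED
        self.active = "primary"    # server that receives new requests
        self.timer_started = 0     # start of the current tw interval
        self.unanswered = []       # requests sent to the primary, no answer yet
        self.validated = 0         # watchdogs answered on a reopened connection
        self.wire = []             # (server, message, t_flag) actually sent

    def send(self, request):
        self.wire.append((self.active, request, False))
        if self.active == "primary":
            self.unanswered.append(request)

    def on_answer(self, request, now):
        """Any acknowledgement from the primary shows the link is responsive."""
        if request in self.unanswered:
            self.unanswered.remove(request)
        if self.state in ("OKAY", "WAIT_DWA"):
            self.state, self.timer_started = "OKAY", now

    def on_dwa(self, now):
        if self.state == "CLOSED":
            return
        self.timer_started = now
        if self.state == "REOPENED":
            self.validated += 1
            if self.validated < 3:                    # validation still running
                self.wire.append(("primary", "DWR", False))
                return
        self.state, self.active = "OKAY", "primary"   # fail back

    def tick(self, now):
        """Call periodically; acts only when a full tw interval has elapsed."""
        if now - self.timer_started < self.tw:
            return
        self.timer_started = now
        if self.state == "OKAY":                      # idle for tw: probe the link
            self.wire.append(("primary", "DWR", False))
            self.state = "WAIT_DWA"
        elif self.state == "WAIT_DWA":                # no DWA within tw: fail over
            self.state, self.active = "SUSPENDED", "secondary"
            for request in self.unanswered:           # T flag: possible duplicate
                self.wire.append(("secondary", request, True))
            self.unanswered = []
        elif self.state in ("SUSPENDED", "REOPENED"): # still silent: close transport
            self.state = "CLOSED"

    def reopen(self, now):
        if self.state == "CLOSED":
            self.state, self.validated, self.timer_started = "REOPENED", 0, now
            self.wire.append(("primary", "DWR", False))


def failover_scenario(tw=30):
    """Constructed timeline: the primary goes silent, later comes back."""
    link, trace = WatchdogLink(tw), []
    link.send("ACR-1")                                # never answered by the primary
    for now in (30, 60, 90):
        link.tick(now)
        trace.append((now, link.state, link.active))
    link.send("ACR-2")                                # new traffic uses the secondary
    link.reopen(100)
    for now in (101, 102, 103):                       # three answered watchdogs
        link.on_dwa(now)
        trace.append((now, link.state, link.active))
    return link, trace


if __name__ == "__main__":
    link, trace = failover_scenario()
    for step in trace:
        print(step)
    print([m for m in link.wire if m[2]])             # messages resent with the T flag
```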
trigger re-authentication, it needs to maintain the session state. This implies that session management is application specific. For example, a Diameter accounting server may be configured to keep track of accounting messages such that it is able to eliminate duplicates and fraudulent messages (e.g., a unique Accounting-Start message should not arrive before an Accounting Stop message for an opened session). In cases where the server is stateful, a Diameter client must always send a session-termination-request (STR) to the server so that the server frees its allocated resources for the session.
RFC3588 (Calhoun et al., 2003) and RFC4005 (Calhoun, Zorn, et al., 2005) outline the accounting process. Similar to RADIUS, Diameter accounting requests (ACR) are sent and answers (ACA) are received from servers. A new accounting type, Event record, has been introduced to be used for short connections where accounting Start and Stop records may arrive during very short time periods (e.g., for push-to-talk services). Accounting Event records are also used to indicate accounting problems. For long connections (e.g., VoIP conferencing and file downloads), Start, Interim, and Stop records are used. It is noteworthy to state that in case of reauthorization, an accounting Interim may be sent to summarize the previous state. In case connection details are modified considerably, an accounting Stop followed by an accounting Start message are sent. The latter case is widely used in practice.
DIAMETER-BASED ARCHITECTURES
As we have seen in the introduction section, there are three network tiers: access, distribution, and core (see Figure 1). In this section, we analyze a selected Diameter application in each tier.
At the Access layer: 1xEV-DO with a translation agent
Figure 1 shows a simplified 1xEV-DO network where radio network controllers (RNCs) authenticate the mobile call through the RADIUS based A12 interface (3GPP2 A.S0008-B, 2006). The AN-AAA returns the subscriber’s International Mobile Subscriber Identity (IMSI) in the Callback-ID AVP to the RNC in the RADIUS access-accept message. Note that since the 1xEV-DO standard does not support Diameter yet, operators may utilize Diameter TAs to convert between RADIUS and Diameter queries. The TA may be collocated with the AN-AAA as shown in Figure 1. Note that RNCs may be configured to failover to another AN-AAA for redundancy. Here, the reader should be aware that such failover is RADIUS based and is not based on the Diameter failover mechanisms.
At the distribution layer: Diameter MobileIPv4
The PDSN is considered the first IP gateway in 1xEV-DO networks. In MobileIPv4 architectures, MNs are expected to move from one PDSN region into another resulting in MobileIP handovers (HO). The HA represents the home network to which the MN’s IP address (Home Address) belongs. Here, we assume that the PDSN/FA and the HA natively support the Diameter MobileIPv4 application (i.e., no translation is involved). When the MN moves into a foreign network, it attaches through a FA that tunnels its traffic back to its home agent enabling it to maintain its IP address while moving (Perkins, 2002; Perkins & Calhoun, 2005).
In 1xEV-DO architectures, the PDSN normally plays the FA role (as well as the NAS role for Diameter) and tunnels the MN’s traffic to its HA. The MN establishes a PPP tunnel to the PDSN and broadcasts a registration request (RRQ). Upon receiving the RRQ, the PDSN forwards it towards the AAA for authentication in a Diameter AA-mobile-node-request (AMR) which includes: Session-ID, MN Home Address, Home Agent identity, and MN NAI (Calhoun, Johansson, et al., 2005). Note that such authentication is needed as the RAN may be operated by a different entity from the Internet Service Provider (ISP) who owns the PDSN, HA, and so forth. Thus, upon receiving the Diameter AA-mobile-node-answer (AMA) from the AAA server, the PDSN/FA establishes a MobileIP tunnel with the HA to serve the MN’s
traffic and starts sending accounting requests to the AAA server.
We know when a mobile node roams into a foreign network, the foreign network’s AAA usually acts as a proxy and forwards the Diameter requests pertaining to the roaming mobile node to its home AAA (HAAA) server. Foreign mobile nodes are simply recognized by the domains in their NAIs. In these cases, the mobile node needs to establish security associations with HA and/or FA. The HAAA is an attractive element to assist a key distribution mechanism. The Diameter MobileIPv4 application focuses on the role of the AAA as the key distribution element. As shown in Figure 8, the MN-AAA shared secret⁸ is used to generate the MN-HA and MN-FA secrets. The FA advertises itself and includes a random challenge and the mobile node replies to the challenge using its MN-AAA shared secret and formulates a registration request (Steps 1, 2). The registration request triggers an AMR at the PDSN to be eventually forwarded to the HAAA (Steps 3, 4). The HAAA validates the request and derives the session keys based on a combination of nonces and the MN-AAA shared secret, then forwards the keys in a home-agent-MIP-request (HAR) to the HA. The HA extracts the MN-HA session key and reformats the nonces generated by the HAAA according to the MobileIP standard and encapsulates them in the home-agent-MIP-answer (HAA) (Steps 5, 6). The HAAA then creates an AMA which includes the MN-FA session key as well as the reformatted nonces from the HAA and forwards it towards the PDSN. The PDSN eventually extracts the session key and sends a registration reply towards the MN (Steps 7-9). The mobile node derives the session keys using the provided nonces and the MN-AAA shared key. Afterwards, the PDSN generates accounting requests (ACRs) reflecting the user’s activity (Steps 10-13). The HAAA may be further used to maintain session information such that the same session-ID is used after handovers (Calhoun, Johansson, et al., 2005).
[Figure 8: message flow, Steps 1-13, among the mobile node, the PDSN/FA, the visited network Diameter AAA, the home Diameter AAA with MobileIPv4, and the home agent (HA), with a Mobile IP tunnel between the PDSN/FA and the HA. Labels in the figure: FA challenge; registration request and MN-AAA answer; AMR (Session-ID=1234); HAR; MN-HA key; HAA; AMA; MN-FA key; MIP-reg-reply; registration reply including MN-FA nonce and MN-HA nonce; ACR; ACA.]
At the core: IP Multimedia Subsystem (IMS) Interfaces
In the last few years, convergent networking architectures were widely discussed. The IMS was proposed as a radio access agnostic core infrastructure that allows heterogeneous radio networks (e.g., WiMAX, 1xEV-DO, UMTS, WiFi)
to communicate. As such, IMS offers unified services and enables seamless connectivity to the application servers (AS). In this section, we outline the role of Diameter in an IMS-based network. In IMS-based architectures users are granted a private identifier (like nai@operatorA.com) and multiple public identifiers (e.g., john.smith@corporate.com, smith_family@home.com), offering users the capability of sharing business and personal contact information, for instance. The users’ profiles are stored in the Home Subscriber Server (HSS). Note that the HSS here plays an authentication and authorization role (AA) and this immediately implies the use of Diameter interfaces.
Let us assume that user 1 roams into provider Y’s network and wishes to access a game service located in his/her home network. For that, user 1 first needs to register with the home network through operator Y’s infrastructure. As shown in Figure 9, the first point of entry to the IMS network is the so-called Proxy Call Session Control Function (P-CSCF). The P-CSCF is responsible for SIP message processing and may perform various functions in security, compression, and policy enforcement over the SIP messages. The Interrogating CSCF (I-CSCF) is used to facilitate the communication among different operators. Operators have the I-CSCF addresses listed in their DNS servers to allow their I-CSCF to communicate with their peer I-CSCF in the other operator’s networks. The I-CSCF normally proxies all SIP messages to the user’s Serving CSCF (S-CSCF). The S-CSCF is the element that inspects all user’s requests and confirms that they abide by access rights specified for that user. It also acts as a SIP router where it determines whether the SIP message needs to be sent to one or more ASs before granting service (Camarillo & García-Martín, 2004). Note that CSCFs communicate over the SIP-based Mw interface and that only I-CSCFs and S-CSCFs communicate with the HSS over the Cx interface (see Table 1 for the Cx Diameter commands). The Cx interface enables the S-CSCF to download users’ profiles from the HSS.
Figure 9. Diameter role in IMS network environments
[Figure 9 labels: HSS1 ... HSSn, AF, CCF, SLF*, S-CSCF, I-CSCF, P-CSCF, HA, visited network (operator Y); interfaces 11/Sh, 12/ISC, 16/Cx, Dx, Mw, Rf.]
* Note that neither the SLF nor the Dx interface are clearly mentioned in the 3GPP2 IMS standards.
Acronyms
IMS: IP Multimedia Subsystem
AF: Application Function
SLF: Subscription Locator Function
CCF: Charging Collection Function
HSS: Home Subscriber Server
HA: Home Agent
P-CSCF: Proxy-Call/Session Control Function
I-CSCF: Interrogating-Call/Session Control Function
S-CSCF: Serving-Call/Session Control Function
The Dx interface, shown in Figure 9, is essentially the same as the Cx interface. When an I-CSCF wishes to locate the appropriate HSS that holds the user’s profile (in order to contact the right S-CSCF for the user’s request), it communicates with the subscription location function (SLF). The SLF is simply a Diameter redirect agent, which refers the I-CSCF to the right HSS. Although this interface is not clearly mentioned in (3GPP2 X.S0013-000-A, 2005), it can be simply viewed as a Diameter redirect for a Cx request.
The Sh interface between the HSS and the AS servers facilitates retrieving the application specific user’s data, updating it, and receiving notifications when it is changed on the HSS. S-CSCF and AF may generate accounting records and in this case such accounting records are sent over the Diameter-based Rf interface towards the charging collection function (CCF). The CCF may reformat the billing records in the charging data record (CDR) format for further processing in the upstream billing system. It is noteworthy to mention that 3GPP2 X.S0013-000-A (2005) includes a 3GPP2 assigned interface name or number of each interface, for example, 16/Cx, along with the original IMS interface names. However, the use of interface numbering seems to be inconsistent in 3GPP2 standards as in most of the cases original names are only used (e.g., Cx not 16/Cx).
In Figure 10, we utilize a subset of the Cx interface commands to illustrate the IMS registration process for a roaming user. Once IP connectivity is established through the MobileIP procedures, the MN commonly referred to as the user agent (UA) in IMS initiates a registration request towards the P-CSCF. The P-CSCF recognizes that the user belongs to operator X, performs a DNS lookup for Operator X’s I-CSCF, and forwards the request to the I-CSCF (Steps 1, 2). When the corresponding I-CSCF receives the registration request, it contacts the HSS over Diameter using the UAR command. Since the REGISTER request usually carries both the user’s public and private identities, the HSS validates that a roaming agreement exists with Operator Y and that the requestor is a valid user and returns a UAA to the I-CSCF (Steps 3, 4). The I-CSCF uses the information in the UAA to locate an S-CSCF and forwards the registration request to it (Step 5). Upon receiving the request, the S-CSCF issues a MAR towards the HSS to obtain appropriate authentication vectors to authenticate the user. The S-CSCF formats the response into a SIP response (401 Unauthorized) that carries a challenge (Steps 6, 7). Once the UA receives the response including a challenge (Step 10), it immediately responds with another registration message carrying a response for the
[Figure 10: IMS registration message sequence. Steps shown: UAR (3), UAA (4), REGISTER (5), MAR (6), MAA (7), 401 Unauthorized / challenge (8, 9, 10), REGISTER / response (11, 12), UAR (13), UAA (14), REGISTER / response (15), SAR (16), SAA (17), 200 OK (18, 19, 20).]
supplied challenge (Step 12). Note that the I-CSCF may perform another UAR to obtain the assigned S-CSCF (Steps 13, 14) either because it is stateless or it is another I-CSCF selected due to DNS load balancing. When S-CSCF receives the second registration request, it validates the user’s response (Step 15) and if successful, it issues SAR to HSS requesting its assignment for the user’s session and requesting the user’s profile. The HSS assigns the S-CSCF for the user’s session and sends the user’s profile back to it (Steps 16, 17). At this point (Step 18), the S-CSCF issues a SIP 200 OK message to the UA and once received (Step 20), the registration process is complete.
For registered users, when the I-CSCF receives a SIP INVITE request, it queries the HSS for the assigned S-CSCF using the LIR command. If the user’s profile is updated, the HSS informs the serving S-CSCF of this change by sending a PPR. The HSS may terminate the user’s session by issuing a RTR message towards the S-CSCF (3GPP2 X.S0013-005-A, 2005). As we can see from this short IMS registration walkthrough as well as from the previous sections, Diameter is envisioned to be one of the fundamental protocols used in the future 3G/4G telecommunication infrastructures.
ISSUES AND FUTURE TRENDS
Many standardization and research efforts are underway to upgrade and enhance the current AAA architectures to exploit the security and the scalability benefits of Diameter in the areas of session management, mobility support, distributed online and off-line accounting, and QoS assurance for user services over heterogeneous wireless networks. For instance, Eyermann, Racz, Stiller, Schaefer, and Walter (2006) discuss possible enhancements to maintain consistent accounting reporting in heterogeneous multi-operator environments by introducing a new Diameter accounting application including new commands and AVPs to allow sharing session context information. Moreover,
efforts to attain seamless translation between RADIUS and Diameter are ongoing especially in the areas of matching requirements between RADIUS and Diameter and in the translation of VSAs (Mitton, 2006).
As the future telecommunication networks are expected to be based on IPv6, Diameter implementations over IPv6 were tested and some issues were identified (Lopez, Perez, & Skarmeta, 2005). The tests were conducted based on the Open Diameter¹⁰ implementation. Integrating Diameter with MobileIPv6 is also an active area in both IETF and research. For example 3GPP2 X.P0047-0 (2006) discusses possible enhancements for MobileIPv6 to exploit the security features of the Diameter applications for MobileIPv6 tunnel setup. It also proposes enhancing MobileIPv6 by using Diameter for dynamic selection of home agents.¹¹
Finally, continuous efforts are being made to establish a standardized framework for end-to-end QoS for services starting from the calling user at the RAN and ending at the called party whether it is located on the Internet or on another cellular network. 3GPP2 addresses such architectures in the service based bearer control draft document (3GPP2 X.S0013-012-0, 2006). It is noteworthy to mention that Diameter is quickly being considered to support many services. For instance Kim and Afifi (2003) discuss the integration of GSM SIM-based authentication with the AAA over Diameter-EAP application. Moreover, 3GPP2 has adopted Diameter architectures to support simple and multimedia messaging services (SMS and MMS) in (3GPP2 X.S0016-101-0, 2006).
SUMMARY
In this chapter we presented and discussed architecture and protocols for AAA as one of the most important design considerations in 3G/4G telecommunication networks. While many advances have been made to exploit the benefits of the current systems based on the RADIUS protocol, we illustrated its inherent security vulnerabilities. We then surveyed the details of the Diameter protocol and some of its applications. We showed that the Diameter protocol is not only the protocol of choice for the IMS architecture, but it also plays an increasingly important role in the three major network tiers, that is, access, distribution, and core. We demonstrated the role of Diameter in each tier by means of sample call flows in practical 1xEV-DO network architectures. We concluded the chapter with a short summary of the current and future trends related to the Diameter-based AAA systems.
REFERENCES
3rd Generation Partnership Project 2 (3GPP2) X.S0013-000-A. (2005). All-IP core network multimedia domain—Overview (Ver. 1) (3GPP2: TSG X Series). Retrieved from http://www.3gpp2.com/Public_html/specs/X.S0013-000-A_v1.0_051103.pdf
3rd Generation Partnership Project 2 (3GPP2) X.S0013-005-A. (2005). All-IP core network multimedia domain—IP multimedia subsystem Cx interface signaling flows and message contents (Ver. 1) (3GPP2: TSG X Series). Retrieved from http://www.3gpp2.com/Public_html/specs/X.S0013-005-A_v1.0_051103.pdf
3rd Generation Partnership Project 2 (3GPP2) A.S0008-B v1.0. (2006). Interoperability specification (IOS) for high rate packet data (HRPD) radio access network interfaces with session control in the access network (3GPP2: TSG A Series). Retrieved from http://www.3gpp2.org/Public_html/specs/A.S0008-B_v1.0_061019.pdf
3rd Generation Partnership Project 2 (3GPP2). X.P0047-0 v1.0. (2006). MobileIPv6 enhancement. (3GPP2: Draft). Retrieved from http://www.3gpp2.org/Public_html/Misc/X.P0047-0v0.5_VV_Due_08_January-2007.pdf
3rd Generation Partnership Project 2 (3GPP2) X.S0011-005-C. (2006). cdma2000 wireless IP network standard; Accounting services and 3GPP2 RADIUS VSAs (3GPP2: TSG X Series). Retrieved from http://www.3gpp2.org/public_html/specs/X.S0011-005-C_v3.0_061030.pdf
3rd Generation Partnership Project 2 (3GPP2) X.S0013-012-0. (2006). All-IP core network
multimedia domain—Service based bearer control—Stage 2 (3GPP2: Draft). Retrieved from http://www.3gpp2.org/Public_html/Misc/X.P0013-012_SBBC_Stage-2_VV_Due_11_Sept-2006.pdf
3rd Generation Partnership Project 2 (3GPP2) X.S0016-101-0. (2006). Multimedia messaging service; MM10 interface based on diameter protocol (3GPP2: Draft). Retrieved from http://www.3gpp2.org/Public_html/SC/X.S0016-101-0_v1.0_060124.pdf
Aboba, B. (2005). Re: End-to-end security in RFC 3588. IETF Mail Archive, Message#01185. Retrieved from http://www1.ietf.org/mail-archive/web/aaa/current/msg01185.html
Aboba, B., & Vollbrecht, J. (1999). Proxy chaining and policy implementation in roaming (RFC 2607). Retrieved from http://www.ietf.org/rfc/rfc2607.txt
Aboba, B., & Wood, J. (2003). Authentication, authorization and accounting (AAA) transport profile (RFC 3539). Retrieved from http://www.ietf.org/rfc/rfc3539.txt
Braunöder, M. (2003). Plug and phone software. Retrieved from http://samuel.labs.nic.at/at43/dictionary
Calhoun, P., Bulley, W., & Farrell, S. (2002). Diameter CMS security application. IETF: DRAFT. Retrieved from http://www3.ietf.org/proceedings/02mar/I-D/draft-ietf-aaa-diameter-cms-sec-04.txt
Calhoun, P., Johansson, T., Perkins, C., Hiller, T., & McCann, P. (2005). Diameter mobile IPv4 application (RFC 4004). Retrieved from http://www.ietf.org/rfc/rfc4004.txt
Calhoun, P., Loughney, J., Guttman, E., Zorn, G., & Arkko, J. (2003). Diameter base protocol (RFC 3588). Retrieved from http://www.ietf.org/rfc/rfc3588.txt
Calhoun, P., Zorn, G., Spence, D., & Mitton, D. (2005). Diameter network access server application (RFC 4005). Retrieved from http://www.ietf.org/rfc/rfc4005.txt
Camarillo, G., & García-Martín, M. (2004). The 3G IP multimedia subsystem (IMS): Merging the Internet and the cellular worlds. John Wiley & Sons.
Eronen, P., Hiller, T., & Zorn, G. (2005). Diameter extensible authentication protocol (EAP) application (RFC 4072). Retrieved from http://www.ietf.org/rfc/rfc4072.txt
Eyermann, F., Racz, P., Stiller, B., Schaefer, C., & Walter, T. (2006). Diameter-based accounting management for wireless services. In IEEE Wireless Communications and Networking Conference (WCNC’06) (Vol. 4, pp. 2305-2311).
Fajardo, V., & Ohba, Y. (2006). Diameter base protocol details. In The 67th IETF meeting. San Diego, CA. Retrieved from http://www3.ietf.org/proceedings/06nov/slides/dime-3/dime-3.ppt
Garcia-Martin, M., Ed., Belinchon, M., Pallares-Lopez, M., Canales-Valenzuela, C., & Tammi, K. (2006). Diameter session initiation protocol (SIP) application (RFC:4740). Retrieved from http://www.ietf.org/rfc/rfc4740.txt
Hakala, H., Mattila, L., Koskinen, J.-P., Stura, M., & Loughney, J. (2005). Diameter credit-control application (RFC 4006). Retrieved from http://www.ietf.org/rfc/rfc4006.txt
Kent, S., & Seo, K. (2005). Security architecture for the Internet protocol (RFC 4301). Retrieved from http://www.ietf.org/rfc/rfc4301.txt
Kim, H., & Afifi, H. (2003). Improving mobile authentication with new AAA protocols. In IEEE International Conference on Communications (ICC ’03) (Vol. 1, pp. 497-501).
Lopez, M., Perez, G., & Skarmeta, A. (2005). Implementing RADIUS and diameter AAA systems in IPv6-based scenarios. In IEEE Proceedings of the 19th International Conference on Advanced Networking and Applications (AINA’05) (Vol. 2, pp. 851-855).
Mitton, D. (2006). Diameter/RADIUS vendor specific AVP translation. IETF: DRAFT. Retrieved from http://internet-drafts.osmirror.nl/draft-mitton-diameter-radius-vsas-01.txt
Perkins, C. (2002). IP mobility support for IPv4 (RFC 3344). Retrieved from http://www.ietf.org/rfc/rfc3344.txt
Perkins, C., & Calhoun, P. (2005). Authentication, authorization, and accounting (AAA) registration keys for mobile IP (RFC 3957). Retrieved from http://www.ietf.org/rfc/rfc4301.txt
Rigney, C. (1998). 2.4.10 Remote authentication dial-in user service (radius). Snapshot of the 41st IETF meeting. In Proceedings of the IETF March 1998. Retrieved from http://www3.ietf.org/proceedings/98mar/98mar-edited-79.htm
Rigney, C. (2000). RADIUS accounting (RFC 2866). Retrieved from http://www.ietf.org/rfc/rfc2865.txt
Rigney, C., Willats, W., & Calhoun, P. (2000). RADIUS extensions (RFC 2869). Retrieved from http://www.ietf.org/rfc/rfc2869.txt
Rigney, C., Willens, S., Rubens, A., & Simpson, W. (2000). Remote authentication dial in user service (RADIUS) (RFC 2865). Retrieved from http://www.ietf.org/rfc/rfc2865.txt
Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., et al. (2002). SIP: Session initiation protocol (RFC 3261). Retrieved from http://www.ietf.org/rfc/rfc3261.txt
Wikipedia. (n.d.). RADIUS. Retrieved from http://en.wikipedia.org/wiki/RADIUS
KEY TERMS
Diameter: Diameter is a new AAA protocol presented in RFC 3588 to replace RADIUS.
IP Multimedia Subsystem (IMS): IP multimedia subsystem is an access agnostic architecture proposed as a core technology for the next generation services.
One Carrier Evolution Data Only (1xEV-DO): 1xEV-DO is a CDMA2000 based cellular access technology proposed to support high rate data services.
Remote Access Dial In User Service (RADIUS): RADIUS is an AAA protocol defined in RFCs 2865 and 2866.
ENDNOTES
1 MMD is defined in all-IP core network standards (TSG X series) found at http://www.3gpp2.org/.
2 Notice that the authentication and the authorization operations are not separated in RADIUS. In other words, to obtain a user’s authorization set, user must be successfully authenticated.
3 UDP ports 1812 and 1813 are the standard ports assigned for authentication and accounting respectively.
4 Inter-domain AAA traffic crossing untrusted networks such as in roaming scenarios is usually secured by dedicated VPNs.
5 According to (Aboba, 2005, message 01185) end-to-end security through Diameter CMS (Calhoun, 2002) mentioned in the standard (Calhoun, 2003, RFC 3588) has been abandoned and resolved by the introduction of the Diameter EAP application defined in (Eronen, 2005, RFC4702).
6 If a loop exists, the message is rejected with a DIAMETER_LOOP_DETECTED error message
7 More complex procedures may apply in case of translation.
8 Loosely speaking the user’s password
9 These commands are based on the Diameter Cx Application (Application-ID=16777216), more details can be found in (3GPP2 X.S0013-005-A, 2005; 3GPP2 X.S0013-006-A, 2005).
10 The Open Diameter project, located at [http://www.opendiameter.org/], offers open source C++ implementation of the Diameter base protocol.
11 Dynamic Home Agent (DHA) selection is a method used to dynamically select home agent based on the geographic location of the user such that the network backhaul delay is minimized.
Chapter XIII
Authentication, Authorisation,
and Access Control in
Mobile Systems
Josef Noll
University Graduate Center – UniK, Norway
György Kálmán
University Graduate Center – UniK, Norway
ABSTRACT
Converging networks and mobility raise new challenges towards the existing authentication, authorisation, and accounting (AAA) systems. Focus of the research is towards integrated solutions for seamless service access of mobile users. Interworking issues between mobile and wireless networks are the basis for detailed research on handover delay, multi-device roaming, mobile networks, security, ease-of-use, and anonymity of the user. This chapter provides an overview over the state of the art in authentication for mobile systems and suggests extending AAA mechanisms to home and community networks, taking into account security and privacy of the users.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
players demonstrate early examples, research in the AAA area focuses on providing a backplane for the upcoming ubiquitous services run over converged networks.
BACKGROUND
The AAA methods employed in current networks were developed for a single type of network, resulting in two different systems, one for telecommunication services and one for computer networks. This chapter addresses AAA in global system for mobile communications (GSM) and UMTS and computer network solutions based on Internet Engineering Task Force (IETF) standards.
The computer networks provide a unified AAA access, and research focuses on extending the existing methods to be suitable for telecommunication services. Extensions for Remote Authentication Dial In User Service (RADIUS) and Diameter are proposed. RADIUS is the current de facto standard for remote user authentication. It uses Universal Datagram Protocol (UDP) as transport. Authentication requests are protected by a shared secret between the server and the client, and the client uses hash values calculated from this secret. The requests are sent in plaintext except for the user password attribute. The Diameter protocol provides an upgrade possibility as compared to RADIUS. While enhancing the security through supervised packet transmission using the transmission control protocol (TCP) and transport layer encryption for reducing man-in-the-middle attacks, it lacks backward compatibility.
Both methods have a different background. The computer networks targeted the person using a computer in a fixed network environment, while mobile systems addressed a personal device in a mobile network. Thus a challenge for telcos is to enhance seamless network authentication towards user authentication for service access. Most companies are also Internet service providers (ISPs), this would be a natural unification of their AAA systems.
A generic approach is taken by extension of the Extensible Authentication Protocol (EAP) family. Development efforts of the Internet and telecommunication world were united on EAP. This protocol family has the potential for becoming the future common platform for user authentication over converged networks. EAP is a universal authentication framework standardised by IETF, which includes the authentication and key agreement (AKA) and Subscriber Identity Module (SIM) methods. EAP-AKA is the standard authentication method of UMTS networks.
Beside the fundamental differences of communication and computer networks, mobility is the key issue for both. Network services should not only be accessible from mobile terminals, but they should be adapted to the quality of service (QoS) requirements of a mobile/wireless link. Improvements of AAA methods are of fundamental importance for mobility, providing fast handover, reliable and secure communications on a user-friendly and privacy protecting basis.
Subscriber Authentication in Current Networks
In GSM networks, the integrated AAA is used for any type of user traffic. The authentication is just one way the user has to authenticate himself/herself towards the network.
To be more precise, the user is authenticated with a PIN code towards the SIM in the mobile phone, then the device authenticates itself towards the network. Device authentication instead of user authentication can hinder the upcoming personalised services because it is hiding the user behind the device. In UMTS, the authentication of the device is two-way. A device can also check the authenticity of the network with the help of keys stored on the SIM.
Integration of the mobile authentication with different external services is not widespread. The telecom providers have some internal services, which can authenticate the subscriber based on the data coming from the network. Credentials could be basically the CallerID, the Temporary International Mobile Subscriber Identity (TIMSI) or other data transformed with a hash function. Access control and authorisation is more an internal
Authentication, Authorisation, and Access Control in Mobile Systems
                     Cellular        WLAN
Coverage             Country-wide    Local
Security             Strong          Depends on setup
Transmission rate    Low             High
Deployment cost      High            Low
License fee          Very high       No need
Construction         Difficult       Easy
Mobility support     High            Poor
the EAP family, especially transport layer security (TLS) and SIM.

Most cellular operators are now providing WLAN services using the Universal Access Method (UAM) for authentication. UAM uses a layer 3 authentication method, typically a Web browser to identify the client for access to the WLAN. This raises the problem of mutual authentication, which has been a problem also in GSM networks. By extending to EAP-SIM it would be possible to enable SIM-based authentication in these environments for SIM-enabled devices.

Roaming between access providers is a second issue. Since data between access points are carried over an IP backbone, it is natural to use a network-based protocol such as RADIUS, suggested by Leu et al. (2006). Transport encryption inside the backbone is no different from normal wired practice, hence out of scope for this chapter. In a converged network, where users can switch between mobile networks and WLAN services, a common AAA system has to be operational to ensure correct operation. A unified billing scheme is proposed by Janevski et al. (2006), suggesting to use 802.1x on the WLAN side as shown on Figure 2. The mobile networks WLAN connection is suggested through the RADIUS server used also for access control in 802.1x.

The use of the IEEE 802.1x standard allows seamless authentication, since preshared certificates and key negotiation are provided to the cellular network, where the user is already authenticated. With the use of digital certificates, the system is getting closer to the preferred view of pervasive systems, where the user and the service providers are mutually identified. Since these systems authenticate the user towards several services, privacy is a primary concern. A possible solution, recommended by Ren, Lou, Kim, and Deng (2006) has a secure authentication scheme while preserving user privacy.

In pervasive environments a user connected will experience seamless authentication to all services when connected through a SSO service. Malicious tracking of his/her behaviour or eavesdropping of authentication messages can compromise the user credentials. The SSO service has to be extremely prudent when sending user-related information. Keeping a reasonable level of privacy, the system should deal with questions in location privacy, connection anonymity, and confidentiality (Ren et al., 2006). The recommendations are based on blind signatures and hash chains. Using hash is highly recommended, since a good hash function can provide good foundation for anonymous access and its resource needs are not too high for the current mobile devices, as sometimes blind signatures
based on Rivest-Shamir-Adleman (RSA) scheme may be. In certain environments, the GSM integrated functions may also be used.

The user retains full control over authentication credentials when composing and generating authentication tokens like the identities suggested by Chowdhury and Noll (2007). Initial service access can be achieved showing one of these tokens after mutual identification between the service and the user. Based on these tokens, no user data can be retrieved nor traced back. If all of the initial identification steps succeed, the exchange of the required credentials can proceed using a freshly negotiated session key.

The base of most authentication techniques is a preshared key, delivered to the user device out-of-band. Authentication can be done for example in mobile phones by inserting a master private key on the SIM at the activation of the card (Kálmán & Noll, 2006).

A different approach is to extend the current mobile network with additional elements to enable network integrated AAA also in an Internet environment. Khara, Mistra, and Saha (2006) suggest including a new node, called Serving GPRS Access Router. This entity acts as a gateway for the WLAN traffic to enter the general packet radio services (GPRS) backbone and enable GPRS signalling to control WLAN. The new protocol set eliminates the need of Signalling System 7 (SS7) in addition to the IP backbone. Khara et al. claim that this solution is superior in terms of speed and overhead compared to the RADIUS-based methods suggested previously. The main drawback is the need of special dual mode devices with a split IP layer, a solution which might not be practical having in mind the basis of 2.5 billion mobile phones available in the market.

For mobile devices limited computational resources and battery power require an effective AAA mechanism. Extension of the GPRS/UMTS network could be potentially more expensive than deploying RADIUS authentication. Handover delay caused by terminal mobility is an issue which might favour GPRS/UMTS protocols.
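The hash-chain approach recommended above for low-cost, anonymous authentication can be made concrete with a Lamport-style one-way chain. This is an added example, not code from the chapter or from the cited papers; the class names, the use of SHA-256 and the `max_skip` resynchronisation window are assumptions chosen for illustration.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """One-way function used for every link of the chain (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def build_chain(seed: bytes, n: int) -> list:
    """Return [seed, H(seed), H(H(seed)), ..., H^n(seed)]."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


class Device:
    """Mobile side: pays the hashing cost once, then only reads stored values."""

    def __init__(self, seed: bytes, n: int):
        self._chain = build_chain(seed, n)   # precomputed, e.g. while charging
        self._next = n - 1                   # index of the next token to reveal

    @property
    def anchor(self) -> bytes:
        """H^n(seed): enrolled with the AAA server out-of-band; reveals no identity."""
        return self._chain[-1]

    @property
    def remaining(self) -> int:
        return self._next + 1

    def next_token(self) -> bytes:
        if self._next < 0:
            raise RuntimeError("hash chain exhausted; enrol a new anchor")
        token = self._chain[self._next]
        self._next -= 1
        return token


class Verifier:
    """AAA side: stores only the last accepted value, never the seed."""

    def __init__(self, anchor: bytes, max_skip: int = 3):
        self._last = anchor
        self._max_skip = max_skip            # tokens that may be lost in transit

    def verify(self, token: bytes) -> bool:
        candidate = token
        for _ in range(self._max_skip + 1):
            candidate = H(candidate)
            if hmac.compare_digest(candidate, self._last):
                self._last = token           # moving forward makes older tokens useless
                return True
        return False


if __name__ == "__main__":
    device = Device(b"\x01" * 32, 5)         # constructed seed; use a random one in practice
    server = Verifier(device.anchor)
    first = device.next_token()
    print("fresh token accepted :", server.verify(first))
    print("replayed token       :", server.verify(first))
```

Each verification costs the server at most `max_skip + 1` hash evaluations and the device none, which is the saving over per-message public-key operations that the text argues for.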
revised in order to achieve reasonably fast mobility support. The basic challenge is that currently AAA and MIPv6 are operated independently. This means that the terminal has to negotiate with two different entities in order to get access to the new network.

In Mobile IPv6, the terminal is allowed to keep connections to a home agent (HA) and a correspondent node (CN), even when the terminal changes point of attachment to that network. The terminal has two addresses, the home address (HoA) and the care-of address (CoA). The HoA is fixed, but the CoA is generated by the visited network. The mobile IP protocol binds these two addresses together. To ensure an optimal routing in the network, the terminals switch to route optimisation mode after joining a new network. Then it executes a return routability procedure and a binding update (BU) to communicate to the correspondent node directly. The return routability procedure consists of several messages, which together induce a long delay.

The handover between networks implies even more steps and consumes more time: movement detection, address configuration, home BU, return routability procedure, and a BU to the correspondent node. The terminal cannot communicate with the CN before the end of the procedure.

Fast handover capability is a major research item in IETF for MIPv6, including the standards FMIPv6 and HMIPv6. In addition to these schemes, Ryu and Mun (2006) introduce an optimisation in order to lower the amount of signalling required and thus lower the handover delay between domains.

In an IPv6 system, the IP mobility and AAA are handled by different entities. This architecture implies unnecessary delays. Several solutions are proposed to enable the mobile terminal to build a security association between the mobile node and the HA. This enables home BU during the AAA procedure. Route optimisation is a key topic in efficient mobility service provision. MIPv6 optimises the route with the use of the return routability procedure. In wireless environments, the generated signalling messages represent a considerable part of the whole overhead. Moving route optimisation into the AAA procedure can reduce the delay by nearly 50% (Ryu & Mun, 2006). This was enabled by embedding the BU message into the AAA request message and so optimising the route while authenticating. This solution can solve MIPv6’s basic problem of supporting different administrative domains and enable scalable large scale deployment.

Lee, Huh, Kim, and Lee (2006) define a novel communication approach to enable communication between the visited AAA servers for a faster and more efficient authentication mechanism. If a terminal visits a remote network, the AAA must be done by the remote system. IETF recommends integrating Diameter-based authentication into the MIPv6 system. But, when the user is using services on the remote network, the remote AAA has to keep a connection with the home AAA. The proposed new approach of Lee, Huh, et al. suggests enabling faster authentication when the terminal moves between subnets inside a domain by exchanging authentication data between visited AAA servers without the need of renegotiation with the HA. Connection to the HA is needed only after the authentication when the terminal executes a BU.

One other aspect is shown by Li, Ye, and Tian (2006) suggesting a topology-aware AAA overlay network. This additional network could help MIPv6 to make more effective decisions and to prepare for handovers and other changes in network configuration. Based on the AAA servers and connections between, a logical AAA backbone can be created, which can serve as administration backbone for the whole network. Signals delivered over this network are topologically aware, so the optimal route can easily be selected and signalling messages can be transmitted over the best route. In exchange to the build cost of this backbone network and some additional bandwidth consumed, MIPv6’s security and performance can be enhanced.

As the route of the service access is secured, optimised and delay reduced, one basic problem still remains: how to ensure that the user is the one, the network thinks he/she is. Lee, Park, and Jun (2006) suggest using smart cards to support interdomain roaming. The use of the SIM might be preferable because of its widespread use and cryptographic capabilities (Kálmán & Noll, 2006). The problem of having multiple devices is also
raised here, since a system based on the SIM as smart card will require SIM readers in every device—if a secure key exchange method between the devices is not in place.

Lee, Park, et al. (2006) suggest an entity called roaming coordinator ensuring seamless roaming services in the converged network. This additional node provides context management services and enables seamless movement between the third generation (3G) network and WLAN to enforce security in converged networks. In order to provide good user experience in a pervasive environment, additional intelligence needs to be added to the traditional AAA systems to ensure that the terminal selects the most appropriate connection method. This method has to be based on the context and has to be supported in all networks. A smart-card-based secure roaming management framework enables the transfer of the terminal's context without renegotiating the whole security protocol set. When the terminal moves into a new network, the roaming coordinator, AAA servers, and proxies take charge of the authentication process. The coordinator, having received a roaming request, evaluates the available networks and chooses the best available one, and then triggers the context transfer between the corresponding AAA servers. When transferring whole user contexts, the system has to consider privacy requirements of the user’s identity and his/her profile.

Anonymity and Identity

In pervasive environments, privacy is of key importance. With computers all around, gathering information about traffic, movements, service access, or physical environment, customer privacy must be protected. Køien (in press) suggests a protocol, which is able to provide better protection for the user’s privacy than the normal 3G network. Changes in the EAP-AKA protocol are suggested to use only randomly generated user authentication values. He defines three user contexts implying different key management and authentication schemes, like existing keys for short-term and fresh keys for medium-term access. Identity-based encryption is recommended to enable a flexible binding of the security context to protect the permanent subscriber identity and location data, which will only be discoverable by the home register. The main drawback of the suggested protocol is its higher computing requirements as compared to EAP-AKA, potentially limiting the applicability.

Security and Computing Power

A security protocol in a wireless environment should be fast and secure, and it has to be effective in terms of computing power and low data transfer need. In low power environments an authentication scheme with high security and low computing power is advised. One solution is based on hash functions and smart cards, allowing minimised network traffic and short message rounds used for authentication. Anonymity can be ensured through one-time passwords. While accepting the advantages of a system with smart cards, the use of extra hardware like a card reader is not advisable, due to compatibility issues and power requirements.

Software-based solutions have an advantage, as they only require computing power. Showing the importance of power consumption, a comparison of cryptographic protocols is presented by Lee, Hwang, and Liao (2006) and Potlapally, Ravi, Raghunathan, and Jha (2006) showing that twice the transmit energy of one bit is needed to run asymmetric encryption on that piece of information. Symmetric encryption needs, in contrast, around one half of the transmit energy. Most overhead is generated by session initialisation, meaning longer sessions induce lower overhead. There is a trade-off between security and session length. While negotiation overhead is getting lower with long sessions, security risks are getting higher.

This overhead can be lowered by special hardware or software solutions. Hardware needs some power and bigger silicon, while software requires a faster CPU. Hash functions have an energy requirement of around half a percent compared to PKI in generating session keys (Potlapally et al., 2006). Key exchange protocols using elliptic curve Diffie-Hellman (DH) come out much more energy efficient as compared to the same traditional strength DH. The DH calculations demonstrate the trade-off between power consumption and security. In order
to have an efficient operation, the security protocol needs to have the possibility to adapt encryption to the needs of the current application. Authentication token generation can be problematic for devices with limited computing capabilities. Personal area networks (PAN) with multiple devices raise this problem by their very nature.

Security in Personal Area and Home Networks

Efficient authentication and certificate management ensures better usability of PAN devices. By using efficient security protocols, content-adaptive encryption, efficient key and certificate management, considerably longer battery operation is achievable. To enable key management in a PAN a personal certificate authority (CA) entity is suggested (Sur & Rhee, 2006; Sur, Yang, and Rhee, 2006), which will be responsible for generating certificates for all mobile devices within the PAN or home device domain (Popescu, Crispo, Tanenbaum, & Kamperman, 2004). Because of the context of use, the authentication protocol is focused on efficiency by reducing computational overheads for generating and verifying signatures.

Main focus is on reducing PKI operations, which have been proven to be energy consuming. Instead, it proposes to use hash chains to lower communication and computational costs for checking certificates. Former research suggested hash trees in order to authenticate a large number of one-time signatures. By extending these with fractal-based traversal, it has been proven that these trees provide fast signature times with low signature sizes and storage requirements. The personal CA has to be a unique trusted third party in the PAN. It needs to have a screen, a simple input device, and has to always be available for the members of the network. A cell phone with the SIM is a perfect candidate to be a personal CA (Kálmán & Noll, 2006).

In home environments, basically two types of authentication are distinguished: (1) user authentication, and (2) device authentication (Jeong, 2006). Mutual authentication has to be used in order to prevent impersonation attacks (identity theft). This requires an SSO infrastructure, which can be for example Kerberos or RADIUS. A special aspect of resource access over the home LAN is that specific privileges are given to selected programs. The AAA server maintains an access control list to ensure correct privilege distribution.

To build the initial trust relationships some kind of user interaction is needed. The key should initially be distributed out-of-band, for example on a USB stick, or by using short range wireless technology, Near Field Communication (NFC), for example (Noll, Lopez Calvet, & Myksvoll, 2006). On home networks, where power consumption is not a problem, PKI may be used for negotiating session keys between devices, since key management in a PKI is simpler than in symmetric encryption and the delay caused by checking certificates and so forth will not be noticeable in this environment. Users authenticated towards the AAA infrastructure can access the resources seamlessly. Initial authentication is done with PKI. In case of mobile devices, also the home AAA can use previously calculated hash values in chain to lower computational cost. These AAA infrastructures can be connected to a provider's AAA, for example to use in digital rights management (DRM) or home service access from a remote network (Popescu et al., 2004).

A user moving with his/her devices to the home raises another AAA challenge, the mobile nodes.

Mobile Nodes (Network Mobility)

Movement of whole networks like PANs or networks deployed on a vehicle, introduce a new level of AAA issues. In a conventional network a standard mobility support does not describe route optimisation. Several procedures are suggested to provide this functionality for mobile nodes, like Recursive Binding Update Plus (RBU+), where route optimisation is operated by MIPv6 instead of the network mobility (NEMO) architecture. This means, that every node has to execute its own BU with the corresponding HAs. To solve problems with pinball routing, it uses the binding cache in the CN. When a new BU message arrives, the RBU+ has to execute a recursive search, which
leads to serious delays with a growing cache size. One potential route optimisation is presented by Jeong (2006).

A designated member of the network, called a mobile router, is elected to deal with mobility tasks to reduce network overhead. The AAA protocol for this environment defines a handover scheme and tree-based accounting to enable efficient optimisation. They recommend using dual BU (DBU) procedure instead of the existing procedures like RBU+ as a solution for the reverse routing problem raised by mobility. DBU operates with additional information placed into the messages sent in a BU process. This is the CoA of the top level mobile router (TLMR). By monitoring the messages, the CNs in the subnet can keep optimal route towards the TLMR.

Moving subnets are the subject of eavesdropping and possible leakage of the stored secrets. A secure AAA is proposed for network mobility over wireless links, which deals with these problems (Fathi et al., 2006). Secret leakage can be caused by malicious eavesdroppers, viruses, or Trojans. A possibility is to store the keys in tamper resistant modules, like smart cards, the SIM, or trusted hardware modules. Deploying additional modules can be problematic and expensive. Fathi et al. propose a protocol based on a short secret, which can be remembered by humans and used in a secure protocol called Leakage-resilient authenticated key exchange protocol (LR-AKE). This protocol is used for AAA to reduce NEMO latency under 300 ms in order to provide session continuity, for example in VoIP applications, which is important in keeping a good user experience. However, short passwords as proposed with LR-AKE are not advisable. If complex, they will be noted down by the user, and if weak, they are easy to guess.

As network mobility has considerable security issues, it may be not the way to go. Functionality of a mobile network might be achieved by using a dedicated device as a gateway of the PAN. Only this device will show up in the wireless network, and all traffic originating and arriving to the PAN will go through this device and its HA.

After these technical issues of authentication the next chapter will deal with authentication from the user viewpoint.

Customer Ergonomics

There is always a trade-off between user security and ease of use. If the system is prompting for a password for every transaction, it can assume with quite high probability, that the access is enabled just for the correct user. But, that is unacceptable for most of the users in private environments, where convenience is more valued than security. In corporate networks, policies are just enforced and users have to accept it. It would however be problematic if the credentials were only asked once at start-up or connecting to the network, since mobile devices are threatened by theft, loss, and other dangers by their nature of use.

Smart cards could be a solution to have a good trade-off between the usability and security. Since the user will have a token, which he/she has to care of, and exchange keys generated by it, at least it could be secured that the user who is accessing a specified service holds the authentication to

The mobile phone with the integrated smart card, the SIM, is a potential tool for this purpose. As indicated by Leu et al. (2006) the requirement of carrying a SIM reader or equipping all the equipment with SIM cards is neither convenient nor cost effective. The possibility of secure key exchange between user equipment shall be provided.

The cell phone can act as a key negotiator, with its tamper resistant cryptographic functions integrated into the SIM and then exchange the session keys with other terminals with the use of a short range wireless solution. Currently, most of the security problems, besides the user behaviour, are coming from security holes in the software. Having the capability to download new software over the air to the phone ensures the use of recent updates and eliminates this type of security threat (Kálmán & Noll, 2006). Compared to a security token, it may be better to use the phone, since the SIM card can be locked by the provider, so if the device gets lost, the authentication credentials can be withdrawn within short time.
Fathi, H., Shin, S., Kobara, K., Chakraborty, S. S., Imai, H., & Prasad, R. (2006). LR-AKE-based AAA for network mobility (NEMO) over wireless links. IEEE Journal on Selected Areas in Communications, 24(9), 1725-1737.

Janevski, T., Tudzarov, A., Janevska, M., Stojanovski, P., Temkov, D., Kantardziev, D., et al. (2006). Unified billing system solution for interworking of mobile networks and wireless LANs. In Proceedings of the IEEE Electrotechnical Conference MELECON 2006 (pp. 717-720).

Jeong, J., Chung, M. Y., & Choo, H. (2006). Secure user authentication mechanism in digital home network environments. In Embedded and Ubiquitous Computing (LNCS 4096).

Jeong, K. C., Lee, T.-J., Lee, S., & Choo, H. (2006). Route optimization with AAA in network mobility. In Computational Science and Its Applications—ICCSA 2006 (LNCS 3981).

Kálmán, Gy., Chowdhury, M. M. R., & Noll, J. (2007). Security for ambient wireless services. In Proceedings of the 65th IEEE Vehicular Technology Conference (VTC2007).

Kálmán, Gy., & Noll, J. (2006). SIM as a key of user identification: Enabling seamless user identity management in communication networks. In Proceedings of the WWRF meeting #17.

Khara, S., Mistra, I. S., & Saha, D. (2006). An alternative architecture for WLAN/GPRS integration. In Proceedings of the IEEE Vehicular Technology Conference, 2006, VTC 2006 (pp. 37-41).

Køien, G. M. (in press). Privacy enhanced mobile authentication. Wireless Personal Communications.

Lee, C.-C., Hwang, M.-S., & Liao, I.-E. (2006). Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Transactions on Industrial Electronics, 53(5), 1683-1687.

Lee, M., Park, S., & Jun, S. (2006). A security management framework with roaming coordinator for pervasive services. In Autonomic and Trusted Computing (LNCS 4158).

Lee, S.-Y., Huh, E.-N., Kim, Y.-W., & Lee, K. (2006). An efficient authentication mechanism for fast mobility service in MIPv6. In Computational Science and Its Applications—ICCSA 2006 (LNCS 3981).

Leu, J.-S., Lai, R.-H., Lin, H.-I., & Shih, W.-K. (2006). Running cellular/PWLAN services: Practical considerations for cellular/PWLAN architecture supporting interoperator roaming. IEEE Communications Magazine, 44(2), 73-84.

Li, J., Ye, X.-M., & Tian, Y. (2006). Topologically-aware AAA overlay network in mobile IPv6 environment. In Networking 2006 (LNCS 3976).

Long, M., & Wu, C.-H. (2006). Energy-efficient and intrusion-resilient authentication for ubiquitous access to factory floor information. IEEE Transactions on Industrial Informatics, 2(1), 40-47.

Noll, J., Lopez Calvet, J. C., & Myksvoll, K. (2006). Admittance services through mobile phone short messages. In Proceedings of the International Conference on Wireless and Mobile Communications ICWMC’06.

Popescu, B. C., Crispo, B., Tanenbaum, A. S., & Kamperman, F. L. A. J. (2004). A DRM security architecture for home networks. In Proceedings of the 4th ACM Workshop on Digital Rights Management.

Potlapally, N. R., Ravi, S., Raghunathan, A., & Jha, N. K. (2006). A study of the energy consumption characteristics of cryptographic algorithms and security protocols. IEEE Transactions on Mobile Computing, 5(2), 128-143.

Ren, K., Lou, W., Kim, K., & Deng, R. (2006). A novel privacy preserving authentication and access control scheme for pervasive computing environments. IEEE Transactions on Vehicular Technology, 55(4), 1373-1384.

Ryu, S., & Mun, Y. (2006). An optimized scheme for mobile IPv6 handover between domains based on AAA. In Embedded and Ubiquitous Computing (LNCS 4096).

Sur, C., & Rhee, K.-H. (2006). An efficient authentication and simplified certificate status management for personal area networks. In Management of Convergence Networks and Services (LNCS 4238).

Sur, C., Yang, J.-P., & Rhee, K.-H. (2006). A new efficient protocol for authentication and certificate status management in personal area networks. In Computer and Information Sciences—ISCIS 2006 (LNCS 4263).

Zhang, Y., & Fujise, M. (2006). An improvement for authentication protocol in third-generation wireless networks. IEEE Transactions on Wireless Communications, 5(9), 2348-2352.

Key Terms

Authentication, Authorisation, and Accounting (AAA): AAA is a system that handles all users of the system to ensure appropriate right management and billing.

Converged Network: Converged network is a network carrying various types of traffic. Such a network is providing services to different terminals, which can access and exchange content regardless of the current networking technology they are using.

Diameter: Diameter is a proposed successor of RADIUS. It uses TCP as a transport method and provides the possibility to secure transmissions with TLS. It is not backward compatible with RADIUS.

Digital Rights Management (DRM): DRM is a software solution that gives the power for the content creator to keep control over use and redistribution of the material. Used mostly in connection with digital media provider companies, but in pervasive environments, users may also require a way to have a fine-grained security infrastructure in order to control access to own content.

Extensible Authentication Protocol (EAP): EAP, a flexible protocol family, which includes TLS, IKE protocols, and also the default authentication method of UMTS, EAP-AKA.

International Mobile Subscriber Identity (IMSI), Temporary-IMSI (TMSI): IMSI and TIMSI is the unique identity number used in UMTS to identify a subscriber. The temporary one is renewed from time to time, and that is the only one that is used over the air interface.

Public Key Infrastructure (PKI): PKI is a service that acts as a trusted third party, manages public keys, and binds users to a public key.

Remote Authentication Dial in User Service (RADIUS): RADIUS is the de facto remote authentication standard over the Internet. It uses UDP as a transport method and is supported by software and hardware manufacturers. Privacy problems may arise when used on wireless links, since only the user password is protected by an MD5 hash.

Rivest-Shamir-Adleman (RSA): RSA is the de facto standard of public key encryption.

Smart Card: Smart card is a tamper resistant pocket sized card, which contains tamper resistant non-volatile storage and security logic.

Subscriber Identity Module (SIM): SIM is the smart card used in GSM and UMTS (as USIM) networks to identify the subscribers. It has integrated secure storage and cryptographic functions.
Chapter XIV
Trustworthy Networks, Authentication, Privacy, and Security Models
Yacine Djemaiel
University of the 7th of November at Carthage, Tunisia
Slim Rekhis
University of the 7th of November at Carthage, Tunisia
Noureddine Boudriga
University of the 7th of November at Carthage, Tunisia
Abstract
Wireless networks are gaining popularity that comes with the occurrence of several networking technologies ranging from personal to wide area, from centralized to distributed, and from infrastructure-based to infrastructure-less. Wireless data link characteristics, such as openness of transmission media, make these networks vulnerable to a novel set of security attacks, in addition to those that they inherit from wired networks. In order to ensure the protection of mobile nodes that are interconnected using wireless protocols and standards, it is essential to provide an in-depth study of a set of mechanisms and security models. In this chapter, we present the research studies and proposed solutions related to the authentication, privacy, trust establishment, and management in wireless networks. Moreover, we introduce and discuss the major security models used in a wireless environment.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
been provided. The solutions were made to cope with the features of the wireless environment and the mobile nodes. In this chapter, we present the research work and security solutions related to authentication, privacy, and trust management. Moreover, we introduce and discuss the major security models used in a wireless environment.
The first section of this chapter takes interest in the concept of trust, which can be defined as the firm belief in the competence of an entity to act dependably, securely and reliably within a specified context. Starting from this definition, it is significant that trust implies a level of uncertainty and judgment. This may depend on many factors due to risks associated with wireless networks. In this section, we define trust in the wireless context and discuss its models.
The second section discusses authentication, which is a crucial mechanism that ensures that a resource is used by the appropriate entities. Actors, architecture, and issues related to authentication in wireless environments are discussed.
The third section discusses authentication models and protocols in wireless LAN (WLAN), cellular, ad hoc, and wireless mobile access networks (WMAN). As Mobile IP is becoming a unifying technology for wireless networks, allowing mobile nodes to change their point of attachment without losing their connections, a particular interest is also given to authentication in Mobile IP.
The fourth section of this chapter discusses privacy regarding location and transaction in wireless environments. The fifth section presents two aspects regarding security modeling in wireless environments. The first is related to the specification of trust, modeling, and verification. The second addresses the specification and verification of security policies that take into consideration wireless threats.
TRUST MANAGEMENT
Trust management represents the skeleton of any network security framework. The absence of a centralized entity, for example, in ad hoc networks makes trust management a challenging problem to address.
Trust Establishment Basis
Trust describes a set of relations among entities engaged in various protocols, which are established based on a body of assurance evidence. A trust is established between two different entities further to the application of an evaluation metric to trust evidence. The established relations may be composed with other trust relations to generate new relations. Trust may influence decisions including access control. To clarify the process of trust establishment, we consider the following example. Assume two trust relations A and B. Relation A states that “a certification authority CA1 accepts entity X’s authentication evidences” and is established off-line upon delivery of some evidences (e.g., identity, employment card) by X to B. Upon the establishment of A, the certification authority CA1 issues a certificate binding a public key to X. Then, it stores the relation in its trust database registering X with its certificate. Relation B states that “a certification authority CA2 accepts CA1’s authentication of any entity registered by CA1”. To establish B, certification authority CA2 may ask CA1 to deliver some evidences such as: (1) CA1’s authentication of entities is done using satisfactory mechanism and policy; and (2) certification authority CA1’s trust database is protected using satisfactory security mechanisms and policies. The establishment of such trust relation leads to the publication of a certificate signed by CA2, associating CA1’s public key. The relation is then stored in CA2’s trust database. The composition of the two trust relations leads to the acceptance of CA1’s authentication of X by CA2.
One of the main properties that need to be handled during trust establishment techniques is transitivity. To decide whether a trust relation is transitive or not, evidences used to establish trust should ensure (1) availability, meaning that evidences can be evaluated at any time by the entities wishing to establish trust; (2) uniformity, meaning that evidences satisfy the same global metrics of adequacy; (3) stability, which means that authentication mechanism cannot change accidentally or intentionally; and (4) long-term existence, meaning that evidences last as long as the time used to gather and evaluate it.
Need for Trust Management in Mobile Networks
While there are extensive research works that contributed to the management of trust in complex systems, the great majority of them was set up for fixed infrastructures; assumed long-term availability and validation of evidences; and generated lengthy validation process. Several characteristics of wireless networks including unreliable transmission range and topology changes made trust management a challenging task. The focus on ad hoc networks was based on the fact that these networks are self-organized and barely suppose the existence of trustworthy nodes. In infrastructure-based wireless networks such as cellular networks and WLAN, the base stations (BSs) (or access points [APs]) are considered trustworthy. Three main requirements need to be fulfilled by trust establishment process in wireless ad hoc networks. First, trust should be established in a distributed manner without a pre-established trust infrastructure. In fact, connectivity to certification authorities’ directory servers in the node’s home domain cannot be guaranteed in mobile ad hoc network (MANET) when needed. As a consequence, trust establishment in MANET must support peer-to-peer trust relations.
Second, trust establishment should be performed online and trust relations should have short-life period. This is mainly due to the fact that in MANET, when a node moves randomly from a location to another, its security context may change. For instance, when a node moves to a location in which its compromise becomes possible, any trust relation that involves such node should be withdrawn. Such behavior should not affect network connectivity and new trust evidences should be gathered as a consequence. Third, trust establishment should be tolerant to incomplete evidence or unavailable trust relations. In fact, in MANET, it becomes unfair to suppose that all evidences are available to all nodes when they are required to establish trust. Therefore, trust relations should be established using incomplete or uncertain trust evidences, based on the incomplete amount of information that each node holds.
When nodes plan to communicate, they must initially interact with each other and establish a certain level of trust. The change of such level may be triggered further to interaction between neighboring nodes or further to a recommendation from a third party. As a node in the MANET has only a partial view of the whole network, additional mechanisms should be designed to allow these nodes to identify valid trust evidences and prevent intruders from altering them or modifying the trust value of other nodes. To clarify this issue, Figure 1 depicts two networks. In the first network, users User1x need to communicate very often with server Server1. In the second network, users User2x need to communicate very often with server Server2. Different trust relations can be established. Nodes in network 1 and 2 trust each other based on identity certificates which are registered by certification authority CA1 and CA2, respectively. In this scenario, User12 has lost communication with server 1 and User11, because it moved out of the coverage. Some among User2x can be found under the communication range of User12. To reach Server1, User12 has to authenticate itself to any User2x and get access to the second ad hoc network. To do so, User12 provides its certificate (as signed by CA1) to User21. User21 has to decide whether to accept such trust evidence. Assume now that the access policy requires that any node that wants to access the ad hoc network should provide a valid identity certificate from a trusted authority. Thus, User21 should contact its trusted certification authority (CA2) and get the CA1 certificate signed by CA2. After that, User21 will be able to validate the certificate of User12. Transitivity of the trust relation is thus established.
[Figure 1: two ad hoc networks, each with a CA, a server, and users; legend: communication link, broken link, trust relation]
Recent Advances in Trust Management
Former trust establishment solutions focused mainly on procedures to locate the communicating peer’s certificate in order to determine the cryptographic key. In this context, Balfanz, Smetters, Stewart, and Wong (2002) base their solution on using a location-limited channel to allow nodes to perform pre-authentication of each other. As the propagation of the channel is limited, intruders have an outside chance to mount a successful passive attack. While pre-authentication does not require a heavy bandwidth, the existence of location-limited channel represents a very restrictive assumption. The approach proposed in Ren et al. (2004) assumes a minimum storage requirement to establish trust in mobile ad hoc networks. A centralized secret dealer is introduced into the network during the system bootstrapping phase and is supposed to be trusted by all nodes. Every node is assumed to have a pair of public/private key where the public key is known by the secret dealer.
In the first part of network bootstrapping, every node receives a pre-computed short list, say SL, from the secret dealer. SL represents k tuples binding node identifiers to related public keys. These bindings are distributed symmetrically, meaning that if node j receives the node identifier of i and its corresponding public key, then node i will also receive node i identifier and its public key. In the second part of the bootstrapping phase, each node generates k certificates, one certificate for every received binding, assuming that every certificate contains the signature on the selected binding from the received secret list. These certificates will therefore be stored locally. The value of k is chosen so that there is a sufficient trust relation in the network and the distribution scheme should ensure the certainty of being able to establish a trust chain between any two nodes.
After the system bootstrapping phase is finished, there is no need for the secret dealer to continue existing. To accommodate the dynamic changing of the network structure, every node is assumed to be able to establish independent trust relationship with at least two nodes.
When a node leaves the network properly, it broadcasts information about its departure and signs them. Consequently, the receiving nodes revoke the certificate that was issued to that leaving node. One major advantage of this solution lies in the fact that (1) it decreases the length of the trust path, and (2) it is slightly affected by the dynamic nature of the ad hoc network. However, guaranteeing that sufficient trust relations exist in the network requires a large care during the selection of the value of k.
On one hand, the work in Baras and Jiang (2004) proposed to investigate the stability of trust establishment by modeling a MANET as an indirect graph where edges represent pre-trust relations. The two authors cast the problem of trust computation and evaluation by every individual node as a cooperative game and base it on elementary voting methods. In Theodorakopoulos and Baras (2004), the process of trust relation establishment is formulated as a path problem on a weighted directed graph. The vertices in the graph represent the entities and a weighted edge (i, j) represents the opinion that entity i has about entity j. Such opinion consists of two numbers: the trust value and the confidence value. The trust value is an estimate of the trustworthiness of the target, while the confidence value corresponds to the accuracy related to the assignment of the trust value. Using the formal theory of semirings, one can show how two nodes can establish an indirect trust relation without previous direct interaction. For that case, two operators were developed allowing to combine trust opinions along different paths and compute the trust-confidence value between pair of nodes.
GENERAL MODELS FOR AUTHENTICATION IN WIRELESS NETWORKS
In addition to authentication solutions applied to specific wireless technologies, some general models are introduced in wireless networks. This section discusses these models.
Actors in an Authentication System
Basically, an authentication system is composed of three actors: (1) a supplicant, (2) an authenticator, and (3) a trusted third party (TTP). The supplicant is an entity that requests access to network resources. It may be a person, or an application running on a mobile node. The access to protected resources is gained only if the credentials provided by the supplicant are validated by the authenticator. In an authentication system, a credential is an identifier that is used by an authenticator to check whether the supplicant is authorized. It may be symmetric key, a public/private key pair, a generated hash, or some contextual information such as physical characteristic that uniquely identifies a supplicant (e.g., GPS location, signal to noise ratio, etc.). Finally, a TTP is an entity that is mutually trusted by the supplicant and the authenticator and facilitating mutual authentication between the two parties (Aboudagga, Refaei, Eltoweissy, DaSilva, & Quisquater, 2005). An authentication process is made up of a set of messages that are exchanged between these actors (as illustrated by Figure 2). Authentication includes four components as follows: (1) “S” denotes the supplicant; (2) “D” denotes the destination mobile node; (3) “As” denotes the authenticator; and (4) “Ad” denotes the destination authentication server. Adding a TTP to this model introduces additional exchanged messages in order to establish trust between the different interacting nodes.
Authentication Management Architecture
An authentication system is based on an authentication protocol that fixes the interaction between the different components described previously. The interaction is made using a set of messages between system components. In a wireless environment, node mobility offers many advantages, but at the same time it may affect the overall system efficiency. Consequently, deploying an authentication system in a wireless environment needs to consider several aspects including authenticators’ number and placements. The choice made on the placement of these servers has an effect on the time spent to authenticate a mobile node and the packet loss ratio. Typically, two strategies may be adopted concerning the authentication servers placement. The former aims at placing authentication servers on the same network within mobile nodes. This solution leads to route the two types of traffic exchanged (data and authentication traffic) within the same network. Consequently, the contention and the packet loss ratio are increased. However, the time spent during authentication is reduced compared with the second solution that aims to place authentication servers outside of the network and thus forwarding authentication traffic outwards. The latter solution reduces the packet loss ratio and liberates the network bandwidth for useful traffic.
one held by the server) are taken, vary considerably over time since they are taken under different working conditions. Therefore, two samples of the same object, such as a fingerprint generated by two different sensors, are most likely not identical. Cryptographic hash functions, however, do not usually preserve distances and hence two samples of the same object may result in different digests at different conditions.
Introducing sampling in the authentication process may be a solution to reduce bandwidth and power requirements in a wireless environment. As an example of schemes that follow this principle, LAWN is a remote authentication protocol that enables repetitive remote authentication with large keys (Arnab, Rajnish, & Umakishore, 2005). This approach is motivated by the concept of a holographic proof (Polishchuk & Spielman, 1994; Spielman, 1995). A holographic proof is a proof of some fact, so constructed that, to verify the proof, one does not need to scan through its entire length (Arnab et al., 2005). The verification process is limited to the examination of small parts randomly selected. According to this technique, a small sample of the authentication token is prepared, which can be used at the remote end to perform authentication with high probability of correctness. This technique allows saving bandwidth and power, since if the length of the original authentication token is n, then the selected sample is only O(log n). As samples may be different, a function that computes the difference between the patterns is needed. This may be achieved by computing the Hamming distance that gives as a result the number of bit positions where two strings differ.
In the following, several general authentication techniques are detailed.
Password Authentication
Password authentication is among the solutions that are frequently required in wireless networks. Implementations according to this principle are vulnerable to multiple attacks that generally have targeted stored passwords or passwords sent across the network. As a solution to these threats, a proposed scheme should include cryptography techniques to protect stored credentials. Some security protocols are used to secure credentials. As an example of techniques that fulfil these needs, we mention the scheme proposed in I-En, Cheng-Chi, and Min-Shiang, which supports the Diffie-Hellman key agreement protocol over insecure networks and functions according to three phases: registration, login, and authentication.
This scheme employs basic concepts, such as one-way hash function and discrete logarithm problem. During the registration phase, the server assigns smart cards to the users requesting registration. The registration phase is performed only when a new user needs to join the system. However, the login and authentication phases are performed at each user login attempt. During registration, the user chooses an identifier (ID) and a password (PW), and computes h(PW) using a one-way function h. ID and h(PW) are sent to the server through a secure channel. After receiving the registration message, the server calculates $B = g^{h(x \| ID) + h(PW)} \bmod p$, where p is a large prime number initially selected by the server, and g is a primitive number in GF(p). After computing B, the server issues a smart card holding ID, B, p, g and delivers it to the user securely. During login, the user inserts the smart card into a terminal and enters his/her ID and PW. Then, the terminal generates a login request message based on the entered information and sends it to the server. At the server side, $B'' = g^{h(x \| ID) R} \bmod p$ is computed, where x is the server’s secret key, ID is the user’s identity, and R is a random number generated by the server. After that, the server calculates h(B'') and sends it in addition to R to the user. When received at the user side, the user’s smart card computes $B' = (B g^{-h(PW)})^{R} \bmod p$ and the validity of the server is checked by comparing h(B') and h(B'').
If the server is considered valid, the user’s module computes $C = h(T \| B')$, where T is the timestamp associated to the current login, otherwise the server is considered invalid and the user moves again to the login phase. At this step, the user’s module sends (ID, C, T) to the server. After receiving the request, the server performs the checks to determine whether the user is allowed
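The registration, login and authentication exchange of the smart-card password scheme described above, as an added example that is not code from the chapter or from the scheme's authors. It assumes SHA-256 for h, a 64-bit safe-prime group generated on the fly as constructed toy parameters, a login request that carries only ID, and a final server check (T is fresh and C equals h(T ‖ B'')) chosen here because the page's text breaks off before describing it.

```python
import functools
import hashlib
import hmac
import secrets
import time


def is_prime(n: int) -> bool:
    """Miller-Rabin over the first 12 primes (deterministic for n < 2**64)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@functools.lru_cache(maxsize=None)
def toy_group(bits: int = 64):
    """Constructed demo parameters: a safe prime p = 2q + 1 and a primitive g in GF(p)."""
    q = 2 ** (bits - 2) + 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    # With p - 1 = 2q, g is primitive iff g^2 != 1 and g^q != 1 (mod p).
    g = next(c for c in range(2, p) if pow(c, 2, p) != 1 and pow(c, q, p) != 1)
    return p, g


def h(data: bytes) -> bytes:
    """One-way function h; SHA-256 is an assumption, the page names no hash."""
    return hashlib.sha256(data).digest()


def h_int(data: bytes) -> int:
    return int.from_bytes(h(data), "big")


def enc(n: int, p: int) -> bytes:
    """Fixed-width big-endian encoding of a group element before hashing."""
    return n.to_bytes((p.bit_length() + 7) // 8, "big")


class Server:
    def __init__(self, bits: int = 64, max_age: int = 60):
        self.p, self.g = toy_group(bits)
        self.x = secrets.token_bytes(32)   # server secret key x
        self.max_age = max_age             # freshness window for T (assumption)
        self.pending = {}                  # ID -> B'' awaiting the user's reply

    def register(self, uid: str, h_pw: int) -> dict:
        """Registration over a secure channel: B = g^(h(x||ID) + h(PW)) mod p."""
        B = pow(self.g, h_int(self.x + uid.encode()) + h_pw, self.p)
        return {"ID": uid, "B": B, "p": self.p, "g": self.g}   # smart-card contents

    def challenge(self, uid: str):
        """Login request received: B'' = g^(h(x||ID) * R) mod p, reply (h(B''), R)."""
        R = secrets.randbelow(self.p - 3) + 2
        B2 = pow(self.g, h_int(self.x + uid.encode()) * R, self.p)
        self.pending[uid] = B2
        return h(enc(B2, self.p)), R

    def verify(self, uid: str, C: bytes, T: int, now=None) -> bool:
        """Assumed final check: T is fresh and C == h(T || B''); B'' is single-use."""
        B2 = self.pending.pop(uid, None)
        now = int(time.time()) if now is None else now
        if B2 is None or not 0 <= now - T <= self.max_age:
            return False
        return hmac.compare_digest(C, h(T.to_bytes(8, "big") + enc(B2, self.p)))


def card_login(card: dict, pw: str, server_proof: bytes, R: int, now=None):
    """Smart card: B' = (B * g^(-h(PW)))^R mod p; returns (ID, C, T) or None."""
    p, g = card["p"], card["g"]
    B1 = pow(card["B"] * pow(g, -h_int(pw.encode()), p) % p, R, p)
    if not hmac.compare_digest(h(enc(B1, p)), server_proof):
        return None                        # server treated as invalid, back to login
    T = int(time.time()) if now is None else now
    return card["ID"], h(T.to_bytes(8, "big") + enc(B1, p)), T
```

The server keeps no password table: it recomputes h(x ‖ ID) on every login. A mistyped password is indistinguishable on the card from an invalid server, because both make h(B') differ from h(B'').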
Multimedia Encryption
(Lian, Sun, & Wang, 2004a). These algorithms obtain high perceptual security and encryption efficiency. In JPEG2000 image encryption, only the significant streams in the encoded data stream are encrypted (Ando, Watanabe, & Kiya, 2001, 2002; Lian, Sun, & Zhang, 2004b; Norcen & Uhl, 2003; Pommer & Uhl, 2003), which is selected according to the scalability in space or frequency domain. These algorithms often keep secure in perception. Figure 2 gives the encryption result of the algorithm proposed in Lian et al. (2004b). As can be seen, the encrypted image is unintelligible. Additionally, in these algorithms, no more than 20% of the data stream is encrypted, which obtains high efficiency.
Partial video encryption. Compared with images or audios, videos are often of higher redundancy, which are compressed in order to save the transmission bandwidth. Among the video codecs, MPEG1/2, MPEG4, and H.264/AVC are more popular. Combined with them, some video encryption algorithms have been proposed, which save time cost by encrypting the compressed video data selectively or partially.
In MPEG1/2 codec, the signs of DCT coefficients are encrypted with the video encryption algorithm (VEA) (Shi & Bhargava, 1998a), the signs of direct current coefficients (DCs) and motion vectors are encrypted with a secret key (Shi & Bhargava, 1998b), the base layer is encrypted while the enhancement layer is left unencrypted (Tosun & Feng, 2001a), the DCT coefficients are permuted (Lian, Wang, & Sun, 2004c; Tang, 1996), or the variable length coding (VLC) tables are modified by rearranging, random bit-flipping, or random bit-insertion (Wu & Kuo, 2000, 2001).
In MPEG4 codec, the Minimal Cost Encryption Scheme (Kim, Shin, & Shin, 2005) is proposed to encrypt only the first 8 bytes in the macroblocks (MBs) of a video object plane (VOP). It is implemented and proved suitable for wireless terminals. A format-compliant configurable encryption framework (Wen, Severa, Zeng, Luttrell, & Weiyin, 2002) is proposed for MPEG4 video encryption, which can be reconfigured for a given application scenario including wireless multimedia communication.
In H.264/AVC codec, the intra-prediction mode of each block is permuted with the control of the key (Ahn, Shim, Jeon, & Choi, 2004), which makes the video data degraded greatly. Some other algorithms (Lian, Liu, & Ren, 2005a; Lian, Liu, Ren, & Wang, 2006a) encrypt the DCT coefficients and motion vectors with sign encryption. Because these algorithms encrypt both the texture information and motion information, they often obtain high security in human perception. Figure 3 shows the results of the algorithm proposed in Ahn et al. (2004) and the one proposed in Lian et al. (2005a). As can be seen, the video encrypted by the former algorithm is still intelligible, while the video encrypted by the latter algorithm is unintelligible. Thus, for high security, the latter encryption algorithm is preferred.
Figure 3. Video encryption based on AVC codec
Communication Compliant Encryption
Multimedia data are often encrypted before being transmitted. In the encrypted data stream, transmission errors are often spread out due to encryption algorithms’ ciphertext-sensitivity (Mollin, 2006). In wireless/mobile applications, some means should be taken to reduce the error propagation.
Constructing the encryption algorithms based on error correction code may be a solution. For example, the encryption algorithm based on forward error correction (FEC) code is proposed in Tosun & Feng (2001b), which permutes the information-bits and complements a subset of the bits. The encryption algorithm can preserve the error robustness of the encrypted multimedia data, that is, the encrypted data stream can realize error correction itself. Additionally, the encryption algorithm is implemented very efficiently because of the simple encryption operations. Thus, it has some desirable properties suitable for wireless multimedia transmission. However, the disadvantage is also clear that it is not secure against known-plaintext attacks.
Another solution is to change the block length in data encryption. Generally, the block length is in close relation with the error propagation property. Taking stream cipher and block cipher for examples, the former one is of low error propagation, while the latter one is often of high error propagation. Generally, the bigger the block length is, the higher the error propagation is. Due to this case, a robust encryption scheme for secure image transmission over wireless channels is proposed in Nanjunda,
[Figure: video (key K); frames 0 to N-1 (keys K0 to KN-1); slices 0 to M-1 of each frame, labelled with their frame's key]
[Figure 5: labels Encryption, Cut]
Figure 5, which encrypts only the base layer and middle layer in the three layers (base layer, middle layer, and enhancement layer) of an MPEG2 video stream. In this algorithm, the enhancement layer is left unencrypted, which can be cut off directly. Wee and Apostolopoulos (2001, 2003) and Zhu, Yuan, Wang, and Li (2005) proposed the algorithms for secure scalable streaming enabling transcoding without decryption. Generally, the stream is partitioned into segments according to the cipher’s code length. To change the bit-rate, some segments at the end of the stream are cut off directly.
THE WATERMARKING ALGORITHMS FOR WIRELESS MULTIMEDIA
Watermarking algorithms (Barni & Bartolini, 2004; Cox et al., 2002) are generally composed of two parts, that is, watermark embedding and watermark extraction/detection. Generally, watermarking algorithms should be robust to some operations, such as recompression, A/D or D/A conversion, noise, filtering, and so forth and can survive such attacks as geometric attack, collusion attack, copy attack, and so forth. Similar to encryption algorithms, some watermarking algorithms may be of high security and robustness, but they are also of high time or energy cost. On the contrary, the watermarking algorithms with low cost are often of low security or robustness. This contradiction becomes a problem in wireless/mobile environment when the limited energy or computing capability is provided. Experiments have been done to analyze the energy consumption, complexity and security level of multimedia watermarking on mobile handheld devices (Kejariwal, Nicolau, Dutt, & Gupta, 2005). And some conclusions are drawn: (1) the security level often contradicts with energy consumption, (2) watermark extraction/detection may be of higher cost than watermark embedding, and (3) image resolution affects the energy consumption. To conquer these problems, some proposals are presented, for example, introduce the tunable parameter to obtain trade-offs between security level, energy consumption, and other performances, or move some computationally expensive tasks to mobile proxies.
Mobile Agent Based Task Partitioning
Mobile agents use the proxies as agents that can connect to a range of heterogeneous mobile terminals. Using mobile agents to reduce the load of the server or terminals has been widely studied (Burnside et al., 2002; Rao, Chang, Chen, & Chen, 2001). If the mobile agent can implement watermark embedding or extraction/detection, then the terminals’ computing load will be greatly reduced.
[Figure: media data and watermark, MDC encode, MDC decode, extracted watermark]
[Figure: media server, content, access right]
watermarked files are encrypted then distributed over p2p networks. The customer can access the encrypted music files, while must apply for the right from the server before he can decrypt the files. The watermark extracted from the music file can prove the legality of the music.
Secure Multimedia Distribution
In secure multimedia distribution, multimedia data are transmitted from the server to customers in a secure way. In this case, the confidentiality can be protected, and the illegal distributor who redistributes his/her copy to other customers can be traced. Generally, both encryption and watermarking technology are used. Till now, three kinds of schemes have been proposed, which embed watermarks at the server side, in the router or at the client side, respectively. In the first kind of scheme, the customer information is embedded into multimedia data at the server side before multimedia encryption. This scheme is more suitable for unicast than for multicast or broadcast because it is difficult for the server to assign different copies to different customers simultaneously. In the second kind of scheme, the customer information is embedded by the routers in lower level (Brown, Perkins, & Crowcroft, 1999), which distributes the server’s loading to the routers. This scheme reduces the server’s loading, but also changes the network protocols. In the third kind of scheme, the customer information is embedded at the customer side (Bloom, 2003). This scheme is time efficient, but the security is a problem because of the isolation between decryption and watermarking. Some means (Anderson & Manifavas, 1997; Kundur & Karthik, 2004; Lian, Liu, Ren, & Wang, 2006b) have been proposed to improve the security, which combine decryption with watermark embedding. These combined methods improve the system’s security at the same time of keeping low cost.
Commutative Watermarking and Encryption
Generally, watermarking operation and encryption operation are separate. That is, the encrypted multimedia data should be decrypted before being watermarked. In some applications, if the triple operation decryption-watermarking-encryption can be avoided, the operation cost will be reduced greatly. In this case, the encrypted multimedia data can be watermarked directly without decryption, and the watermark can be extracted directly from the encrypted or decrypted multimedia data. This kind of watermarking-encryption pair is named commutative watermarking and encryption (CWE). A practical scheme is proposed in Lian, Liu, Ren, and Wang (2006c), which is based on partial encryption. In this scheme, multimedia data are partitioned into two parts, that is, the perception significant part and the robust part, among which, the perception significant part is encrypted, while the robust part is watermarked. Thus, the encryption and watermarking are independent of each other, and they support the commutative operations.
OPEN ISSUES
Contradiction Between Format Independence and Format Compliance
To keep low cost, partial encryption scheme is used to encrypt multimedia data, which keeps format compliant. Thus, for different multimedia data or different codec, the encryption algorithms are often different. If various multimedia data are included in an application, then various encryption algorithms should be used, and some extra information is required to tell which encryption algorithm has been used. Compared with format compliant encryption, format independent encryption regards multimedia data as binary data and is easy to support various data. Thus, for the applications with versatile data, format independent encryption is more suitable. For example, in such DRM systems as internet streaming media alliance (ISMA), advanced access content system (AACS), or open mobile alliance (OMA) (Kundur et al., 2004), the algorithms, advanced encryption standard (AES) and data encryption standard (DES), are recommended to encrypt multimedia data not considering the file format. Thus, for practical applications, the trade-off between computational cost and convenience is to be made, which determines which kind of algorithm should be used.
Standardization of Watermarking Algorithms
Compared with encryption algorithms that have been standardized to some extent, watermarking algorithms are still in study. For the diversity of multimedia content, the difficulty in multimedia understanding and the variety of applications, it is difficult to standardize multimedia watermarking algorithms. Generally, they have different performances in security, efficiency, robustness, capacity, and so forth. Using which watermarking algorithm depends on the performances required by the applications. Defining suitable watermarking algorithms will provide more convenience to wireless/mobile applications.
Fingerprint Algorithms Against Collusion Attacks
In secure multimedia distribution, collusion attack (Zhao, Wang, & Liu, 2005) threatens the system. That is, different customers combine their copies together through averaging, substitution, and so forth, which produces a copy without any customer information. To counter this attack, some fingerprint encoding methods (Boneh & James, 1998; Wu, Trappe, Wang, & Liu, 2004) have been proposed. These methods generate different fingerprint codes for different customers, and the colluded copy can still tell one or more of the colluders. However, there is still a trade-off between the watermark capacity and the supported customers, and some new attacks are still not predicted, such as the linear
Key Management in Mobile Applications
Multimedia encryption and watermarking can both be controlled by the keys; key management needs to be investigated. For example, whether the encryption key should be independent of the watermarking key, and how to assign different decryption keys to different customers in multimedia distribution? Additionally, for multicast or p2p networks, key generation and distribution (Cherukuri, 2004; Eskicioglu, 2002) are important topics not only in fixed networks but also in mobile environments.
CONCLUSION
In this chapter, mobile/wireless multimedia encryption and watermarking algorithms are introduced and analyzed, including the general requirements, various multimedia encryption algorithms, some watermarking algorithms, the combination between encryption and watermarking, and some open issues. Among them, the multimedia encryption algorithms are classified and analyzed according to the functionalities, and the watermarking algorithms with low cost are emphasized. The combination between encryption and watermarking brings up some new research topics, for example, fingerprint or commutative watermarking and encryption. And some open issues are also presented, including the contradiction between format compliance and format independence, the standardization of watermarking algorithms, the fingerprint algorithms resisting collusion attacks, and the key management in mobile applications.
combination collusion attack (LCCA) attack (Wu, rEfErEncEs
Thus,
. )05 2 betterfingerprintencodingmethods
withgoodefficiencyareexpected. Ahn, J., Shim, H., Jeon, B., & Choi, I. (2004). Digital
video scrambling method using intra prediction
mode. In PacificRimConferenceonMultimedia,
PCM2004 (LNCS 3333, 386-393). Springer.
0
Multimedia Encryption
Alattar, A., Lin, E., & Celik, M. (2003). Digital watermarking of low bit-rate advanced simple profile MPEG-4 compressed video. IEEE Transactions on Circuits and Systems for Video Technology, 13, 787-800.

Ambroze, A., Wade, G., Serdean, C., Tomlinson, M., Stander, J., & Borda, M. (2001). Turbo code protection of video watermark channel. IEE Proceedings of Vision and Image Signal Processing, 148, 54-58.

Anderson, R., & Manifavas, C. (1997). Chameleon—A new kind of stream cipher. In Fast Software Encryption (LNCS, vol. 1267, pp. 107-113). Springer-Verlag.

Ando, K., Watanabe, O., & Kiya, H. (2001). Partial-scrambling of still images based on JPEG2000. In Proceedings of the International Conference on Information, Communications, and Signal Processing, Singapore.

Ando, K., Watanabe, O., & Kiya, H. (2002). Partial-scrambling of images encoded by JPEG2000. IEICE Transactions, J85-D-1 (2), 282-290.

Arora, S., & Emmanuel, S. (2003). Real-time adaptive speech watermarking scheme for mobile applications. In Proceedings of the International Conference on Information, Communications & Signal Processing (ICICS)—IEEE Pacific-Rim Conference on Multimedia (PCM) (pp. 850-853).

Ashourian, M., & Ho, Y. (2003). Multiple description coding for image data hiding jointly in the spatial and DCT domains. In ICICS 2003 (LNCS 2836, 179-190).

Barni, M., & Bartolini, F. (2004). Watermark systems engineering. Marcel Dekker.

Bloom, J. (2003). Security and rights management in digital cinema. Proceedings of IEEE International Conference on Acoustic, Speech and Signal Processing, 4, 712-715.

Boneh, D., & James, S. (1998). Collusion-secure fingerprinting for digital data. IEEE Transactions on Information Theory, 44(5), 1897-1905.

Brown, I., Perkins, C., & Crowcroft, J. (1999). Watercasting: Distributed watermarking for multicast media. In Proceedings of the First International Workshop on Networked Group Communication (LNCS 1736, pp. 286-300). Springer-Verlag.

Burnside, M., Clarke, D., Mills, T., Maywah, A., Devadas, S., & Rivest, R. (2002). Proxy-based security protocols in networked mobile devices. In Proceedings of the 2002 ACM symposium on Applied Computing (pp. 265-272).

Chang, Y., Han, R., Li, C., & Smith, J. R. (2004). Secure transcoding of Internet content. In Proceedings of International Workshop on Intelligent Multimedia Computing and Networking (IMMCN) (pp. 940-943).

Checcacci, N., Barni, M., Bartolini, F., & Basagni, S. (2000). Robust video watermarking for wireless multimedia communications. In Proceedings of the 2000 IEEE Conference on Wireless Communications and Networking (pp. 1530-1535).

Cherukuri, S. (2004). An adaptive scheme to manage mobility for secure multicasting in wireless local area networks. Unpublished masters thesis, Arizona State University, Tempe.

Chu, S., Hsin, Y., Huang, H., Huang, K., & Pan, J. (2005). Multiple description watermarking for lossy network. IEEE Computer Society, 4, 3990-3993.

Cox, I., Miller, M., & Bloom, J. (2002). Digital watermarking. San Francisco: Morgan Kaufmann.

Desset, C., Macq, B., & Vandendorpe, L. (2002). Block error-correcting codes for systems with a very high BER: Theoretical analysis and application to the protection of watermarks. Signal Processing: Image Communication, 17, 409-421.

Dutta, A., Das, S., Li, P., & Auley, A. (2004). Secured mobile multimedia communication for wireless Internet. In Proceedings of 2004 IEEE International Conference on Networking, Sensing & Control (pp. 181-186).

Eskicioglu, A. (2002). Multimedia security in group communications: Recent progress in wired and wireless networks. In Proceedings of the IASTED

Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006c). Commutative watermarking and encryption for media data. International Journal of Optical Engineering, 45(8), 0805101-0805103.

Lian, S., Liu, Z., Ren, Z., & Wang, Z. (2005b). Selective video encryption based on advanced video coding. In Proceedings of Pacific-Rim Conference on Multimedia (PCM2005) (pp. 281-290).

Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006a). Secure advanced video coding based on selective encryption algorithms. IEEE Transactions on Consumer Electronics, 52(2), 621-629.

Lian, S., Sun, J., & Wang, Z. (2004a). A novel image encryption scheme based-on JPEG encoding. In Proceedings of International Conference on Information Visualization (IV 2004) (pp. 217-220).

Lian, S., Sun, J., Zhang, D., & Wang, Z. (2004b). A selective image encryption scheme based on JPEG2000 codec. In Proceedings of 2004 Pacific-Rim Conference on Multimedia (PCM2004) (LNCS 3332, pp. 65-72). Springer.

Lian, S., Wang, Z., & Sun, J. (2004c). A fast video encryption scheme suitable for network applications. In Proceedings of International Conference on Communications, Circuits and Systems, 1, 566-570.

Linnartz, J., & Dijk, M. (1998, April 15-17). Analysis of the sensitivity attack against electronic watermarks in images. Paper presented at the Workshop on Information Hiding, Portland, OR.

Liu, Q., & Jiang, X. (2005). Applications of mobile agent and digital watermarking technologies in mobile communication network. In Proceedings of the 2005 International Conference on Wireless Communications, Networking and Mobile Computing (pp. 1168-1170).

Liu, X., & Eskicioglu, A. (2003). Selective encryption of multimedia content in distribution networks: Challenges and new directions. In Proceedings of the IASTED International Conference on Communications, Internet and Information Technology (CIIT 2003). Scottsdale, AZ: ACTA Press.

Mollin, R. (2006). An introduction to cryptography. CRC Press.

Nanjunda, C., Haleem, M., & Chandramouli, R. (2005). Robust encryption for secure image transmission over wireless channels. In Proceedings of the IEEE International Conference on Communications (ICC) (pp. 1287-1291).

Norcen, R., & Uhl, A. (2003). Selective encryption of the JPEG2000 bitstream. In IFIP International Federation for Information Processing (LNCS 2828, 194-204).

Ong, C., Nahrstedt, K., & Yuan, W. (2003). Quality of protection for mobile multimedia applications. In Proceedings of the IEEE International Conference on Multimedia and Expo (ICME2003), Baltimore, MD.

Pal, S., Saxena, P., & Muttoo, S. (2004). Image steganography for wireless networks using the hadamard transform. In Proceedings of the 2004 International Conference on Signal Processing and Communications (pp. 131-135).

Pan, J., Hsin, Y., Huang, H., & Huang, K. (2004). Robust image watermarking based on multiple description vector quantization. Electronics Letters, 40(22), 1409-1410.

Petitcolas, F., Anderson, R., & Kuhn, M. (1999). Information hiding—A survey. Proceedings of IEEE, 87(7), 1062-1078.

Petrescu, M., Mitrea, M., & Preteux, F. (2005). Low rate video protection: The opportunity of spread spectrum watermarking. WSEAS Transactions on Communications, 7(4), 478-485.

Pfarrhofer, R., & Uhl, A. (2005). Selective image encryption using JBIG. In Proceedings of the IFIP TC-6 TC-11 international conference on communications and multimedia security (CMS 2005) (pp. 98-107).

Podesser, M., Schmidt, H., & Uhl, A. (2002). Selective bitplane encryption for secure transmission of image data in mobile environments. In CD-ROM Proceedings of the 5th IEEE Nordic Signal Processing Symposium (NORSIG 2002).

Chapter XVII
System-on-Chip Design of
the Whirlpool Hash Function
Paris Kitsos
Hellenic Open University (HOU), Patras, Greece
Abstract
In this chapter, a system-on-chip design of the newest powerful standard in the hash families, named Whirlpool, is presented. In more detail, an architecture and two very large-scale integration (VLSI) implementations are presented. The first implementation is suitable for high speed applications, while the second one is suitable for applications with constrained silicon area resources. The architecture permits a wide variety of implementation tradeoffs. Different implementations have been introduced and each specific application can choose the appropriate speed-area trade-off implementation. The implementations are examined and compared in the security level and in the performance by using hardware terms. Whirlpool with RIPEMD, SHA-1, and SHA-2 hash functions are adopted by the International Organization for Standardization (ISO/IEC, 2003) 10118-3 standard. The Whirlpool implementations allow fast execution and effective substitution of any previous hash families' implementations in any cryptography application.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
The Provably Secure Formal Method
The design and analysis of secure key-agreement protocols has proved to be a non-trivial task, with a large body of work written on the topic. Among the methods for the design and analysis of key-agreement protocols, formal methods have always been a focus of international research in cryptography. Over the years, two distinct views of formal methods, the symbolic logic method and the computational complexity method, have developed in two mostly separate communities (Martin & Phillip, 2002). The symbolic logic method relies on a simple but effective symbolic formal expression approach, in which cryptographic operations are seen as functions on a space of symbolic formal expressions (e.g., BAN, communicating sequential processes [CSP], NRL) (Wenbo, 2004). The other one, the computational complexity method, relies on a detailed computational model that considers issues of complexity and probability of successful attacks, in which cryptographic operations are seen as functions on strings of bits.

The provably secure formal method, which is based on the computational complexity method, is a very active research topic at present. Its salient property is that the security protocols designed with it are provably secure. Among the provably secure formal methods, the CK model and the UC security model are very popular.

In 2001, Canetti and Krawczyk presented the CK model for the formal analysis of key-exchange (KE) protocols. A session-key security definition and a simple modular methodology to prove a KE protocol with this definition are introduced in this model. One central goal of the CK model is to simplify the usability of the definition via a modular approach to the design and analysis of KE protocols. It adopts the indistinguishability approach (Bellare, Canetti, & Krawczyk, 1998) to define security: A KE protocol is called secure if under the allowed adversarial actions it is infeasible for the attacker to distinguish the value of a key generated by the protocol from an independent random value. The security guarantees that result from the proof by the CK model are substantial as they capture many of the security concerns in the real communications setting.

Concurrent composition is a fact of life of real network settings. Protocols that are proven secure in the stand-alone model are not necessarily secure under composition. Therefore, it does not suffice to prove that a protocol is secure in the stand-alone model. The UC security model proposed by Canetti in 2001 (Birgit & Michael, 2001) is for representing and analyzing cryptographic protocols under concurrent circumstances (Yeluda, 2003). The salient property of definitions of security in this framework is that they guarantee security even when the given protocol is running in an arbitrary and unknown multi-party environment. An approach taken in this framework is to use definitions that treat the protocol as stand-alone but guarantee secure composition. Security in complex settings (where a protocol instance may run concurrently with many other protocol instances, on arbitrary inputs and in an adversary controlled way) is guaranteed via a general composition theorem. On top of simplifying the process of formulating a definition and analyzing protocols, this approach guarantees security in arbitrary protocol environments, even unpredictable ones that have not been explicitly considered. The abstract level of UC security goes far beyond other security models; therefore, it tends to be more restrictive than other definitions of security. The most outstanding feature of the UC framework is its modular design concept: a protocol may be designed alone, and so long as the protocol satisfies UC security, it is guaranteed to be secure when it runs concurrently with other protocols.

This chapter focuses mainly on the introduction, analysis, and applications of these two provably secure formal methods. The rest of this chapter is organized as follows. In the next section, the CK model and the UC security model are introduced. In the third section, we analyze the security of the CK model. A bridge between this formal method and the informal method (heuristic method) is established. What is more, the advantages and disadvantages of the CK model are given. In the Universally Composable Anonymous Hash Certification Model section, an extension of the UC security model is presented. The UC security model fails to characterize the special security requirements of anonymous authentication with
other kinds of certificates. Therefore the UC security model is extended, and a new model, the universally composable anonymous hash certification model, is presented. In this model, an anonymous hash certification ideal function is introduced, which fulfills the identity authentication by binding the identity to special hash values. In addition, a more universal certificate CA model is presented, which can issue the certificate with a specific form (for example, a hash value). In the fifth section, we analyze the four-way handshake protocol in 802.11i with the CK model and UC security model. In the sixth section, first, the authentication modules in the Chinese WLAN national standard WAPI and its implementation plan are analyzed with the CK model. Then we point out how the implementation plan overcomes the security weaknesses in the original WAPI. The last two sections contain the future trends and conclusions.

Background Overview

Definition 1: Key-agreement protocol (Menezes, Van Oorschot, & Vanstone, 1996). A key-agreement protocol or mechanism is a key establishment technique in which a shared secret is derived by two (or more) parties as a function of information contributed by, or associated with, each of these, (ideally) such that no party can predetermine the resulting value.

The CK model and UC security model are very popular provably secure formal methods for key-agreement protocols at present. In this section, these two security models are introduced respectively, and the relationship between the security definitions in these two models is also given.

The Canetti-Krawczyk Model

A KE protocol is run in a network of interconnected parties where each party can be activated to run an instance of the protocol called a session. A KE session is a quadruple (A, B, X, Y) where A is the identity of the holder of the session, B the peer, X the outgoing messages in the session, and Y the incoming messages. The session (B, A, Y, X) (if it exists) is said to be matching to the session (A, B, X, Y). Matching sessions play a fundamental role in the definition of security (Canetti & Krawczyk, 2001).

Attacker Model

The attacker is modeled to capture realistic attack capabilities in open networks, including the control of communication links and the access to some of the secret information used or generated in the protocol. The attacker, denoted M, is an active "man-in-the-middle" adversary with full control of the communication links between parties. M can intercept and modify messages sent over these links, it can delay or prevent their delivery, inject its own messages, interleave messages from different sessions, and so forth. (Formally, it is M to whom parties hand their outgoing messages for delivery.) M also schedules all session activations and session-message delivery. In addition, in order to model potential disclosure of secret information, the attacker is allowed access to secret information via session exposure attacks (a.k.a. known-key attacks) of three types: state-reveal queries, session-key queries, and party corruption.

• State-reveal query: A state-reveal query is directed at a single session while still incomplete (i.e., before outputting the session key) and its result is that the attacker learns the session state for that particular session (which may include, for example, the secret exponent of an ephemeral Diffie-Hellman algorithm (DH) value but not the long-term private key used across all sessions at the party).
• Session-key query: A session-key query can be performed against an individual session after completion and the result is that the attacker learns the corresponding session key.
• Party corruption: Party corruption means that the attacker learns all information in the memory of that party (including the long-term private key of the party as well as all session states and session keys stored
at the party); in addition, from the moment a party is corrupted all its actions may be controlled by the attacker. Indeed, note that the knowledge of the private key allows the attacker to impersonate the party at will.

Three Components in CK Model

• The unauthenticated-links adversarial model (UM): UM is the real network environment; the attacker in this model is an active one. It has all the attack abilities mentioned previously.
• The authenticated-links model (AM): The adversarial model called AM is defined in a way that is identical to the UM with one fundamental difference: The attacker is restricted to only delivering messages truly generated by the parties without any change or addition to them.
• Authenticators: Authenticators are special algorithms which act as automatic "compilers" that translate protocols in the AM into equivalent (or "as secure as") protocols in the UM. Now there are two kinds of authenticators: one is based on the public key digital signature, the other one is based on the message authentication code (Bellare et al., 1998).

With the CK model, one can first design and analyze a protocol in the AM, then transform these protocols and their security assurance to the realistic UM by using an authenticator.

Definition of Session-Key Security

In addition to the regular actions of the attacker M against a KE protocol p, he/she can perform a test-session query. That is, at any time during its run, M is able to choose a test-session among the sessions that are completed, unexpired, and unexposed at the time. Let k be the value of the corresponding session key. We toss a coin b, b ←R {0,1}. If b = 0 we provide M with the value k. Otherwise we provide M with a value r randomly chosen from the probability distribution of keys generated by protocol p. The attacker M is not allowed state-reveal queries, session-key queries, or party corruption on the test-session or its matching session. At the end of its run, M outputs a bit b' (as its guess for b).

An attacker that is allowed test-session queries is referred to as a KE-adversary.

Definition 2: Session-key security. A KE protocol p is called session-key secure (or SK-secure) if the following properties hold for any KE-adversary M:

1. Protocol p satisfies the property that if two uncorrupted parties complete matching sessions then they both output the same key; and
2. The probability that M guesses correctly the bit b (i.e., outputs b' = b) is no more than 1/2 plus a negligible fraction e in the security parameter. e is called "advantage."

The Universal Composable Model

Universally composable security is a framework for defining the security of cryptographic protocols (Canetti, 2001). In this framework, an uncorruptable ideal functionality F which can provide a certain service, a set of dummy parties P̃ and an ideal adversary S are defined respectively. Only the dummy parties P̃ and the ideal adversary S can access the ideal functionality F, each dummy party cannot communicate directly with the others, and the ideal adversary can corrupt any dummy party at any time. The ideal adversary S is informed of when a message is sent, but not of the content; it is allowed to delay the delivery of such a message, but not change its content. On the other hand, an actual protocol p that can achieve the special service, a set of real parties P, and a real-world adversary A are correspondingly defined. Each real party can communicate with the others directly and the real-world adversary A can control all communications among them, meaning that A can read or alter all messages among the real parties; what is more, A can also corrupt any real party at any time. An environment Z is defined in the UC framework that can simulate the whole external environment;
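
The test-session experiment behind Definition 2 can be run directly. The following Python code is an added example, not code from the chapter: the toy 127-bit group, the `kdf` helper, the two protocols (`dh_protocol`, `transcript_protocol`) and the `Experiment` class are constructed here for illustration. It covers the matching-session rule, the ban on exposing the test session or its matching session, and how the KE-adversary's success rate separates a key derived from secret exponents from a key derived from the public messages.

```python
import hashlib
import random
import secrets

P = 2**127 - 1   # constructed toy modulus (a Mersenne prime); far too small for real use
G = 3

def kdf(*parts):
    """Hash length-prefixed byte strings into a 32-byte session key."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()

def dh_protocol(a, b):
    """Two-message Diffie-Hellman with faithful delivery (as in the AM):
    the key depends on the secret exponents x and y."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    X, Y = pow(G, x, P).to_bytes(16, "big"), pow(G, y, P).to_bytes(16, "big")
    key_a = kdf(pow(int.from_bytes(Y, "big"), x, P).to_bytes(16, "big"))
    key_b = kdf(pow(int.from_bytes(X, "big"), y, P).to_bytes(16, "big"))
    return {(a, b, X, Y): key_a, (b, a, Y, X): key_b}

def transcript_protocol(a, b):
    """Flawed variant: the key is a public function of the messages on the wire."""
    X, Y = secrets.token_bytes(16), secrets.token_bytes(16)
    return {(a, b, X, Y): kdf(X, Y), (b, a, Y, X): kdf(X, Y)}

def matching(s, t):
    """Session (A, B, X, Y) matches session (B, A, Y, X)."""
    return s == (t[1], t[0], t[3], t[2])

class Experiment:
    """Challenger for the test-session game played by a KE-adversary M."""
    def __init__(self, protocol, coin):
        self.protocol, self.coin = protocol, coin
        self.keys, self.exposed, self.test, self.b = {}, set(), None, None

    def activate(self, a, b):
        new = self.protocol(a, b)
        self.keys.update(new)
        return next(iter(new))   # initiator's session; identities and messages are visible to M

    def session_key_query(self, s):
        if self.test is not None and (s == self.test or matching(s, self.test)):
            raise PermissionError("test session and its matching session may not be exposed")
        self.exposed.add(s)
        return self.keys[s]

    def test_session(self, s):
        if any(e == s or matching(e, s) for e in self.exposed):
            raise PermissionError("test session must be unexposed")
        self.test, self.b = s, self.coin.randrange(2)   # coin b
        # b = 0: real key k; b = 1: value r drawn like a key (32 uniform bytes here)
        return self.keys[s] if self.b == 0 else secrets.token_bytes(32)

def transcript_adversary(exp):
    """Passive M: recompute a key candidate from the public messages X, Y."""
    s = exp.activate("A", "B")
    challenge = exp.test_session(s)
    return 0 if challenge == kdf(s[2], s[3]) else 1   # guess b'

def win_rate(protocol, adversary, trials=2000, seed=1):
    """Fraction of experiments in which b' == b (1/2 means no advantage)."""
    coin = random.Random(seed)   # seeded so the estimate is reproducible
    wins = 0
    for _ in range(trials):
        exp = Experiment(protocol, coin)
        wins += adversary(exp) == exp.b
    return wins / trials

def consistent(protocol):
    """Property 1 of Definition 2: matching sessions output the same key."""
    (s, k1), (t, k2) = protocol("A", "B").items()
    return matching(s, t) and k1 == k2

def exposure_refused(protocol):
    """A session-key query on the matching session disqualifies the test session."""
    exp = Experiment(protocol, random.Random(0))
    s = exp.activate("A", "B")
    exp.session_key_query((s[1], s[0], s[3], s[2]))
    try:
        exp.test_session(s)
    except PermissionError:
        return True
    return False
```

Both toy protocols satisfy the consistency property, so only the second requirement tells them apart: the same adversary wins every experiment against `transcript_protocol` and about half of them against `dh_protocol`.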
HYBFp, A, ≈ F
, HYBp A,Z , I
Protocol p is said to have the ACK property if there exists a good internal state simulator for p.

• Theorem 1: Let p be a KE protocol that has the ACK property and is SK-secure; then p is UC-secure (Canetti & Krawczyk, 2002).

Security Analysis of the Canetti-Krawczyk Model

In the past 20 years, researchers have made a lot of efforts in designing and analyzing KE protocols (Diffie & Hellman, 1976; Diffie, Van Oorschot, & Wiener, 1992; Krawczyk, 1996; Shoup, 1999). They realized that the potential impact of the compromise of various types of keying material in a key-agreement protocol should be considered, even if such compromise is not normally expected (Menezes et al., 1996). So some desirable security properties that a key-agreement protocol should have are identified. Such security properties include perfect forward security (PFS), loss of information, known-key security, key-compromise impersonation, unknown-key share, key control, and so on.

The main goal of the CK model is to design and analyze key-agreement protocols. Then what is the relationship between the CK model and the desirable security attributes for a key-agreement protocol? This is the main motivation of this section.

Properties of Key-Agreement Protocols

Definition 7: (Implicit) key authentication (Menezes et al., 1996). Key authentication is the property whereby one party is assured that no other party aside from a specifically identified second party (and possibly additional identified trusted parties) may gain access to a particular secret key.

A key-agreement protocol which provides implicit key authentication to both participating entities is called an authentication and key-agreement (AKA) protocol.

Definition 8: Key confirmation (Menezes et al., 1996). Key confirmation is the property whereby one party is assured that a second (possibly unidentified) party actually has possession of a particular secret key.

Definition 9: Explicit key authentication (Menezes et al., 1996). Explicit key authentication is the property obtained when both (implicit) key authentication and key confirmation hold.

A key-agreement protocol which provides explicit key authentication to both participating entities is called an authenticated key agreement with key confirmation (AKC) protocol (Menezes et al., 1996).

A secure key-agreement protocol should be able to withstand both passive attacks and active attacks. In addition to implicit key authentication and key confirmation, a number of desirable security attributes of key-agreement protocols have been identified (Law, Menezes, Qu, Solinas, & Vanstone, 1998).

1. (Perfect) forward secrecy: If long-term private keys of one or more entities are compromised, the secrecy of previous session keys established by honest entities is not affected (Menezes et al., 1996).
2. Loss of information: Compromise of other information that would not ordinarily be available to an adversary does not affect the security of the protocol. For example, in Diffie-Hellman type protocols, security is not compromised by loss of (·)^(s_i s_j) (where S_i represents entity i's long-term secret value) (Blake-Wilson, Johnson, & Menezes, 1997).
3. Known-key security: A protocol is said to be vulnerable to a known-key attack if compromise of past session keys allows either a passive adversary to compromise future session keys, or impersonation by an active adversary in the future (Law et al., 1998).
4. Key compromise impersonation: Suppose A's long-term private key is disclosed. Clearly an adversary that knows this value can now impersonate A, since it is precisely this value
that identifies A. However, it may be desirable that this loss does not enable an adversary to impersonate other entities to A (Law et al., 1998).
5. Unknown key-share: Entity A cannot be coerced into sharing a key with entity B without A's knowledge, that is, when A believes the key is shared with some entity C ≠ B, and B (correctly) believes the key is shared with A (Law et al., 1998).
6. Key control: Neither entity should be able to force the session key to a preselected value (Law et al., 1998).

The Relationship Between the CK Model and the Desirable Secure Attributes

• Theorem 2: A key-agreement protocol designed and proved secure by the CK model offers almost all the desirable security properties mentioned above except key control (Li, Ma, & Moon, 2005).

The Relationship Between the Security Attributes and the Two Requirements of SK-Security

In the CK model, some security attributes can be ensured by the first requirement of SK-security, while others by the second requirement. In the following, Theorem 3 and Theorem 4 are presented for a detailed explanation:

• Theorem 3. The first requirement of SK-security guarantees a protocol to resist impersonation attacks and unknown key-share attacks (Li et al., 2005).

• Theorem 4. The second requirement of SK-security guarantees a protocol to offer PFS, known-key security (Li et al., 2005).

It should be noticed that the first requirement is the precondition of SK-security. Only under the consistency condition does it make sense to investigate the security properties of PFS and known-key security.

Advantages and Disadvantages of the CK Model

Advantages of the CK Model

Why is the CK Model Applicable for Designing and Analyzing Key-Agreement Protocols?

First, the indistinguishability between the session key and a random number is used to achieve the SK-security of a key-agreement protocol in the AM. If an attacker can distinguish the session key from a random number with a non-negligible advantage, a hard mathematical problem will be resolved. By reduction to absurdity, a conclusion can be drawn: no matter what methods are used by the attacker (except party corruption, session state reveal and session key query), he/she cannot distinguish the session key from a random number with a non-negligible advantage. So the protocol designed and proved secure by the CK model can resist known and even unknown attacks.

Second, the CK model employs authenticators to achieve the indistinguishability between the protocol in the AM and the corresponding one in the UM. Through this method, the consistency requirement of SK-security is satisfied.

From the previous analysis, it can be seen that this model is a modular approach to provably secure protocols. With this model, we can easily get a provably secure protocol which can offer almost all the desirable security attributes. And the CK model has the composable characteristic and can be used as an engineering approach (Bellare & Rogaway, 1993; Mitchell, Ward, & Wilson, 1998). Therefore, it is possible to use this approach without a detailed knowledge of the formal models and proofs, and it is very efficient and suitable for applications by practitioners.

Disadvantages of the CK Model

Though the CK model is suitable for the design and analysis of key-agreement protocols, it still has some weaknesses as follows:
The Provably Secure Formal Method
1. The CK model cannot detect security weaknesses that exist in key-agreement protocols; however, some other formal methods have this ability, such as the method based on logic (Burrows, Abadi, & Needham, 1990) and the method based on state machines (Tin, Boyd, & Nieto, 2003). But the CK model can confirm the known attacks, that is, this model can prove that a protocol in which flaws have been found is not SK-secure.
2. In the aspect of forward secrecy, the CK model cannot guarantee that a key-agreement protocol offers forward secrecy with respect to compromise of both parties’ private keys; it can only guarantee the forward secrecy of a protocol with respect to one party. In addition, in ID-based systems this model lacks the ability to guarantee the key generation center (KGC) forward secrecy because it does not fully consider the attacker’s capabilities (Canetti & Krawczyk, 2002).
3. From Theorem 2, we know that protocols which are designed and proved secure by the CK model cannot resist key control, which is not fully consistent with the definition of key agreement (Blake-Wilson et al., 1997).
4. A key-agreement protocol designed and proved secure by the CK model cannot be guaranteed to resist denial-of-service (DoS) attacks. However, DoS attacks have become a common threat in the present Internet and have drawn researchers’ attention (Burrows et al., 1990; Meadows, 1996).
5. Some proofs of the protocols with the CK model are not very credible because of the subtleness of this model. For example, the Bellare-Rogaway three-party key-distribution (3PKD) protocol (Bellare & Rogaway, 1995) claimed proofs of security, but flaws were subsequently found in it (Choo & Hitchcock, 2005).

We know that a protocol designed and proved secure by the CK model can offer almost all the security attributes, and this model has the modular and composable characteristics, so it is very practical and efficient for the design of a key-agreement protocol. But this model still has weaknesses. So when the CK model is employed to design a key-agreement protocol, we should pay attention to the possible flaws in the protocol that may result from the weaknesses of the CK model.

A UNIVERSALLY COMPOSABLE ANONYMOUS HASH CERTIFICATION MODEL

The essence and difficulty of UC security protocol design lies in the formalization and abstraction of a perfect ideal functionality which can be realized securely. We consider the special security requirements for ideal anonymous authentication, define the security notions for them, and realize an anonymous hash certification ideal functionality FCred in a universally composable security sense, and present a more universal certificate CA model FHCA (Canetti, 2004), which can issue anonymous hash certificates.

Anonymous Hash Certification Ideal Functionality FCred

We use a Merkle tree to build the hash chain, which is constructed from each leaf up to the root of the tree. Each unit of the chain contains a value and an order bit which identifies whether the given value should be concatenated from the left or the right.

A hash chain is said to be valid under a collision-free hash function H if $h_0 = h'_0$ and $h'_{d-1} = v$, $h'_{i-1} = H(h_i \| h'_i)$ / $H(h'_i \| h_i)$ for $o_i = l/r$, where $i = d-1, d-2, \ldots, 1$. It is written as isvalid(h) = 1. We also define several other functions: for instance, root(h) chooses the root of a hash chain, leaf(h) returns the value of a leaf node of path h, buildtree_H(C) builds a Merkle tree with the values of set C, and getchain_T(e) captures the path of node e.

Security Requirements of FCred

Definition 10. Let k be a security parameter and e(k) be a negligible function on k. Let s be a
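The hash-chain functions defined above (buildtree, getchain, isvalid, root, leaf), written out as an added example that is not code from the chapter. SHA-256, the leaf/node prefix bytes, promotion of an unpaired node, the verify_credential helper and the constructed sample credentials are assumptions of this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Domain-separation prefixes (assumption of this example, not in the chapter):
# they stop an interior node from being passed off as a leaf.
LEAF_TAG, NODE_TAG = b"\x00", b"\x01"

# Constructed sample credential set C.
SAMPLE_CREDENTIALS = [b"cred-A", b"cred-B", b"cred-C", b"cred-D", b"cred-E"]


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class HashChain:
    root: bytes    # h_0, the claimed root
    leaf: bytes    # v, the leaf value the chain starts from
    units: tuple   # ((value, order bit), ...) from the leaf level upward


def build_tree(credentials):
    """buildtree_H(C): return every level of the tree, leaves first."""
    if not credentials:
        raise ValueError("cannot build a tree over an empty set")
    level = [H(LEAF_TAG + c) for c in credentials]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(H(NODE_TAG + level[i] + level[i + 1]))
            else:
                nxt.append(level[i])  # unpaired node is promoted unchanged
        levels.append(nxt)
        level = nxt
    return levels


def get_chain(levels, index):
    """getchain_T(e): the path of leaf number `index` up to the root."""
    if not 0 <= index < len(levels[0]):
        raise IndexError("no such leaf")
    leaf_value, units = levels[0][index], []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            # 'l': the stored value is concatenated on the left, 'r': on the right
            units.append((level[sibling], "l" if sibling < index else "r"))
        index //= 2
    return HashChain(levels[-1][0], leaf_value, tuple(units))


def root(chain):
    return chain.root


def leaf(chain):
    return chain.leaf


def is_valid(chain):
    """isvalid(h): recompute the path from the leaf and compare with h_0."""
    acc = chain.leaf
    for value, order in chain.units:
        if order == "l":
            acc = H(NODE_TAG + value + acc)
        elif order == "r":
            acc = H(NODE_TAG + acc + value)
        else:
            return False
    return hmac.compare_digest(acc, chain.root)


def verify_credential(chain, credential, trusted_root):
    """A chain that is internally valid proves nothing by itself: the leaf must
    match the presented credential and the root must be one the verifier
    already trusts (in the chapter, the root is what gets signed)."""
    return (hmac.compare_digest(leaf(chain), H(LEAF_TAG + credential))
            and is_valid(chain)
            and hmac.compare_digest(root(chain), trusted_root))
```

A chain built over a tree of the prover's own choosing passes is_valid, which is why verify_credential also pins the root.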
then return
(VerifyCredential, ps, c, pji, invalid)

(Check Reuse, ps, c, yes) to ps. (end)

Construction of UC-Secure Anonymous Hash Certification Protocol

In this section, we present a simple protocol that realizes FCred given FSIG, with the aid of ideally authenticated communication with a “trusted anonymous hash certificate authority.” This set-up assumption is formalized as an ideal functionality FHCA. Firstly we modify the definition of FSIG (Canetti, 2004; Michael & Dennis, 2004) as follows.

1. Key generation

Upon reception of (KeyGen, P) from P:

• Sends (KeyGen, P) to the adversary S.
• After receiving the message (VerificationKey, P, q) from S, records (P, q) and sends (VerificationKey, P, q) to P.

2. Signature generation

Upon reception of (Sign, P, m) from P:

• Sends (Sign, P, m) to S.
• After receiving the message (Signature, P, m, σ) from S, looks for the record (m, , , 0). If it is found, sends an error message to P and halts. Else, sends (Signature, P, m, ) to P and then records (m, , , 0).

3. Signature verification

1. If q' = q and there exists the record (m, , , 1), set f = 1.
2. If q' = q, P has not yet been corrupted by S, and there exists no record such that (m, ', , 1) for ∀σ', set f = 0.
3. If q' ≠ q and there exists the record (m, , ', f'), set f = f'.
4. Else, set f = f, then records (m, , ', ).

• Hands (Verified, P, m, f) to V. (end)

Then the anonymous hash certificate authority functionality FHCA is presented as follows.

1. Key generation
Upon reception of the message (GenerateKey) from ASU, send (KeyGen, ASU) to the adversary S, upon receiving (Verification Key, ASU, encryption key, k) from S, records (ASU, v, k) and return (Verification Key, ASU, v).
2. Identity Encryption
Upon reception of the message (Identity encryption, pi) from pi, proceed as follows:
   1. Verify that pi is in the member list. If not, return (Not A Member, pi) and quit.
   2. Else, send (Identity encryption, pi) to the adversary S, receive the encryption identity c of pi, return (Encrypted identity, pi, c).
3. Credential generation
Upon reception of the message (Credential generation, pi, (c, pi, k, z)) from pi, send this message to the adversary, and wait for an OK from the adversary. Then, store credential e = (c, pi, k, f) into set Ct, return (S, New Credential, pi) and (pi, New Credential, c, z) to S.
8. Reveal ID
Upon reception of the message (Reveal ID, ASU, c) from ASU, find a credential (c, p, ., .) in set

(c, z, k1, k2, h, , pj1, pj2),
2. It executes
Simulating VerifyCredential

1. If a message (VerifyCredential, pi, c, z, k, pj, h', , v) arrives from FCred, it proceeds as follows.
2. Send the message (Check exist of credential, pi, (c, pi, k, h)) to A from FHCA. If the message from FHCA is not OK, send (VerifyCredential, pi, c, pj, invalid) to FCred and quit.
3. Else check the path: if h' ≠ h, then send (VerifyCredential, pi, c, pj, invalid) to FCred and quit.
4. Else, verify the signature: send (Verify, pi, root(h), , v) to A (in the name of FSIG); upon receiving the message (Verified, pi, root(h), ) from A,
   (1) If the entry (root(h), , 1) is recorded, set f = 1.
   (2) Else, if the signer is not corrupted, and no entry (root(h), ', 1) for any ' is recorded, then set f = 0 and record the entry (root(h), , 0).
   (3) Else, if there is an entry (root(h), , f') recorded, then let f = f'.
   (4) Else, let f = 0 and record the entry (root(h), , ).
   If f = 0, send (VerifyCredential, pi, c, pj, invalid) to FCred and quit.
5. Else, verify the validity of the credential,
   (1) If pi is not corrupted,
       (a) Send message (Check prepared credential, pi, (c, pj)) to A from FHCA.
       (b) If the message from FHCA is not OK or k ≠ km, send to FCred the message (VerifyCredential, pi, c, pj, invalid) and quit.
   (2) Else if H(k) ≠ zm, send (VerifyCredential, Pi, C, Pj, invalid) to FCred and quit.
   Otherwise return (VerifyCredential, pi, c, pj, valid) to FCred.

Simulating party corruptions

If A corrupts a party pi, then S̃ corrupts the same party P̃i in the ideal process and hands A the internal data of that party P̃i.

As for the other operations, like Check Reuse, because their definitions are identical in the ideal functionality and real protocol, it is no use for them to be simulated for A.
As the simulation is perfect and the proof is direct, the proof procedure can be referred to (Fan, JianFeng, & Moon, 2007).

THE SECURITY ANALYSIS OF FOUR-WAY HANDSHAKE IN 802.11I WITH THE CK MODEL AND UC MODEL

WLAN can provide great flexibility for the users. However, security is always a serious concern because of the openness of wireless medium for public access within a certain range. To solve the security problems of WLAN, the IEEE 802.11 has designed a new security standard, which is called IEEE 802.11i (IEEE P802.11i D3.0, 2002). In this standard, a concept of robust security network has been proposed. In addition, an authentication mechanism based on EAP/802.1X/RADIUS (Aboba & Simon, 1999; 802.1X-2001, 2001; Rigney, Willens, Rubens, & Simpson, 2000) has been developed to replace the poor open system authentication and shared-key authentication in WEP (Borisov, Goldberg, & Wagner, 2001). As a long-term solution to secure wireless links, the latest IEEE standard 802.11i has been ratified on June 24, 2004.
The four-way handshake (in short, 4WHS) protocol in 802.11i plays a very important role in the authentication and key-agreement process. Some works have been done on its security analysis. In Changhua and Mitchell (2004) the authors analyzed the four-way handshake protocol using a finite-state verification tool and found a DoS attack. The attack involves forging initial messages from the authenticator to the supplicant to produce inconsistent keys in peers. However the repair proposed by the authors involves only a minor change in the
Since the first case happens with probability 1/L, while the second case happens with probability 1 − 1/L, the overall probability of D to guess correctly is

PR = (0.5 + ) × 1/L + 0.5 × (1 − 1/L) = 0.5 + /L

Thus D succeeds in distinguishing from with non-negligible advantage, which conflicts with the assumption that the pseudorandom function is secure. So the protocol 4WHS_AM satisfies property 2 of Definition SK-security.
Thus the protocol 4WHS_AM is SK-secure without PFS in the AM. #

Authenticator 9 prf

Theorem 7. Assume that the pseudorandom function and MAC in use are secure against chosen message attacks. Then protocol 9 prf emulates protocol MT in unauthenticated networks (Fan et al., 2007).

The Security Analysis of Four-Way Handshake Protocol in the UM

We have proved that the protocol 4WHS_AM is SK-secure without PFS in the AM, and the protocol 9 prf is an MT-authenticator, thus we get the result of security analysis of 4WHS in the UM.
Theorem 8. If the pseudorandom function and MAC function in use are secure against chosen message attacks, protocol four-way handshake is SK-secure in the UM.

The Four-Way Handshake Protocol is UC-Secure

We have proved that 4WHS is SK-secure. According to Definition 6, now we prove that it has the ACK property, thus also satisfies the definition of UC-secure.
Theorem 9. The protocol 4WHS has the ACK property.

Proof. To prove the ACK property for 4WHS, we construct the following internal state simulator I. Recall that before 4WHS actually generates output, the local state of the first party (pi in the aforementioned description) consists of (k1, k2, s, pi, pj). The internal state of the other party (pj in the aforementioned description) is identical (its internal state, like k0, has been erased). The output of I, given (k1, s, pi, pj), will be l_pi = l_pj = (k1, rI, s, pi, pj), where rI is a random value of the same length as k2. (Consequently, when the internal states of pi and pj are replaced with l_pi and l_pj respectively, the added protocol message will be computed and verified as MAC_rI(s, ri) rather than MAC_k2(s, ri).) Next we prove that I is a good internal state simulator.
Let F be an ideal functionality which can securely realize key exchange and A be an adversary. If I is not a good internal state simulator, then the environment Z can distinguish between an interaction with A and 4WHS and an interaction with A and the above transformed protocol (replace the internal states of pi and pj with the outputs of I) with a non-negligible advantage . The only difference between the protocol resultant from the aforementioned transformation and 4WHS is the replacement of k2 with rI. So if I is not a good internal state simulator, then Z can distinguish between rI and k2 with a non-negligible advantage. If the adversary can distinguish between k2 and a random value with a non-negligible advantage, where k2 = second_n2(k0), then he/she can distinguish between k0 and a random value with a non-negligible advantage. As we have proved that 4WHS is SK-secure, the adversary cannot distinguish between k1 (k1 = first_n1(k0)) and a random value with a non-negligible advantage, so he/she cannot distinguish between k0 and a random value with a non-negligible advantage, which reaches a contradiction. So the environment Z cannot distinguish between an interaction with (A, 4WHS) and (A, the transformed protocol) with a non-negligible advantage, thus we have HYB F ,A,Z ≈ HYB F ,A,Z,I and I is a good internal state simulator for 4WHS. According to Definition 6 and Theorem 1, we know that 4WHS has the ACK property and is UC-secure. #
According to Theorems 8, 9, and 1, we get Theorem 10.

• Theorem 10: If the pseudorandom function and MAC function in use are secure against chosen message attacks, protocol four-way handshake is UC-Secure. #

THE SECURITY ANALYSIS OF CHINESE WLAN SECURITY STANDARD WAPI WITH THE CK MODEL

The Chinese WLAN standard WAPI (GB 15629.11-2003) (National Standard of the People’s Republic of China, 2003), the first issued Chinese standard in the field of WLAN, has been formally implemented since November 1, 2003. WAPI is composed of two parts: WAI and wireless privacy infrastructure (WPI). They realize the identity authentication and data encryption, respectively. In March of 2004, China IT Standardization Technical Committee drafted out a new version, WAPI implementation plan (National Standard of the People’s Republic of China, 2004), which improves the original standard WAPI. Compared with the original standard, the greatest change the implementation plan made lies in the WAI module.
As a national standard which is about to be deployed and implemented on a large scale, its security is undoubtedly the focus. But as far as we know, up to now, there are no articles that systemically analyze the security of WAPI and its implementation plan, which is imperfect for a national standard. This contribution discusses the security of WAPI and its implementation plan with the CK model. It has three contributions: (1) the security weaknesses of WAI in WAPI are given; (2) the WAI module in the implementation plan is proved secure in the CK model; and (3) how the implementation plan overcomes the security weaknesses of the original WAPI is pointed out. The analysis results can help us understand the necessity of the implementation plan and enhance the confidence of it. At the same time, as a case study, their analysis is helpful for the design of a secure key-agreement protocol.

WAIs in WAPI and its Implementation Plan

WAI adopts port-based authentication architecture that is identical with IEEE 802.1X. The whole system is composed of mobile guest STA, access point (AP), and authentication service unit (ASU).

WAI in WAPI

The interaction procedure of WAI in the original national standard WAPI is shown in Figure 4. From this figure, we can see that WAI is composed of two parts: certificate authentication and key agreement.
1. Certificate authentication. In this process, station (STA) sends its public key certificate and access request time to the access point (AP) in the access authentication request. AP sends its certificate, STA’s certificate, STA’s access request time, and its signature on them to authentication service unit (ASU) in certificate authentication request. After ASU validates AP’s signature and the two certificates, it sends the certificates validation result, STA’s access request time, and ASU’s signature on them to STA and AP.
2. Key agreement.

Figure 5. The key agreement in the WAI of WAPI

1. In the implementation plan, the key agreement request has to be initiated by AP. At the same time, the secure parameter index SPI, AP’s signature on the encrypted random value and SPI are included in this request. The signature algorithm is ECDSA.
2. In the key agreement response, SPI and the STA’s MAC on encrypted random and SPI are included. The MAC is computed through HMAC-SHA256 algorithm.
3. The keys derivation method is different. STA and AP first calculate the host key k = r1 ⊕ r2, then extend k with KD-HMAC-SHA256 algorithm to get the session key kd, the authentication key ka and integration check key.
Figure 6. The key-agreement protocol in WAI of the implementation plan
SPI=the MAC of the STA||the BSSID of the AP||the time of authentication request
Let us analyze this attack in the CK model. In the previous attack, the KE-adversary chooses the session in STA as the test session and exposes the session in AP (because these two sessions are not matching sessions, the session in AP can be exposed). Because STA and AP get a same session key, the KE-adversary can completely get the session key of the test session. According to Definition 2, this protocol is not SK-secure. And Diffie et al. (1992) can be referred to for the consequences of this attack.

2. Its key agreement protocol cannot resist key-compromise impersonation (KCI) attack.

Let us analyze this attack in the CK model. First, we assume that STA’s private key is compromised and the attacker chooses the session in STA as the test session after STA completes the matching sessions with AP. The attacker can corrupt another mobile guest STA’ and impersonate him/her to send message ENC(PK_AP, r1) to AP. We denote the session between STA’ and AP as SID’. When AP receives this message from STA’, he/she chooses another random value r3 and responds with ENC(PK_STA’, r3). AP computes its session key of SID’, k’ = r1 ⊕ r3. The attacker can expose this session and get k’ (this session is not the matching session of the test session). In addition, the attacker can decrypt ENC(PK_STA’, r3) to get r3. Thus he/she can get r1 = k’ ⊕ r3. In addition, the attacker can also decrypt ENC(PK_STA, r2) to get r2. Then he/she can get the session key of the test session: k = r1 ⊕ r2. Thus the attacker can impersonate AP to STA. According to Definition 2, this protocol is not SK-secure.

3. It does not realize the explicit identity authentication of STA and perhaps leads to the faulty charge.

From the WAI process, we can see that it does not realize the explicit identity authentication of STA to AP. An attacker can pass the certificate authentication and access the networks only if he/she gets a legal user’s certificate, which will lead to the faulty charge if the networks charge the fee according to the access time.

The Security Analysis of WAI in the Implementation Plan

In the first certificate authentication, AP makes signature in the certificate authentication request, and ASU makes signature in the certificate authentication response. Both these signatures include STA’s access request time which ensures the freshness of the signatures. Therefore ASU can authenticate AP’s identity and STA can authenticate ASU’s identity. In addition, STA trusts ASU. So STA can authenticate the identity of AP after the certificate authentication. At the same time, AP authenticates the certificate provided by STA.
The key-agreement protocol in WAI of implementation plan is denoted by . In the following,
that the attacker can forge an acknowledgment message with a non-negligible probability during the run of the protocol . That is, he/she can choose a random value (say r3) and forge a message authentication code that AP can validate. Then B takes advantage of this ability to run the game above. In Phase 1, he/she also chooses r3 as the random value r in the triple, while selecting c and t randomly. Then, in Phase 2, he/she can work out HMAC-SHA256_{ka''}(t*) because this value is the same as the forged message authentication code in the key agreement acknowledgment. Therefore the attacker can distinguish HMAC-SHA256_{ka''}(t*) from s* and guess b correctly in Phase 4, thus winning the game, which indicates that the encryption scheme is not CCA2-secure. This contradicts the presupposition. So during the run of the protocol , the attacker cannot forge a key agreement acknowledgment with a non-negligible probability.
Therefore STA and AP will complete matching sessions and get a same session key at the end of protocol , if ENC is CCA2-secure. #

Lemma 2. If the encryption scheme ENC is secure against the CCA2 attack, the attacker cannot distinguish the session key kd from a random value with a non-negligible advantage.
Proof. It is assumed that the attacker B can distinguish the session key kd from a random value with a non-negligible advantage ε1. In the CK model, the KE-attacker is not permitted to corrupt the test session or its matching session, so the attacker B cannot directly get the session key kd from the attack of . While kd = first(KD-HMAC-SHA256(k)) (first( ) is a function that extracts out the first sixteen bytes from a bit string), so the attacker B has only two possible methods to distinguish kd from a random value. The first one: B learns k. The second one: B succeeds in forcing the establishment of a session (other than the test session or its matching session) that has the same key as the test session. In this case B can learn the test session key by simply querying the session with the same key, and without having to learn the value k. In the following, we prove that neither of these two methods is feasible.
The first method means that, from the attack of , the attacker can distinguish k'' = r1 ⊕ r from a random value with a non-negligible advantage. Based on this ability, B also can distinguish k'' = r1 ⊕ r from a random value with a non-negligible advantage. This is because r in the k'' is selected by the attacker himself, which makes the difficulty that he/she distinguishes k'' from a random value no bigger than that he/she distinguishes k from a random value. It is assumed that the advantage that B distinguishes k'' from a random value is ε2, then ε2 ≥ ε1. And because ka'' = last(KD-HMAC-SHA256(k'')), B can get ka''. Further, he/she can work out HMAC-SHA256_{ka''}(t*) with a non-negligible probability, which enables the attacker to win the encryption game. That means the encryption scheme is not secure against CCA2 attack. This contradicts the presupposition. So the attacker B cannot get k with a non-negligible probability. Then this method is not practical.
As for the second method, there are two strategies that the attacker can take. (1) After STA and AP complete the matching sessions, the attacker B establishes a new session with AP or STA. But the session key of this session will not be kd, because the encrypted random value is chosen randomly by AP or STA. (2) When AP and STA perform the key agreement, B intervenes in this negotiation and makes them get a same session key without the completion of the matching sessions. That is, STA and AP get a same session key but they do not complete matching sessions. Then the attacker can get the test session key by breaking the unmatching session that has the same session key. But from Lemma 1, we know that if the encryption scheme ENC is secure against the CCA2 attack, B cannot succeed in this intervention. So this method is not feasible either.
Let us sum up the previous analysis. The attacker B neither can get the host key k, nor can he/she force to establish a new session with STA or AP that has the same session key as the test session. So the attacker cannot distinguish the session key kd from the random value with a non-negligible advantage. #

Theorem 11. If the encryption scheme ENC adopted is secure against CCA2 attack, then is SK-secure without PFS.
Proof. According to Lemma 1 and Lemma 2, we know that STA and AP will get a same session key after the key agreement and the attacker cannot distinguish the session key from a random value with a non-negligible advantage. Then in accordance with Definition 2, the protocol is SK-secure.
In addition, if the private keys of STA and AP are compromised, the attacker can get the random values exchanged and can work out all the session keys that have been agreed about. Thus this protocol cannot provide PFS. So we can get that the key-agreement protocol is SK-secure without PFS. #

The Implementation Plan Overcomes the Weaknesses of the Original WAPI

We know that WAI in the original WAPI has some security weaknesses. But WAI in the implementation plan is secure in the CK model, and according to Li et al. (2005), we get that the WAI module of the implementation plan can resist KCI attack and UKS attack. In the following, we will analyze how the implementation plan overcomes the security weaknesses in the original WAPI.

1. The key-agreement protocol in the implementation plan can resist UKS attack. In the implementation plan, even though the attacker B gets a certificate in which his/her public key is the same as STA’s or AP’s, he/she cannot launch the UKS attack. Because the implementation plan requires that the key agreement request be sent by AP, STA just accepts the request from AP. So, B can just launch the UKS attack against the AP (i.e., AP thinks that he/she agrees upon a key with B, but in fact he/she negotiates a key with STA, while STA correctly thinks that he/she negotiates a key with AP), that is, B just can forward the key agreement request message for him/her to STA. But in this request, AP’s signature includes SPI which includes the MAC address of the B, so STA will not accept this request forwarded from B. Therefore the key-agreement protocol in WAI of implementation plan can resist the UKS attack.
From the previous analysis, we can see that the essential reasons that WAI in the implementation plan can resist the UKS attack are that: (1) the implementation plan requires that the key agreement request be sent from AP; (2) AP’s signature includes SPI which includes the destination entity’s address.

2. The key-agreement protocol in the WAI of the implementation plan can resist the KCI attack. KCI attacks for the protocol have two manners. The first one is that AP’s private key is compromised and the attacker can impersonate STA to AP. The second one is that STA’s private key is compromised and the attacker can impersonate AP to STA. In the following, we will discuss these two cases respectively.
If AP’s private key is compromised, the attacker can decrypt ENC(PK_AP, r2) to get r2. In order to get r1, he/she just has two possible methods: (1) attacks the encryption algorithm ENC; and (2) impersonates other entity to establish another session with STA, and sends ENC(PK_STA, r1) to STA, then the attacker exposes this session and gets r1 through some computations. But neither of these two methods is feasible. For the first method, we know that if the encryption algorithm ENC is CCA2 secure, the attacker cannot get r1 from the attack of this algorithm directly. As for the second method, the implementation plan requires the key agreement request be sent by AP, and the attacker cannot forge AP’s signature, so the attacker cannot impersonate other entity to establish another session with STA. Therefore the attacker cannot get r1. Then he/she still cannot get the host key k and session key kd.
If STA’s private key is compromised, the attacker can decrypt ENC(PK_STA, r1) to get r1. In order to get session key r2, he/she just has two possible methods: (1) attacks the encryption algorithm ENC directly to get r2; and (2) impersonates another mobile guest STA’ to establish a new session with AP and sends it ENC(PK_AP, r2) in the key agreement acknowledgement. From the previous analysis we get that the first method is infeasible. As for the second method, because r2 and the host key k are just the ephemeral values, we assume that they are not the session states of AP. Therefore, the session states of the new session in AP are just the session key kd*, the message authentication key ka* and the
Blake-Wilson, S., Johnson, D., & Menezes, A. (1997). Key agreement protocols and their security analysis. In Proceedings of the sixth IMA international Conference on Cryptography and Coding.

Borisov, N., Goldberg, I., & Wagner, D. (2001). Intercepting mobile communications: The insecurity of 802.11. In Proceedings of the 7th Annual International Conference on Mobile Computing and Networking, Italy.

Brown, D. R. L. (2001). The exact security of ECDSA (IEEE 1363).

Burrows, M., Abadi, M., & Needham, R. M. (1990). A logic of authentication. ACM Transactions on Computer Systems, 8(1), 122-133.

Burton, S., & Kaliski, J. R. (2001). An unknown key-share attack on the MQV key agreement protocol. ACM transactions on Information and System Security, 4(3), 275-288.

Canetti, R. (2001). Universally composable security: A new paradigm for cryptographic protocols. In Proceedings of the 42th IEEE Annual Symposium on Foundations of Computer Science (pp. 136-145).

Canetti, R. (2004). Universally composable signature, certification, and authentication. In Proceedings of 17th IEEE computer security foundations workshop (CSFW) (pp. 219-245). IEEE Computer Society Press.

Canetti, R., & Krawczyk, H. (2001). Analysis of key exchange protocols and their use for building secure channels. In B. Pfitzmann (Ed.), Advances in cryptology—EUROCRYPT 2001 (LNCS 2045, pp. 453-474). Berlin, Germany: Springer-Verlag.

Canetti, R., & Krawczyk, H. (2002). Universally composable notions of key exchange and secure channels. In Proceedings of Eurocrypt 2002.

Changhua, H., & Mitchell, C. J. (2004, October 1). Analysis of the 802.11i 4-way handshake. In Proceedings of ACM Workshop on Wireless Security, WiSe’04, Philadelphia, PA.

Choo, K. K. R, & Hitchcock, Y. (2005). Security requirement for key establishment proof models: Revisiting Bellare-Rogaway and Jeong-Katz-Lee protocols. In Proceedings of the 10th Australasian Conference on Information Security and Privacy—ACISP.

Diffie, W., & Hellman, M. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22, 644-654.

Diffie, W., Van Oorschot, P., & Wiener, M. (1992). Authentication and authenticated key exchanges. Designs, Codes and Cryptography, 2, 107-125.

Fan, Z., JianFeng, M., & Moon, S. (2007). A universally composable anonymous hash certification model. Science in China (F serial), 50(3), 440-445.

Güther, C. G. (1990). An identity-based key-exchange protocol. In Advances in Cryptology-EUROCRYPT’89 (LNCS 434, pp. 29-37). Springer-Verlag.

IEEE 802.1X-2001. (2001). IEEE standard for local and metropolitan area networks—Port-based network access control.

IEEE P802.11i D3.0. (2002). Specification for enhanced security.

Krawczyk, H. (1996, February). SKEME: A versatile secure key exchange mechanism for Internet. In Proceeding of the 1996 Internet Society Symposium on Network and Distributed System Security (pp. 114-127).

Krawczyk, H. (2005). HMQV: A high-performance secure Diffie-Hellman protocol. In Advances in Cryptology–CRYPTO 2005: 25th Annual International Cryptology Conference (LNCS 3621, pp. 546-566). Springer-Verlag.

Law, L., Menezes, A., Qu, M., Solinas, J., & Vanstone, S. (1998). An efficient protocol for authenticated key agreement (Tech. Rep. CORR 98-05). Ontario, Canada: University of Waterloo, Department of Combinatorics & Optimization.
Li, X., Ma, J., & Moon, S. (2005). On the security of Canetti-Krawczyk model. (LNAI 3802, pp. 356-363). Springer-Verlag.

Martin, A., & Phillip, R. (2002). Reconciling two views of cryptography. Journal of Cryptology, 15(2), 103-127.

Meadows, C. (1996). Formal verification of cryptographic protocols: A survey. In Proceedings of the Advances in Cryptology, Asiacrypt’96 (LNCS 1163, pp. 135-150). Springer-Verlag.

Menezes, A., Van Oorschot, P., & Vanstone, S. (1996). Handbook of applied cryptography. In chapter 12. CRC Press.

Michael, B., & Dennis, H. (2004). How to break and repair a universally composable signature functionality. In Information security conference—ISC 2004 (LNCS 3225, pp. 61-74).

Mitchell C. J., Ward M., & Wilson, P. (1998). Key control in key agreement protocols. Electronics Letters, 34, 980-981.

National Standard of the People’s Republic of China. (2003). Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications (GB 15629.11-2003).

National Standard of the People’s Republic of China. (2004). Guide for GB 15629.11-2003 Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications and GB 15629.1102-2003 Information technology—Telecommunications and information exchange between systems—Local and metropolitan area networks—Specific requirements—Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications: Higher-speed physical layer extension in the 2.4 GHz band.

Rigney, C., Willens, S., Rubens, A., & Simpson, W. (2000). Remote authentication dial in user service (RADIUS) (RFC 2865). Retrieved from http://www.ietf.org/rfc/rfc2865.txt

Shoup, V. (1999). On formal models for secure key exchange. Theory of Cryptography Library. Retrieved from http://citeseer.ist.psu.edu/cache/papers/cs2/769/http:zSzzSzeprint.iacr.orgzSz1999zSz012.pdf/shoup99formal.pdf

Tin, Y. S. T., Boyd, C., & Nieto, J. G. (2003). Provably secure key exchange: An engineering approach. In Australasian Information Security Workshop 2003 (AISW 2003) (pp. 97-104).

Wenbo, M. (2004). Modern cryptography: Theory and practice. Prentice-Hall, PTR.

Yehuda, L. (2003). Composition of secure multi-party protocols—A comprehensive study (LNCS, 2815). Springer-Verlag.

KEY TERMS

Acknowledgment (ACK) property: Let F be an ideal functionality and let be an SK-secure KE protocol in the F-hybrid model. An algorithm I is said to be an internal state simulator for if for any environment machine Z and any adversary A we have HYB F ,A,Z ≈ HYB F ,A,Z,I. Protocol is said to have the ACK property if there exists a good internal state simulator for .

Composition Theorem: The key advantage of UC security is that we can create a complex protocol from already designed sub-protocols that securely achieve the given local tasks. This is very important since complex systems are usually divided into several sub-systems, each one performing a specific task securely. Canetti presented this feature as the composition theorem (Canetti, 2001). This theorem assures that we can generally construct a large size “UC-secure” cryptographic protocol by using sub-protocols which are proven secure in a UC-secure manner.
The Provably Secure Formal Method
Chapter XVI
Multimedia Encryption and Watermarking in Wireless Environment
Shiguo Lian
France Telecom R&D Beijing, China
ABSTRACT
In a wireless environment, multimedia transmission is often affected by the error rate; d
power or bandwidth; and so forth, which brings difficulties to multimedia content protec
decade, wireless multimedia protection technologies have been attracting more and more researchers.
Among them, wireless multimedia encryption and watermarking are two typical topics. Wireless
multimedia encryption protects multimedia content’s confidentiality in wireless networ
on improving the encryption efficiency and channel friendliness. Some means have been p
such as the format-independent encryption algorithms that are time efficient compare
ciphers; the partial encryption algorithms that reduce the encrypted data volume
information unchanged; the hardware-implemented algorithms that are more efficient
based ones; the scalable encryption algorithms that are compliant with bandwidth c
robust encryption algorithms that are compliant with error channels. Compared with wireless multimedia
encryption, wireless multimedia watermarking is widely used in ownership protection, traitor tracing,
content authentication, and so forth. To keep low cost, a mobile agent is used to partition some of
the watermarking tasks. To counter transmission errors, some channel encoding methods are proposed
to encode the watermark. To keep robust, some means are proposed to embed a watermark into media
data of low bit rate. Based on both watermarking and encryption algorithms, some applications arise,
such as secure multimedia sharing or secure multimedia distribution. In this chapter, the existing wireless
multimedia encryption and watermarking algorithms are summarized according to the functionality and
multimedia type; their performances are analyzed and compared; the related application
and some open issues are proposed.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
and efficiency (Cox et al., 2002). Here, only the ones related to wireless/mobile environment are emphasized.

Security. Similar to an encryption algorithm, the construction of a watermarking algorithm should consider the security against various attacks (Kutter, Volosphynovskiy, & Herrigel, 2000; Linnartz & Dijk, 1998; Petitcolas, Anderson, & Kuhn, 1999). According to the attacker’s ability, the attacks can be classified into several types: attack under the condition of knowing nothing about the watermarking system, attack knowing some watermarked copies, attack knowing the embedding algorithm, and the attack knowing the watermark detector. Generally, some encryption operations are introduced to watermarking algorithms in order to keep them secure.

Imperceptibility. Imperceptibility means that the watermarked media data have no difference with the original ones in perception. It is also named transparency or fidelity. This makes sure that the watermarked copy is still of high quality and suitable for practical applications.

Robustness. Multimedia data are often processed during the transmission process, and some of the processing operations are acceptable. Thus, the watermark should still be detected after these operations. Generally, the robustness refers to the ability for the watermark to survive such operations including general signal processing operations (filtering, noising, A/D, D/A, re-sampling, recompression, etc.) and geometric attacks (rotation, scaling, shifting, transformation, etc.). For wireless/mobile multimedia, transmission errors should also be considered, such as loss, delay, jitter, and so forth.

Efficiency. Efficiency refers to both time efficiency and energy-consumption efficiency. The watermarking algorithm with high time efficiency is more suitable for real time applications, such as video-on-demand, broadcasting, pay-per-view, and so forth. For some energy-limited devices, the lightweight watermarking algorithm is preferred, which costs less power and is more efficient in implementation.

Oblivious detection. Oblivious detection means that the detection process does not need the original copy. It is also named blind detection. On the contrary, non-blind detection means that the original copy is required by the detection process. In practical applications, especially in wireless/mobile environment, memory is limited, and thus blind or oblivious detection is preferred.

THE ENCRYPTION ALGORITHMS FOR WIRELESS MULTIMEDIA

Some encryption algorithms have been proposed with respect to image, audio, speech, or video in wireless environment. These algorithms adopt some means to meet wireless communication requirements. According to the functionality, the encryption algorithms are classified into four types: (1) format independent encryption, (2) format compliant encryption, (3) communication compliant encryption, and (4) direct-operation encryption. The first type supports the media data of arbitrary format, the second one combines the encryption operation with the compression process, the third one considers the transmission errors, and the fourth one supports some direct operations on the encrypted multimedia data. In the following content, they are introduced and analyzed in detail.

Format Independent Encryption

Format independent encryption algorithms regard multimedia data as binary data and encrypt multimedia data without considering the file format. Traditional ciphers (Mollin, 2006), such as DES, IDEA, AES, RSA, and so forth, encrypt text or binary data directly without considering the file format. These ciphers have been included in the protocols, IP security (IPsec) and secure socket layer (SSL), and the package CryptoAPI, and these protocols are also included in a multilayer security framework (Dutta, Das, Li, & Auley, 2004). The energy requirements of most of the encryption algorithms are analyzed in Potlapally, Raghunathan, and Jha (2003), some of which are suitable for wireless applications. However, for wireless multimedia, some means should be made to im-

[Figure: Data part 0, Encrypt, ..., Data part N-1]
crypted data volumes, which keeps the file format unchanged. Additionally, the format information that is left unencrypted can be used to synchronize the transmission process, especially in wireless/mobile environment where transmission errors often happen. The core of partial encryption is encrypting only the significant parameters in multimedia data while leaving other ones unchanged. Figure 1 gives an example for partial encryption, in which media data are partitioned into N data parts, only the first data part is encrypted, while other parts are left unencrypted. The data part may be a block or region of the image, a frame of the video sequence, a bit-plane of the image pixels, a parameter of the compression codec, a segment of the compressed data stream, and so forth. The encrypted data part (Data part 0) and the other data parts are then combined together to generate the encrypted media data. The significance of the encrypted data part determines the security of the encryption scheme.

Because multimedia data are often compressed before being stored or transmitted, partial encryption often combines with compression codecs (Liu & Eskicioglu, 2003). That is, for each multimedia encoding codec, a different partial encryption algorithm will be designed. During the past decade, some partial encryption algorithms have been proposed, which are classified and analyzed as follows according to the type of multimedia data and the codecs.

Partial audio encryption. Based on audio or speech codecs, some partial encryption algorithms have been proposed. For example, an algorithm based on G.729 (Servetti & Martin, 2002a, 2002b) is proposed to encrypt telephone-bandwidth speech. This algorithm partitions the code stream into two classes, for example, the most perceptually relevant one, and the other one. Among them, the former one is encrypted while the other one is left unencrypted. It is reported that encrypting about 45% of the bitstream achieves content protection equivalent to full encryption. In another method (Sridharan, Dawson, & Goldburg, 1991), speech data are encrypted by encrypting only the parameters of Fast Fourier Transformation during speech encoding, and the correct parameters are used to recover the encrypted data in decryption. For MP3 (Gang, Akansu, Ramkumar, & Xie, 2001; Servetti, Testa, Carlos, & Martin, 2003) music, only the sensitive parameters of MP3 stream are encrypted, such as the bit allocation information, which saves much time or energy cost.

Partial image encryption. Some means are proposed to encrypt images partially or selectively. For raw images, only some of the most significant bit-planes are encrypted for secure transmission of image data in mobile environments (Podesser, Schmidt, & Uhl, 2002). Another image encryption algorithm (Scopigno & Belfiore, 2004) is proposed, which encrypts only the edge information in the image decomposition that produces three separate components: (1) edge location, (2) gray-tone or color inside the edges, and (3) residuum “smooth” image. For JPEG images, some significant bit-planes of discrete cosine transform (DCT) coefficients in JBIG are encrypted (Pfarrhofer & Uhl, 2005), and only DCT blocks are permuted and DCT coefficients’ signs are encrypted in JPEG encoding
(Lian, Sun, & Wang, 2004a). These algorithms obtain high perceptual security and encryption efficiency. In JPEG2000 image encryption, only the significant streams in the encoded data stream are encrypted (Ando, Watanabe, & Kiya, 2001, 2002; Lian, Sun, & Zhang, 2004b; Norcen & Uhl, 2003; Pommer & Uhl, 2003), which are selected according to the scalability in space or frequency domain. These algorithms are often secure in perception. Figure 2 gives the encryption result of the algorithm proposed in Lian et al. (2004b). As can be seen, the encrypted image is unintelligible. Additionally, in these algorithms, no more than 20% of the data stream is encrypted, which obtains high efficiency.

Partial video encryption. Compared with images or audios, videos often have higher redundancy and are compressed in order to save transmission bandwidth. Among the video codecs, MPEG1/2, MPEG4, and H.264/AVC are more popular. Combined with them, some video encryption algorithms have been proposed, which save time cost by encrypting the compressed video data selectively or partially.

In MPEG1/2 codec, the signs of DCT coefficients are encrypted with the video encryption algorithm (VEA) (Shi & Bhargava, 1998a), the signs of direct current coefficients (DCs) and motion vectors are encrypted with a secret key (Shi & Bhargava, 1998b), the base layer is encrypted while the enhancement layer is left unencrypted (Tosun & Feng, 2001a), the DCT coefficients are permuted (Lian, Wang, & Sun, 2004c; Tang, 1996), or the variable length coding (VLC) tables are modified by rearranging, random bit-flipping, or random bit-insertion (Wu & Kuo, 2000, 2001).

In MPEG4 codec, the Minimal Cost Encryption Scheme (Kim, Shin, & Shin, 2005) is proposed to encrypt only the first 8 bytes in the macro blocks (MBs) of a video object plane (VOP). It

Figure 3. Video encryption based on AVC codec
is implemented and proved suitable for wireless terminals. A format-compliant configurable encryption framework (Wen, Severa, Zeng, Luttrell, & Weiyin, 2002) is proposed for MPEG4 video encryption, which can be reconfigured for a given application scenario including wireless multimedia communication.

In H.264/AVC codec, the intra-prediction mode of each block is permuted with the control of the key (Ahn, Shim, Jeon, & Choi, 2004), which makes the video data degraded greatly. Some other algorithms (Lian, Liu, & Ren, 2005a; Lian, Liu, Ren, & Wang, 2006a) encrypt the DCT coefficients and motion vectors with sign encryption. Because these algorithms encrypt both the texture information and motion information, they often obtain high security in human perception. Figure 3 shows the results of the algorithm proposed in Ahn et al. (2004) and the one proposed in Lian et al. (2005a). As can be seen, the video encrypted by the former algorithm is still intelligible, while the video encrypted by the latter algorithm is unintelligible. Thus, for high security, the latter encryption algorithm is preferred.

Communication Compliant Encryption

Multimedia data are often encrypted before being transmitted. In the encrypted data stream, transmission errors are often spread out due to encryption algorithms’ ciphertext-sensitivity (Mollin, 2006). In wireless/mobile applications, some means should be taken to reduce the error propagation.

Constructing the encryption algorithms based on error correction code may be a solution. For example, the encryption algorithm based on forward error correction (FEC) code is proposed in Tosun and Feng (2001b), which permutes the information-bits and complements a subset of the bits. The encryption algorithm can preserve the error robustness of the encrypted multimedia data, that is, the encrypted data stream can realize error correction itself. Additionally, the encryption algorithm is implemented very efficiently because of the simple encryption operations. Thus, it has some desirable properties suitable for wireless multimedia transmission. However, the disadvantage is also clear: it is not secure against known-plaintext attacks.

Another solution is to change the block length in data encryption. Generally, the block length is in close relation with the error propagation property. Taking stream cipher and block cipher for examples, the former one is of low error propagation, while the latter one is often of high error propagation. Generally, the bigger the block length is, the higher the error propagation is. For this reason, a robust encryption scheme for secure image transmission over wireless channels is proposed in Nanjunda,

[Figure: Video (K); Frame 0, Frame 1, ..., Frame N-1 (K0, K1, ..., KN-1); Slice 0, Slice 1, ..., Slice M-1 under each frame (K0 ... K0, K1 ... K1, KN-1 ... KN-1)]

[Figure: Encryption, Cut]
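The effect of block length on error propagation described above can be measured directly. The following is an added example, not code from the chapter or the schemes it cites: it flips one ciphertext bit to model a channel error and counts the wrong plaintext bits after decryption. The SHAKE-256 keystream and the four-round Feistel block cipher are assumptions chosen so that the block length can be varied.

```python
import hashlib


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def stream_crypt(key, nonce, data):
    """Stream-cipher model: XOR with a SHAKE-256 keystream (assumed construction)."""
    return xor(data, hashlib.shake_256(key + nonce).digest(len(data)))


def _feistel(key, block, decrypt, rounds=4):
    """Toy balanced Feistel permutation over one block of even byte length."""
    h = len(block) // 2
    left, right = block[:h], block[h:]

    def f(i, half):  # round function keyed by the round index
        return hashlib.shake_256(key + bytes([i]) + half).digest(h)

    for i in (reversed(range(rounds)) if decrypt else range(rounds)):
        if decrypt:
            left, right = xor(right, f(i, left)), left
        else:
            left, right = right, xor(left, f(i, right))
    return left + right


def block_crypt(key, data, block_len, decrypt=False):
    """Process each block independently; used here only to measure error spread."""
    if block_len % 2 or len(data) % block_len:
        raise ValueError("block_len must be even and divide len(data)")
    return b"".join(_feistel(key, data[i:i + block_len], decrypt)
                    for i in range(0, len(data), block_len))


def flip_bit(data, bit_index):
    """Model a single-bit channel error."""
    out = bytearray(data)
    out[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(out)


def bit_errors(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Constructed demo values, not taken from the chapter.
KEY, NONCE = b"k" * 16, b"n" * 8
PLAIN = bytes((37 * i + 11) % 256 for i in range(1024))


def error_spread(block_len, bit_index=1234):
    """Return (stream_errors, block_errors): wrong plaintext bits after one
    ciphertext bit is flipped, for the stream model and for the block model."""
    c_stream = stream_crypt(KEY, NONCE, PLAIN)
    c_block = block_crypt(KEY, PLAIN, block_len)
    p_stream = stream_crypt(KEY, NONCE, flip_bit(c_stream, bit_index))
    p_block = block_crypt(KEY, flip_bit(c_block, bit_index), block_len, decrypt=True)
    return bit_errors(PLAIN, p_stream), bit_errors(PLAIN, p_block)


if __name__ == "__main__":
    print("block bytes | stream errors | block errors")
    for n in (8, 16, 64, 128):
        s, b = error_spread(n)
        print(f"{n:11d} | {s:13d} | {b:12d}")
```

The stream model damages exactly the bit that was hit, while the block model garbles roughly half the bits of the affected block, so the damage grows with the block length.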
Figure 5, which encrypts only the base layer and middle layer in the three layers (base layer, middle layer, and enhancement layer) of an MPEG2 video stream. In this algorithm, the enhancement layer is left unencrypted, which can be cut off directly. Wee and Apostolopoulos (2001, 2003) and Zhu, Yuan, Wang, and Li (2005) proposed the algorithms for secure scalable streaming enabling transcoding without decryption. Generally, the stream is partitioned into segments according to the cipher’s code length. To change the bit-rate, some segments at the end of the stream are cut off directly.

THE WATERMARKING ALGORITHMS FOR WIRELESS MULTIMEDIA

Watermarking algorithms (Barni & Bartolini, 2004; Cox et al., 2002) are generally composed of two parts, that is, watermark embedding and watermark extraction/detection. Generally, watermarking algorithms should be robust to some operations, such as recompression, A/D or D/A conversion, noise, filtering, and so forth and can survive such attacks as geometric attack, collusion attack, copy attack, and so forth. Similar to encryption algorithms, some watermarking algorithms may be of high security and robustness, but they are also of high time or energy cost. On the contrary, the watermarking algorithms with low cost are often of low security or robustness. This contradiction becomes a problem in wireless/mobile environment when only limited energy or computing capability is provided. Experiments have been done to analyze the energy consumption, complexity and security level of multimedia watermarking on mobile handheld devices (Kejariwal, Nicolau, Dutt, & Gupta, 2005). And some conclusions are drawn: (1) the security level often contradicts with energy consumption, (2) watermark extraction/detection may be of higher cost than watermark embedding, and (3) image resolution affects the energy consumption. To conquer these problems, some proposals are presented, for example, introducing a tunable parameter to obtain trade-offs between security level, energy consumption, and other performances, or moving some computationally expensive tasks to mobile proxies.

Mobile Agent Based Task Partitioning

Mobile agents use the proxies as agents that can connect to a range of heterogeneous mobile terminals. Using mobile agents to reduce the load of the server or terminals has been widely studied (Burnside et al., 2002; Rao, Chang, Chen, & Chen, 2001). If the mobile agent can implement watermark embedding or extraction/detection, then the terminals’ computing load will be greatly reduced.
[Figure: Media data, Watermark, MDC Encode, MDC Decode, Extracted watermark]

[Figure: Media Server, Content, Access Right]
watermarked files are encrypted then distributed over p2p networks. The customer can access the encrypted music files, but must apply for the right from the server before he can decrypt the files. The watermark extracted from the music file can prove the legality of the music.

Secure Multimedia Distribution

In secure multimedia distribution, multimedia data are transmitted from the server to customers in a secure way. In this case, the confidentiality can be protected, and the illegal distributor who redistributes his/her copy to other customers can be traced. Generally, both encryption and watermarking technology are used. Till now, three kinds of schemes have been proposed, which embed watermarks at the server side, in the router or at the client side, respectively. In the first kind of scheme, the customer information is embedded into multimedia data at the server side before multimedia encryption. This scheme is more suitable for unicast than for multicast or broadcast because it is difficult for the server to assign different copies to different customers simultaneously. In the second kind of scheme, the customer information is embedded by the routers in lower level (Brown, Perkins, & Crowcroft, 1999), which distributes the server’s loading to the routers. This scheme reduces the server’s loading, but also changes the network protocols. In the third kind of scheme, the customer information is embedded at the customer side (Bloom, 2003). This scheme is time efficient, but the security is a problem because of the isolation between decryption and watermarking. Some means (Anderson & Manifavas, 1997; Kundur & Karthik, 2004; Lian, Liu, Ren, & Wang, 2006b) have been proposed to improve the security, which combine decryption with watermark embedding. These combined methods improve the system’s security while keeping low cost.

Commutative Watermarking and Encryption

Generally, watermarking operation and encryption operation are separate. That is, the encrypted multimedia data should be decrypted before being watermarked. In some applications, if the operation triple decryption-watermarking-encryption can be avoided, the operation cost will be reduced greatly. In this case, the encrypted multimedia data can be watermarked directly without decryption, and the watermark can be extracted directly from the encrypted or decrypted multimedia data. This kind of watermarking-encryption pair is named commutative watermarking and encryption (CWE). A practical scheme is proposed in Lian, Liu, Ren, and Wang (2006c), which is based on partial encryption. In this scheme, multimedia data are partitioned into two parts, that is, the perception significant part and the robust part, among which the perception significant part is encrypted, while the robust part is watermarked. Thus, the encryption and watermarking are independent of each other, and they support the commutative operations.

OPEN ISSUES

Contradiction Between Format Independence and Format Compliance

To keep low cost, partial encryption scheme is used to encrypt multimedia data, which keeps format compliant. Thus, for different multimedia data or different codec, the encryption algorithms are often different. If various multimedia data are included in an application, then various encryption algorithms should be used, and some extra information is required to tell which encryption algorithm has been used. Compared with format compliant encryption, format independent encryption regards multimedia data as binary data and is easy to support various data. Thus, for the applications with versatile data, format independent encryption is more suitable. For example, in such DRM systems as internet streaming media alliance (ISMA), advanced access content system (AACS), or open mobile alliance (OMA) (Kundur et al., 2004), the algorithms, advanced encryption standard (AES) and data encryption standard (DES), are recommended to encrypt multimedia data not considering the file
format. Thus, for practical applications, the trade-off between computational cost and convenience is to be made, which determines which kind of algorithm should be used.

Standardization of Watermarking Algorithms

Compared with encryption algorithms that have been standardized to some extent, watermarking algorithms are still in study. Because of the diversity of multimedia content, the difficulty in multimedia understanding and the variety of applications, it is difficult to standardize multimedia watermarking algorithms. Generally, they have different performances in security, efficiency, robustness, capacity, and so forth. Which watermarking algorithm to use depends on the performances required by the applications. Defining suitable watermarking algorithms will provide more convenience to wireless/mobile applications.

Fingerprint Algorithms Against Collusion Attacks

In secure multimedia distribution, collusion attack (Zhao, Wang, & Liu, 2005) threatens the system. That is, different customers combine their copies together through averaging, substitution, and so forth, which produces a copy without any customer information. To counter this attack, some fingerprint encoding methods (Boneh & James, 1998; Wu, Trappe, Wang, & Liu, 2004) have been proposed. These methods generate different fingerprint codes for different customers, and the colluded copy can still tell one or more of the colluders. However, there is still a trade-off between the watermark capacity and the supported customers, and some new attacks are still not predicted, such as the linear combination collusion attack (LCCA) (Wu, 2005). Thus, better fingerprint encoding methods with good efficiency are expected.

Key Management in Mobile Applications

Multimedia encryption and watermarking can both be controlled by the keys; key management needs to be investigated. For example, whether the encryption key should be independent of the watermarking key, and how to assign different decryption keys to different customers in multimedia distribution? Additionally, for multicast or p2p networks, key generation and distribution (Cherukuri, 2004; Eskicioglu, 2002) are important topics not only in fixed networks but also in mobile environments.

CONCLUSION

In this chapter, mobile/wireless multimedia encryption and watermarking algorithms are introduced and analyzed, including the general requirements, various multimedia encryption algorithms, some watermarking algorithms, the combination between encryption and watermarking, and some open issues. Among them, the multimedia encryption algorithms are classified and analyzed according to the functionalities, and the watermarking algorithms with low cost are emphasized. The combination between encryption and watermarking brings up some new research topics, for example, fingerprint or commutative watermarking and encryption. And some open issues are also presented, including the contradiction between format compliance and format independence, the standardization of watermarking algorithms, the fingerprint algorithms resisting collusion attacks, and the key management in mobile applications.

REFERENCES

Ahn, J., Shim, H., Jeon, B., & Choi, I. (2004). Digital video scrambling method using intra prediction mode. In Pacific Rim Conference on Multimedia, PCM2004 (LNCS 3333, 386-393). Springer.
Alattar, A., Lin, E., & Celik, M. (2003). Digital watermarking of low bit-rate advanced simple profile MPEG-4 compressed video. IEEE Transactions on Circuits and Systems for Video Technology, 13, 787-800.
Ambroze, A., Wade, G., Serdean, C., Tomlinson, M., Stander, J., & Borda, M. (2001). Turbo code protection of video watermark channel. IEE Proceedings of Vision and Image Signal Processing, 148, 54-58.
Anderson, R., & Manifavas, C. (1997). Chameleon—A new kind of stream cipher. In Fast Software Encryption (LNCS, vol. 1267, pp. 107-113). Springer-Verlag.
Ando, K., Watanabe, O., & Kiya, H. (2001). Partial-scrambling of still images based on JPEG2000. In Proceedings of the International Conference on Information, Communications, and Signal Processing, Singapore.
Ando, K., Watanabe, O., & Kiya, H. (2002). Partial-scrambling of images encoded by JPEG2000. IEICE Transactions, J85-D-1 (2), 282-290.
Arora, S., & Emmanuel, S. (2003). Real-time adaptive speech watermarking scheme for mobile applications. In Proceedings of the International Conference on Information, Communications & Signal processing (ICICS)—IEEE Pacific-rim Conference on Multimedia (PCM) (pp. 850-853).
Ashourian, M., & Ho, Y. (2003). Multiple description coding for image data hiding jointly in the spatial and DCT domains. In ICICS 2003 (LNCS 2836, 179-190).
Barni, M., & Bartolini, F. (2004). Watermark systems engineering. Marcel Dekker.
Bloom, J. (2003). Security and rights management in digital cinema. Proceedings of IEEE International Conference on Acoustic, Speech and Signal Processing, 4, 712-715.
Boneh, D., & James, S. (1998). Collusion-secure fingerprinting for digital data. IEEE Transactions on Information Theory, 44(5), 1897-1905.
Brown, I., Perkins, C., & Crowcroft, J. (1999). Watercasting: Distributed watermarking for multicast media. In Proceedings of the First International Workshop on Networked Group Communication (LNCS 1736, pp. 286-300). Springer-Verlag.
Burnside, M., Clarke, D., Mills, T., Maywah, A., Devadas, S., & Rivest, R. (2002). Proxy-based security protocols in networked mobile devices. In Proceedings of the 2002 ACM symposium on Applied Computing (pp. 265-272).
Chang, Y., Han, R., Li, C., & Smith, J. R. (2004). Secure transcoding of Internet content. In Proceedings of International Workshop on Intelligent Multimedia Computing and Networking (IMMCN) (pp. 940-943).
Checcacci, N., Barni, M., Bartolini, F., & Basagni, S. (2000). Robust video watermarking for wireless multimedia communications. In Proceedings of the 2000 IEEE Conference on Wireless Communications and Networking (pp. 1530-1535).
Cherukuri, S. (2004). An adaptive scheme to manage mobility for secure multicasting in wireless local area networks. Unpublished masters thesis, Arizona State University, Tempe.
Chu, S., Hsin, Y., Huang, H., Huang, K., & Pan, J. (2005). Multiple description watermarking for lossy network. IEEE Computer Society, 4, 3990-3993.
Cox, I., Miller, M., & Bloom, J. (2002). Digital watermarking. San Francisco: Morgan Kaufmann.
Desset, C., Macq, B., & Vandendorpe, L. (2002). Block error-correcting codes for systems with a very high BER: Theoretical analysis and application to the protection of watermarks. Signal Processing: Image Communication, 17, 409-421.
Dutta, A., Das, S., Li, P., & Auley, A. (2004). Secured mobile multimedia communication for wireless Internet. In Proceedings of 2004 IEEE International Conference on Networking, Sensing & Control (pp. 181-186).
Eskicioglu, A. (2002). Multimedia security in group communications: Recent progress in wired and wireless networks. In Proceedings of the IASTED
Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006c). Commutative watermarking and encryption for media data. International Journal of Optical Engineering, 45(8), 0805101-0805103.
Lian, S., Liu, Z., Ren, Z., & Wang, Z. (2005b). Selective video encryption based on advanced video coding. In Proceedings of Pacific-Rim Conference on Multimedia (PCM2005) (pp. 281-290).
Lian, S., Liu, Z., Ren, Z., & Wang, H. (2006a). Secure advanced video coding based on selective encryption algorithms. IEEE Transactions on Consumer Electronics, 52(2), 621-629.
Lian, S., Sun, J., & Wang, Z. (2004a). A novel image encryption scheme based-on JPEG encoding. In Proceedings of International Conference on Information Visualization (IV 2004) (pp. 217-220).
Lian, S., Sun, J., Zhang, D., & Wang, Z. (2004b). A selective image encryption scheme based on JPEG2000 codec. In Proceedings of 2004 Pacific-Rim Conference on Multimedia (PCM2004) (LNCS 3332, pp. 65-72). Springer.
Lian, S., Wang, Z., & Sun, J. (2004c). A fast video encryption scheme suitable for network applications. In Proceedings of International Conference on Communications, Circuits and Systems, 1, 566-570.
Linnartz, J., & Dijk, M. (1998, April 15-17). Analysis of the sensitivity attack against electronic watermarks in images. Paper presented at the Workshop on Information Hiding, Portland, OR.
Liu, Q., & Jiang, X. (2005). Applications of mobile agent and digital watermarking technologies in mobile communication network. In Proceedings of the 2005 International Conference on Wireless Communications, Networking and Mobile Computing (pp. 1168-1170).
Liu, X., & Eskicioglu, A. (2003). Selective encryption of multimedia content in distribution networks: Challenges and new directions. In Proceedings of the IASTED International Conference on Communications, Internet and Information Technology (CIIT 2003). Scottsdale, AZ: ACTA Press.
Mollin, R. (2006). An introduction to cryptography. CRC Press.
Nanjunda, C., Haleem, M., & Chandramouli, R. (2005). Robust encryption for secure image transmission over wireless channels. In Proceedings of the IEEE International Conference on Communications (ICC) (pp. 1287-1291).
Norcen, R., & Uhl, A. (2003). Selective encryption of the JPEG2000 bitstream. In IFIP International Federation for Information Processing (LNCS 2828, 194-204).
Ong, C., Nahrstedt, K., & Yuan, W. (2003). Quality of protection for mobile multimedia applications. In Proceedings of the IEEE International Conference on Multimedia and Expo (ICME2003), Baltimore, MD.
Pal, S., Saxena, P., & Muttoo, S. (2004). Image steganography for wireless networks using the hadamard transform. In Proceedings of the 2004 International Conference on Signal Processing and Communications (pp. 131-135).
Pan, J., Hsin, Y., Huang, H., & Huang, K. (2004). Robust image watermarking based on multiple description vector quantization. Electronics Letters, 40(22), 1409-1410.
Petitcolas, F., Anderson, R., & Kuhn, M. (1999). Information hiding—A survey. Proceedings of IEEE, 87(7), 1062-1078.
Petrescu, M., Mitrea, M., & Preteux, F. (2005). Low rate video protection: The opportunity of spread spectrum watermarking. WSEAS Transactions on Communications, 7(4), 478-485.
Pfarrhofer, R., & Uhl, A. (2005). Selective image encryption using JBIG. In Proceedings of the IFIP TC-6 TC-11 international conference on communications and multimedia security (CMS 2005) (pp. 98-107).
Podesser, M., Schmidt, H., & Uhl, A. (2002). Selective bitplane encryption for secure transmission of image data in mobile environments. In CD-ROM Proceedings of the 5th IEEE Nordic Signal Processing Symposium (NORSIG 2002).
Chapter XVII
System-on-Chip Design of
the Whirlpool Hash Function
Paris Kitsos
Hellenic Open University (HOU), Patras, Greece
Abstract
In this chapter, a system-on-chip design of the newest powerful standard in the hash families, named Whirlpool, is presented. In more detail, an architecture and two very large-scale integration (VLSI) implementations are presented. The first implementation is suitable for high speed applications while the second one is suitable for applications with constrained silicon area resources. The architecture permits a wide variety of implementation tradeoffs. Different implementations have been introduced and each specific application can choose the appropriate speed-area trade-off implementation. The implementations are examined and compared in the security level and in the performance by using hardware terms. Whirlpool with RIPEMD, SHA-1, and SHA-2 hash functions are adopted by the International Organization for Standardization (ISO/IEC, 2003) 10118-3 standard. The Whirlpool implementations allow fast execution and effective substitution of any previous hash families' implementations in any cryptography application.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
respectively). In August 2002, NIST announced the updated Federal Information Processing Standard (FIPS 180-2), which introduced another three new hash functions referred to as SHA-2 (256, 384, 512). In addition, the new European schemes for signatures, integrity, and encryption (NESSIE) (2004) was responsible for introducing a hash function with a high security level. In February 2003, it was announced that the hash function included in the NESSIE portfolio is Whirlpool (Barreto & Rijmen, 2003). Finally, the best-known hash function is the secure hash algorithm-1 (SHA-1) (NIST, 1995, http://itl.nist.gov/fipspubs/fip180-1.htm). However, some security problems have been raised, as has already been shown (see Wang, Yin, & Yu, 2005). This collision of SHA-1 can be found with complexity less than $2^{69}$ hash operations. This is the first attack on the full 80-step SHA-1 with complexity less than the $2^{80}$ theoretical bound. A collision in SHA-1 would cast doubt over the future viability of any system that relies on SHA-1. The result will cause significant confusion, and it will lead to reengineering of many systems and incompatibility between new systems and old. In addition, the National Security Agency (NSA) did not disclose the SHA-2 design criteria, and its design philosophy is similar to the design of the SHA-1 function. So, the attack against SHA-1 will probably affect the SHA-2 function as well. This issue also stands for the RIPEMD hash families. On the other hand, the internal structure of Whirlpool is different from the structure of all the aforementioned hash functions. So, the Whirlpool function does not suffer from that kind of problem, which makes it a very good choice for electronics applications.

All the aforementioned hash functions are adopted by the International Organization for Standardization (ISO, 2003) 10118-3 standard.

In this chapter, an architecture and two VLSI implementations of the new hash function, Whirlpool, are proposed. The first implementation is suitable for high speed applications while the second one is suitable for applications with constrained silicon area resources.

The architecture and the implementations presented here were the first in scientific literature (Kitsos & Koufopavlou, 2004). Until then, two hardware architectures have been also presented. The first one (McLoone & McCanny, 2002) is a high speed hardware architecture and the second one (Pramstaller, Rechberger, & Rijmen, 2006) is a compact field-programmable gate array (FPGA) architecture and implementation of Whirlpool. Both architectures are efficient for specific applications; analytical comparisons with the proposed implementations will be given in the rest of this chapter. In addition, comparisons with other hash families' implementations (Ahmad & Shoba Das, 2005; Deepakumara, Heys, & Venkatesam, 2001; Dominikus, 2002; Grembowski et al., 2002; McLoone, McIvor, & Savage, 2005; Sklavos & Koufopavlou, 2003, 2005; Yiakoumis, Papadonikolakis, Michail, Kakarountas, & Goutis, 2005) are provided. From the comparison results it is proven that the proposed implementation performs better and composes an effective substitution of any previous hash families such as MD5, RIPEMD-160, SHA-1, SHA-2, and so forth, in all the cases.

The organization of the chapter is the following: In the second section, the fundamentals for hash function families are presented. So, the (ISO/IEC) 10118-3 standard is first briefly described and secondly the Whirlpool hash function specifications are defined. In the third section, the proposed architecture and VLSI implementations are presented. Implementation results and discussion (comparison with other works) are reported in the fourth section. Finally, the fifth section concludes this chapter.

Fundamentals for Hash Functions

In this section a brief description of the ISO/IEC 10118-3 standard is presented. This standard specifies dedicated hash functions. The hash functions are based on the iterative use of a round-function. Seven distinct round functions are specified, giving rise to distinct dedicated hash-functions. Six of them are briefly described and at last, Whirlpool is described in detail.
Figure 2. The SHA-256 and SHA-512 round function
Figure 3. The RIPEMD-160 round function
of a compression function, based on an underlying dedicated 512-bit block cipher that uses a 512-bit key. Whirlpool is a Merkle hash function (Menezes, Van Oorschot, & Vastone, 1997) based on a 512-bit block cipher, W, using a chained 512-bit key state, both derived from the input data. The round function of W operates in the Miyaguchi-Preneel mode (Menezes et al.) as shown in Figure 5.

As Figure 5 shows, a 512-bit data block, $m_i$, with a 512-bit key, $h_{i-1}$, is used for the operation of the W block cipher. The output of the block cipher, the original input data block, and the input key are all XORed together in order to produce the hash value, $h_i$. This hash value is used as the key for the next input data block.

In the rest of this chapter, the round function of the block cipher, W, is defined. The block diagram of the W block cipher basic round is depicted in Figure 6. The round function, $\rho[k]$, is based on combined operations from three algebraic functions. These functions are the non-linear layer $\gamma$, the cyclical permutation $\pi$, and the linear diffusion layer $\theta$. So, the round function is the composite mapping $\rho[k]$, parameterized by the key matrix k, and given by the following equation.

$$\rho[k] \equiv \sigma[k] \circ \theta \circ \pi \circ \gamma \qquad (1)$$

The symbol "$\circ$" denotes the sequential operation of each algebraic function, where the right function is executed first.

The key addition $\sigma[k]$ consists of the bitwise addition (XOR) of a key matrix k such as:

$$\sigma[k](a) = b \Leftrightarrow b_{ij} = a_{ij} \oplus k_{ij}, \quad 0 \le i, j \le 7 \qquad (2)$$

This mapping is also used to introduce round constants in the key schedule. The input data (hash state) is internally viewed as an 8x8 matrix over GF($2^8$). Therefore, a 512-bit data string must be mapped to and from this matrix format. This can be done by the function $\mu$ such as:

$$\mu(a) = b \Leftrightarrow b_{ij} = a_{8i+j}, \quad 0 \le i, j \le 7 \qquad (3)$$

The first transformation of the hash state is through the non-linear layer $\gamma$, which consists of the parallel application of a non-linear substitution S-Box to all bytes of the argument individually. After that, the hash state is passed through the permutation $\pi$, which cyclically shifts each column of its argument independently, so that column j is shifted downwards by j positions. The final transformation is the linear diffusion layer $\theta$, in which the hash state is multiplied with a generator matrix. The effect of $\theta$ is to mix the bytes in each state row.

So, the dedicated 512-bit block cipher W[K], parameterized by the 512-bit cipher key K, is defined as:

$$W[K] = \left( \bigcirc_{r=1}^{R} \rho[K^r] \right) \circ \sigma[K^0] \qquad (4)$$
where the round keys $K^0, \ldots, K^R$ are derived from K by the key schedule. The default number of rounds is R = 10. The key schedule expands the 512-bit cipher key K onto a sequence of round keys $K^0, \ldots, K^R$ as:

$$K^0 = K, \qquad K^r = \rho[c^r](K^{r-1}), \quad r > 0 \qquad (5)$$

The round constant for the r-th round, r > 0, is a matrix $c^r$ defined by substitution box (S-Box) as:

So, Whirlpool iterates the Miyaguchi-Preneel hashing scheme over the t padded blocks $m_i$, $1 \le i \le t$, using the dedicated 512-bit block cipher W:

$$\eta_i = \mu(m_i), \qquad H_0 = \mu(IV), \qquad H_i = W[H_{i-1}](\eta_i) \oplus H_{i-1} \oplus \eta_i, \quad 1 \le i \le t \qquad (7)$$

where IV (the Initialization Vector) is a string of 512 0-bits.

As Equations 4 and 5 show, the internal block cipher W comprises a data randomizing part and a key schedule part. These parts consist of the same round function.

Figure 6. Block diagram of the W basic round with algebraic functions transformations

Before being subjected to the hashing operation, a message M of bit length $L < 2^{256}$ is padded with a 1-bit, then as few 0-bits as necessary to obtain a bit string whose length is an odd multiple of 256,
and finally with the 256-bit right-justified binary representation of L, resulting in the padded message m, partitioned in t blocks $m_1, m_2, \ldots, m_t$.

Whirlpool Architectures and VLSI Implementations

In this section the proposed architecture and implementations of the Whirlpool hash function are explained in detail. A general diagram of the architecture that performs the Whirlpool hash function is shown in Figure 7. The Pad Component pads the input data and converts them to an n-bit padded message. In the proposed architecture an interface with 256-bit input for Message is considered. The input n specifies the total length of the message. The padded message is partitioned into a sequence of t 512-bit blocks $m_1, m_2, \ldots, m_t$. This sequence is then used in order to generate a new sequence of 512-bit strings, $H_1, H_2, \ldots, H_t$, in the following way. $m_i$ is processed with $H_{i-1}$ as key, and the resulting string is XORed with $m_i$ in order to produce $H_i$. $H_0$ is a string of 512 0-bits and $H_t$ is the hash value.

Figure 7. Whirlpool hash function architecture

The block cipher W mainly consists of the round function $\rho$. The implementation of the round function $\rho$ is illustrated in Figure 8.

The non-linear layer $\gamma$ is composed of 64 substitution tables (S-Boxes). The internal structure of the S-Box is shown in Figure 8. It consists of five 4-bit mini boxes E, $E^{-1}$, and R. These mini boxes can be implemented either by using look-up tables (LUTs) or Boolean expressions. Next, the cyclical permutation $\pi$ is implemented by using combinational shifters. These shifters cyclically shift (downwards) each matrix column by a fixed number (equal to j), in one clock cycle. The linear diffusion layer $\theta$ is a matrix multiplication between the hash state and a generator matrix. In Barreto and Rijmen (2003) an efficient method is provided in order to implement the matrix multiplication. However, in this chapter an alternative way is proposed which is suitable for hardware implementation. The transformation expressions of the diffusion layer are given next. (See Equation 8.)

Equation 8.

$$
\begin{aligned}
b_{i0} &= a_{i0} \oplus a_{i1} \oplus a_{i3} \oplus a_{i5} \oplus a_{i7} \oplus X[a_{i2}] \oplus X^2[a_{i3} \oplus a_{i6}] \oplus X^3[a_{i1} \oplus a_{i4}] \\
b_{i1} &= a_{i0} \oplus a_{i1} \oplus a_{i2} \oplus a_{i4} \oplus a_{i6} \oplus X[a_{i3}] \oplus X^2[a_{i4} \oplus a_{i7}] \oplus X^3[a_{i2} \oplus a_{i5}] \\
b_{i2} &= a_{i1} \oplus a_{i2} \oplus a_{i3} \oplus a_{i5} \oplus a_{i7} \oplus X[a_{i4}] \oplus X^2[a_{i5} \oplus a_{i0}] \oplus X^3[a_{i3} \oplus a_{i6}] \\
b_{i3} &= a_{i0} \oplus a_{i2} \oplus a_{i3} \oplus a_{i4} \oplus a_{i6} \oplus X[a_{i5}] \oplus X^2[a_{i6} \oplus a_{i1}] \oplus X^3[a_{i4} \oplus a_{i7}] \\
b_{i4} &= a_{i1} \oplus a_{i3} \oplus a_{i4} \oplus a_{i5} \oplus a_{i7} \oplus X[a_{i6}] \oplus X^2[a_{i7} \oplus a_{i2}] \oplus X^3[a_{i5} \oplus a_{i0}] \\
b_{i5} &= a_{i0} \oplus a_{i2} \oplus a_{i4} \oplus a_{i5} \oplus a_{i6} \oplus X[a_{i7}] \oplus X^2[a_{i0} \oplus a_{i3}] \oplus X^3[a_{i6} \oplus a_{i1}] \\
b_{i6} &= a_{i1} \oplus a_{i3} \oplus a_{i5} \oplus a_{i6} \oplus a_{i7} \oplus X[a_{i0}] \oplus X^2[a_{i1} \oplus a_{i4}] \oplus X^3[a_{i7} \oplus a_{i2}] \\
b_{i7} &= a_{i0} \oplus a_{i2} \oplus a_{i4} \oplus a_{i6} \oplus a_{i7} \oplus X[a_{i1}] \oplus X^2[a_{i2} \oplus a_{i5}] \oplus X^3[a_{i0} \oplus a_{i3}]
\end{aligned}
$$

Bytes $b_{i0}, b_{i1}, b_{i2}, \ldots, b_{i7}$ represent the eight bytes of row i of the hash state at the output of the layer $\theta$. Table X implements the multiplication by the polynomial g(x) = x modulo ($x^8 + x^4 + x^3 + x^2 + 1$) in GF($2^8$). Table X2 is defined as $X^2 \equiv X \circ X$ and X3 as $X^3 \equiv X \circ X \circ X$. In Figure 8, the implementation of the output byte $b_{i0}$ is depicted in detail. The other bytes are implemented in a similar way. The key addition ($\sigma[k]$) consists of eight 2-input XOR gates for any byte of the hash state. Every bit of the round key is XORed with the appropriate bit of the hash state.

Figure 8. Implementation of the round function $\rho$

The first implementation is depicted in Figure 9. This implementation has two similar parallel data paths, the data randomizing and the key schedule. The implementation details of the non-linear layer $\gamma$, the cyclical permutation $\pi$, and the linear diffusion layer $\theta$ are shown in Figure 8. The input block $m_i$ is set to the Input data simultaneously with the initial vector (IV) to the Key. In the key schedule data path, the output data of the $\theta$ layer is bitwise XORed with the $c^r$ constant. A round key is produced, on the fly, in one clock cycle. Each produced round key is used in the next clock cycle (through the multiplexer) for the production of the next round key. In the data randomizing data path, the hash state of the $\theta$ layer is bitwise XORed with the appropriate round key. After that, the intermediate feedback data are used as input to the next round (through the multiplexer). After 10 execution rounds the Output Register latches the temp value. This is bitwise XORed with the $H_{i-1}$ value in order to compute the $W_{out}$.

In a clock cycle, one execution round is executed and, simultaneously, the appropriate round key is calculated. The system needs 10 clock cycles per block. If another block $m_{i+1}$ is required to be transformed, the previous process is repeated (by using as cipher key the $H_i$ value). So, for t blocks the execution time is 10*t clock cycles.

The second implementation of the W block cipher architecture is shown in Figure 10. This implementation is suitable for applications with constrained silicon area resources. The appropriate key schedule part is integrated with the data
randomizing part in order to reduce the required hardware resources. The execution of the W block cipher on this implementation is performed in two phases. In the first phase, the round keys are produced and stored in the RAM. In the second phase, the hash value is computed. The algorithm specifies 10 rounds for the hash state. The Input data is the initialization vector (IV), in order to produce the round keys (first phase). The Input Register is used for buffering the algorithm Input data. The output data of the $\theta$ layer is bitwise XORed with the $c^r$ constant. Each execution round lasts one clock cycle. After the first execution round, the first round key is stored in the RAM. It is used as input in the second execution round, through the multiplexer (feedback data), for the production of the second round key. This process is repeated 10 times (10 execution rounds) and lasts 10 clock cycles. The $c^r$ constants are predefined and stored in the ROM. The multiplexer selects during the first phase the $c^r$ constants, and during the second phase the round keys. The computation of the hash value takes place during the second phase. In this phase, the Input data is the $m_i$ block. The output data of the $\theta$ layer is bitwise XORed with the appropriate round key, which is stored in the RAM. After 10 execution rounds the Output Register latches the temp result. This result is bitwise XORed with the $H_{i-1}$ value (in this case equal to the IV) in order to compute the $W_{out}$. The $W_{out}$ is XORed with the $m_i$ (see Figure 7), so the final hash value, $H_i$, is computed.

If another block $m_{i+1}$ is required to be transformed, the previous process is repeated (by using as cipher key the $H_i$ value). So, for t blocks the execution time is 20*t clock cycles. As a result, the total throughput of this implementation is half that of the first implementation; however, it needs almost half the silicon area.

Figure 9. The implementation of the W block cipher suitable for high speed applications

Implementation Results and Discussion

The VIRTEX FPGA device is used in order to evaluate the performance of the proposed implementations. Especially the XC4VLX100 device is used; this device belongs to a new family manufactured in 1.2 volts, 90nm triple-oxide technology and offers twice the performance, twice the density, and less than one-half the power consumption of
previous-generation devices. The basic building block of these devices is the DSP48 slice (see Xilinx, 2006). The purpose of this module is to deliver off-the-shelf programmable devices with the best mix of logic, memory, I/O, processors, clock management, and digital signal processing. In Figure 11 the DSP48 slice architecture is depicted. The Virtex-4 DSP slices are organized as vertical DSP columns. Within the DSP column, two vertical DSP slices are combined with extra logic and routing to form a DSP tile. The DSP tile is four CLBs tall. Each DSP48 slice has a two-input multiplier followed by multiplexers and a three-input adder/subtractor. The multiplier accepts two 18-bit, two's complement operands producing a 36-bit, two's complement result. The result is sign extended to 48 bits and can optionally be fed to the adder/subtractor. The adder/subtractor accepts three 48-bit, two's complement operands, and produces a 48-bit two's complement result. Higher level DSP functions are supported by cascading individual DSP48 slices in a DSP48 column. One input (cascade B input bus) and the DSP48 slice output (cascade P output bus) provide the cascade capability.

The XC4VLX100 device used in this chapter contains 96 DSP48 slices.

Figure 10. The implementation of the W block cipher suitable for applications with constrained silicon area resources

Each one of the proposed implementations was captured by using VHSIC hardware description language (VHDL), with structural description logic. Both implementations were simulated and verified to operate correctly by using the test vectors which are provided by the NESSIE submission package (NESSIE, 2004), and the ISO/IEC 10118-3 standard (ISO, 2003). Parts of the proposed implementations were designed by using two alternative techniques.
The 4-bit mini boxes (E, $E^{-1}$, and R) were designed by using LUTs and Boolean expressions. The usage of FPGA-LUTs does not increase the algorithm execution latency. Besides, the LUTs are implemented by using function generators. So, for the implementation of the Whirlpool hash function four alternative solutions are proposed.

Two performance metrics are considered: the area utilized and the throughput achieved by the implementations. The measurements of the performance analysis are shown in Table 1. Comparisons with other Whirlpool hash hardware implementations (McLoone et al., 2005; Pramstaller et al., 2006) are also given. We denote as Boolean expressions based (BB) the mini box implementations that use Boolean expressions, and as LUT based (LB) the mini box implementations that use FPGA-LUTs.

Both implementations (1st and 2nd) were realized on the same FPGA device. The algorithm constants ($c^r$) are stored in a ROM which is implemented by using LUTs. The 2nd implementation uses a 10x512-bit RAM in order to store the necessary round keys. This RAM is mapped to the 5K bits distributed RAM, and furthermore, none of the proposed implementations use block RAM (BRAM).

The 1st implementation requires 10 clock cycles for each block. So, the BB implementation throughput is 12 Gbps at 236 MHz clock frequency, and the LB implementation throughput is 17.2 Gbps at 337 MHz. The 2nd implementation was designed in order to support applications with restricted area requirements. It demands 20 clock cycles for each data block and requires fewer hardware resources. The BB implementation throughput is 7 Gbps at 275 MHz clock frequency and the LB implementation throughput is 8 Gbps at 313 MHz.

In McLoone et al. (2005) two Whirlpool hash hardware implementations are presented. In the first one, two rounds of the block cipher W are unrolled and during one clock cycle two rounds are performed. This method reduces the overall latency of the design, but it will also result in a reduction in frequency. In order to compute the final hash output, the design needs to be iterated five times. This implementation achieves a throughput equal to 4896 Mbps at 47.8 MHz. The second one is an iterative implementation with algorithmic latency equal to 10 clock cycles. The major difference from the previous one, and also from the author's implementations, is that it uses BRAM in order to implement the S-boxes. The throughput of this implementation is 4790 Mbps at 144 MHz. It also uses 68 BRAMs.

In Pramstaller et al. (2006) a very compact Whirlpool hash hardware implementation is discussed. This design has a different philosophy than the implementations in this chapter and uses an innovative state representation that makes it possible to reduce the required hardware resources
remarkably. The complete implementation into XC2VP40 VIRTEX FPGA requires 1456 CLB-slices and no BRAMs. It achieves a throughput equal to 382 Mbps at a clock frequency equal to 131 MHz.

As Table 1 shows, the author's proposed hardware implementations of the Whirlpool hash function clearly outperform all the other implementations. The proposed implementations are faster by a factor ranging from 1.5 to 45 times. Especially comparing with the implementations in McLoone et al. (2005), some important results can be extracted. Firstly, the two implementations in McLoone et al. use the same FPGA device as the proposed implementations reported in this chapter. So, any comparisons are absolutely fair and accurate. Secondly, by using FPGA-LUTs much better results are achieved in both time performance and area requirements. Finally, regarding the throughput per slice ratio, which measures the hardware resource cost associated with the resulting throughput of an implementation, it is proven that the philosophy of the implementations proposed in this chapter matches the FPGA characteristics better than the implementations in McLoone et al. (due to the high throughput per slice ratio). The design in Pramstaller et al. (2006) achieves a throughput equal to 382 Mbps at 131 MHz, slower by a factor ranging from 18 to 45 compared with the implementations in this chapter. Although, as I have already mentioned, this design has a different philosophy and requires only a small amount of hardware resources.

Besides, comparisons with some other hash families' implementations (Ahmad & Shoba Das, 2005; Deepakumara et al., 2001; Dominikus, 2002; Grembowski et al. 2002; McLoone & McCanny, 2002; Sklavos & Koufopavlou, 2003, 2005; Yiakoumis et al., 2005) (the faster implementations of other hash families are collected) are given in Table 2 in order to have a fair and detailed comparison with the proposed implementations.

From Table 2, it is obvious that the Whirlpool implementation performs much better in terms of throughput, compared to all the previously published implementations of other hash families (Ahmad & Shoba Das, 2005; Deepakumara et al., 2001; Dominikus, 2002; Grembowski et al., 2002; McLoone & Mc-
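The datapath described in this chapter (mini-box S-Box, Equation 8 diffusion, both key-schedule organisations, padding and Miyaguchi-Preneel chaining) can be modelled in software to produce reference values for checking a hardware design; the following Python model is an added example, not the author's VHDL. The contents of the E and R mini boxes, the round constants and the circulant matrix cir(1,1,4,1,8,5,2,9) are taken from the Whirlpool specification because the page does not print them, and all function names are this example's own.

```python
from functools import reduce

# Mini boxes E and R per the Whirlpool specification (not printed in the chapter).
E = [0x1, 0xB, 0x9, 0xC, 0xD, 0x6, 0xF, 0x3, 0xE, 0x8, 0x7, 0x4, 0xA, 0x2, 0x5, 0x0]
R = [0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF, 0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0]
E_INV = [E.index(v) for v in range(16)]

def sbox_byte(x):
    """S-Box built from the five mini boxes: E and E^-1, then R, then E and E^-1."""
    u, l = E[x >> 4], E_INV[x & 0xF]
    r = R[u ^ l]
    return (E[u ^ r] << 4) | E_INV[l ^ r]

SBOX = [sbox_byte(x) for x in range(256)]

def X(a):
    """Table X: multiplication by x modulo x^8 + x^4 + x^3 + x^2 + 1 in GF(2^8)."""
    a <<= 1
    return a ^ 0x11D if a & 0x100 else a

def gf_mul(a, b):
    """General GF(2^8) product, used only to cross-check Equation 8."""
    r = 0
    while b:
        r, a, b = (r ^ a if b & 1 else r), X(a), b >> 1
    return r

def xor(a, b):
    """Key addition sigma[k]: bytewise XOR of two 8x8 states."""
    return [[p ^ q for p, q in zip(ra, rb)] for ra, rb in zip(a, b)]

def gamma(s):
    """Non-linear layer: the S-Box applied to each of the 64 bytes."""
    return [[SBOX[b] for b in row] for row in s]

def pi(s):
    """Cyclical permutation: column j is shifted downwards by j positions."""
    return [[s[(i - j) % 8][j] for j in range(8)] for i in range(8)]

def theta(s):
    """Diffusion layer via Equation 8; byte j uses the b_i0 indices shifted by j."""
    out = []
    for a in s:
        g = lambda j, k: a[(j + k) % 8]
        out.append([g(j, 0) ^ g(j, 1) ^ g(j, 3) ^ g(j, 5) ^ g(j, 7) ^ X(g(j, 2))
                    ^ X(X(g(j, 3) ^ g(j, 6))) ^ X(X(X(g(j, 1) ^ g(j, 4))))
                    for j in range(8)])
    return out

def theta_matrix(s):
    """Same layer as a product with cir(1,1,4,1,8,5,2,9) (matrix from the specification)."""
    c = [1, 1, 4, 1, 8, 5, 2, 9]
    return [[reduce(lambda t, k: t ^ gf_mul(a[k], c[(j - k) % 8]), range(8), 0)
             for j in range(8)] for a in s]

def rho(k, s):
    """Round function rho[k] = sigma[k] o theta o pi o gamma (Equation 1)."""
    return xor(theta(pi(gamma(s))), k)

def round_constant(r):
    """c^r per the specification: row 0 = S[8(r-1)..8(r-1)+7], other rows zero."""
    return [[SBOX[8 * (r - 1) + j] for j in range(8)]] + [[0] * 8 for _ in range(7)]

def w_parallel(key, block, rounds=10):
    """First implementation: round key and data round produced in the same cycle."""
    k, s = key, xor(block, key)
    for r in range(1, rounds + 1):
        k = rho(round_constant(r), k)     # key schedule data path
        s = rho(k, s)                     # data randomizing data path
    return s, rounds                      # (state, clock cycles per block)

def w_two_phase(key, block, rounds=10):
    """Second implementation: one shared round unit, round keys kept in RAM."""
    ram, k = [], key
    for r in range(1, rounds + 1):        # phase 1: produce and store round keys
        k = rho(round_constant(r), k)
        ram.append(k)
    s = xor(block, key)
    for k in ram:                         # phase 2: compute the hash state
        s = rho(k, s)
    return s, 2 * rounds

def mu(b):
    """Map 64 bytes to the 8x8 state, b_ij = a_(8i+j) (Equation 3)."""
    return [list(b[8 * i:8 * i + 8]) for i in range(8)]

def pad(msg):
    """1-bit, 0-bits up to an odd multiple of 256 bits, then the 256-bit length."""
    bits = 8 * len(msg)
    msg += b"\x80"
    return msg + b"\x00" * ((32 - len(msg)) % 64) + bits.to_bytes(32, "big")

def whirlpool(msg, cipher=w_parallel):
    """Miyaguchi-Preneel iteration of Equation 7; returns the digest as hex."""
    h, m = mu(bytes(64)), pad(msg)
    for off in range(0, len(m), 64):
        n = mu(m[off:off + 64])
        h = xor(xor(cipher(h, n)[0], h), n)
    return bytes(v for row in h for v in row).hex()
```

Passing `cipher=w_two_phase` to `whirlpool` exercises the area-constrained organisation; it returns the same digest while reporting twice the cycle count per block.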
Kitsos, P., & Koufopavlou, O. (2004). Efficient architecture and hardware implementation of the whirlpool hash function. IEEE Transactions on Consumer Electronics, 50(1), 208-213.
McLoone, M., & McCanny, J. V. (2002). Efficient single-chip implementation of SHA-384 & SHA-512. In IEEE International Conference on Field-Programmable Technology (FPT) (pp. 311-314).
McLoone, M., McIvor, C., & Savage, A. (2005). High-speed hardware architectures of the whirlpool hash function. In IEEE International Conference on Field-Programmable Technology (FPT) (pp. 13-18).
Menezes, A. J., Van Oorschot, P. C., & Vastone, S. A. (1997). Handbook of applied cryptography. CRC Press.
National Institute of Standards and Technology (NIST). (1995, April 17). SHA-1 standard, secure hash standard (FIPS PUB 180-1). Retrieved April 17, 1995, from http://www.itl.nist.gov/fipspubs/fip180-1.htm
National Institute of Standards and Technology (NIST). (2002, August 1). SHA-2 standard, secure hash standard (FIPS PUB 180-2). Retrieved August 1, 2002, from http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf
National Institute of Standards and Technology (NIST). (2005, December). SP800-77, Guide to IPSec VPN's. Retrieved December 2005, from http://csrc.nist.gov/publications/nistpubs/800-77/sp800-77.pdf
New European scheme for signatures, integrity, and encryption (NESSIE). (2004). Retrieved March 2004, from https://www.cosic.esat.kuleuven.ac.be/nessie
Pramstaller, N., Rechberger, C., & Rijmen, V. (2006). A compact FPGA implementation of the hash function whirlpool. In 14th ACM/SIGDA International Symposium on Field-Programmable Gate Arrays - FPGA (pp. 159-166). ACM Press.
Sklavos, N., & Koufopavlou, O. (2003). On the hardware implementation of the SHA-2 (256, 384, 512) hash functions. In IEEE International Symposium on Circuits and Systems (ISCAS 2003) (Vol. V, pp. 153-156).
Sklavos, N., & Koufopavlou, O. (2005). On the hardware implementation of RIPEMD processor: Networking high speed hashing, up to 2 Gbps. Computers and Electrical Engineering, 31, 361-379.
Wang, X., Yin, Y. L., & Yu, H. (2005). Finding collisions in the full SHA-1. In Advances in cryptology, 25th Annual International Cryptology Conference (LNCS 3621, Santa Barbara, CA pp. 17-36).
Xilinx Incorporated. (2006). Silicon solutions—Virtex series FPGAs. Retrieved October 10, 2006, from http://www.xilinx.com/products/
Yiakoumis, I., Papadonikolakis, M., Michail, H., Kakarountas, A. P., & Goutis, C. E. (2005). Efficient small-sized implementation of the keyed-hash message authentication code. In IEEE 2005 International Conference on "Computer as a tool" (EUROCON) (pp. 1875-1878).

Key Terms

Cryptography: In modern times, cryptography has become a branch of information theory, as the mathematical study of information and especially its transmission from place to place. Cryptography is central to the techniques used in computer and network security for such things as access control and information confidentiality.

DSP48 Slice: DSP48 slice is the basic building block of XILINX VIRTEX-4 FPGAs.

Field-Programmable Gate Array (FPGA) Device: FPGA device is a semiconductor device used to process digital information, similar to a microprocessor. It uses gate array technology that can be reprogrammed after it is manufactured, rather than having its programming fixed during the manufacturing—a programmable logic device.
Section II
Security in 3G/B3G/4G
Chapter XVIII
Security in 4G
Artur Hecker
Ecole Nationale Supérieure des Télécommunications (ENST), France
Mohamad Badra
NationalCenterforScientificResearch,France
AbstrAct
The fourth generation (4G) of mobile networks will be a technology-opportunistic and user-centric
system combining the economic and technological advantages of different transmission technologies to
provide a context-aware and adaptive service access anywhere and at any time. Security turns out to be
one of the major problems that arise at different interfaces when trying to realize such a heterogeneous
system by integrating the existing wireless and mobile systems. Indeed, current wireless systems use
verydifferentanddifficulttocombineproprietarysecuritymechanisms,typically - relyin
ated user and infrastructure management means. It is generally impossible to apply a security policy
toasystemconsistingofdifferentheterogeneoussubsystems.Inthischapter,wefirstbr
security of candidate 4G access systems, such as 2/3G, wireless LAN (WLAN), WiMax, and so forth. In
thenextstep,wediscussthearisingsecurityissuesofthesysteminterconnection.We
logical access problem in heterogeneous systems and show that both the technology-bound, low-layer
and the overlaid high-layer access architectures exhibit clear shortcomings. We present and discuss
several proposed approaches aimed at achieving an adaptive, scalable, rapid, easy-to-manage, and
secure 4G service access independently of the used operator and infrastructure. We the
requirements on candidate systems to support such 4G security.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Table 1. Ten years cycles in the mobile networks (from a European view)
Year Milestone Cycles
1981 Commercial deployment of NMT: 1G start
1982 Creation of Groupe Spécial Mobile at CEPT
1G to 2G: 10 years
wide-range (GSM 900) and dense-area (GSM 1800/1900) deployments respectively. The first commercial GSM services were launched in the middle of 1991, thus marking the start of the second generation (2G) era.
GSM was the first completely digital PLMN. It is thus naturally a revolutionary approach, as compared to its analog predecessors. GSM defines a series of improvements and innovations compared to previous cellular networks; aiming for an efficient use of the available spectrum; secure transmissions; an improvement in voice quality; a reduction in the cost of handsets (using very large-scale integration [VLSI]); infrastructure and management; an ability to support new services; and a full compatibility with Integrated Services Digital Network (ISDN) and with other data transmission networks. Another basic characteristic of the system is called international roaming, that is, the possibility for the mobile user to access GSM service even when he/she finds himself/herself physically outside the coverage area for which he/she is subscribed, registering as a “visitor.” Provided that the necessary business contracts exist, the roaming is completely automatic. In addition to roaming, GSM offers new user services, including data transmission, fax service, and short message service (SMS).
Thus, in Europe one completely new standard has replaced different existing ones. Almost the contrary happened in the U.S.: the quasi unique AMPS has been replaced by a variety of (at least partially) incompatible, (partially) digital systems: N-AMPS, D-AMPS (IS-54, IS-136), PCS (IS-95), GSM 1900, Omnipoint, and PACS.
The variety of incompatible networks and the increasing popularity of data services have motivated and much influenced the work on the third generation (3G) of mobiles. In 1992, at the same time as the commercial deployment of first 2G networks started, the International Telecommunications Union (ITU) allocated frequency ranges for the next generation of PLMN (then called FPLMTS) thus providing an international common base for the 3G. Finally, in 02 the first commercial 3G networks were commercially deployed in Japan.
Table 1 summarizes the history of the PLMN development from the European point of view as presented in Pereira (2000). In particular, it illustrates the repeating approximate 10-year cycles both in the conception phases and in the generation lifetimes.
The Third Generation of PLMN
The 3G of mobiles was expected to be the future global standard for the integrated voice and data communications. 3G was designed in the last decade of the 20th century with the goal to provide enhanced wide-range voice and data services. But it turns out that it changes little in the actual user experience.
Technically, 3G design mainly aimed at the improvement of the radio link performance in the 2G scope. Although the developed standard features drastically improved data rates as compared to 2G, from the point of view of the data services the practically offered data rates can be still considered scarce. This can be observed in a direct comparison to the development of the wired technologies providing home Internet access. From 1994 until 2004, the phone-line Internet access technologies have evolved from V.34 modems (28.8 kbps) over V.90 (56 kbps) to cable (1-2 Mbps shared) and ADSL (originally 500 kbps, 2004 up to 10 Mbps). This means an almost 350-fold increase in 10 years. In the same period, the data rate of the wireless cellular access has not been able to keep up the pace. From the original GSM CSD service introduced in 1994 and providing 9.6 kbps, the cellular systems evolved over General Packet Radio Service (GPRS) (about 64 kbps in practice) to EDGE/cdma2000 RTT-1X (typically about 100-130 kbps). The 3G (e.g., UMTS) provides about 300 kbps in practice. This corresponds to a 30-50 fold increase in the same decade. Moreover, the provided data rates highly depend on the network operator’s overall capacity, the number of users in the cell and the distance to the base station.
However, the relatively limited data rate is not the only problem of the 3G data service. Because of the vast, national-scope infrastructure, and many intermediate nodes, the user experiences
high network latency (e.g., from the point of view of IP, the whole 3G infrastructure is one link). GPRS and EDGE often exhibit network round trip times (RTT) of 600 ms and more. UMTS links are expected to be better, but they still have RTT of about 200-250 ms. The wideband code division multiple access (W-CDMA)/high speed downlink packet access (HSDPA) service, defined in the fifth release, is expected to have more than 100 ms RTT, that is, almost an Internet-level RTT. Such high network latencies are inappropriate for certain application classes: interactive applications imply latency constraints that typically lie under the 300-400 ms overall RTT proposed by 3G (the end system is not necessarily within the UMTS backbone and thus the typical Internet RTT of about 100-200 ms has to be added to the 3G latency). For example, voice over IP (VoIP) and similar applications (videoconferencing, etc.) require an RTT to be under 250 ms; in some existing popular interactive online games (e.g., id Software’s Quake, etc.) the maximal acceptable RTT to the game server is required to be under 100 ms in order to provide a fair chance of winning and a good game experience.
Furthermore, by its design 3G targets telecommunications providers. Like 2G, 3G uses a license model to prevent random medium access by non-authorized parties. Since the licenses are expensive (Van Damme, 2002), in reality this implies a major telecom operator with a mammoth infrastructure behind every 3G RAN. To fulfill the requirements of such an authority, the 3G RANs are designed to be reliable and manageable and to support different qualities of service. This justifies the high cost of the 3G equipment. At the same time, this limits the competition on the market to few license holders who not only have invested a lot in the infrastructure but also have paid a high price for the license. The operators have to amortize this fixed cost and the current variable maintenance and management cost over the user services provided by the infrastructure. Thus, 3G RAN access is likely to remain costly. It is unclear if attractive unlimited flat-line pricing models (like in xDSL) are applicable to such infrastructures. Current per
byte (or even per minute!) pricing seems hardly suitable for the always-on paradigm.
A consequent national-scope investment is needed for 3G advantages to materialize (both for users and for providers). This is however difficult to afford, especially in developing countries where big investments are particularly risky. In a focused coverage, 3G comes at a very high cost per bit compared to other, more data-centric technologies like local or metropolitan area networks. That is one of the reasons why the 3G systems had a difficult start. They are primarily being deployed in Japan, South Korea, Taiwan, Hong Kong, Indonesia, a few countries of South America, Australia, New Zealand, western Europe, and North America (CDMA Development Group, n.d.; GSM Association, n.d.). Figure 1 (GSM Association, n.d.) summarizes the actual and planned commercial launches of the 3G system from the 2004 European point of view (W-CDMA/UMTS). It shows that the developed countries prevail.
Although the slow 2G-3G transition process started in 2003-2004, so far the 3G systems do not seem suitable to provide a broadband data access service deployment. In the developed world, these are often considered technologically inadequate (users perceive it as a better 2G). For the developing world, the technology needs major investments. Thus, a new, more flexible technology is necessary, allowing new usage scenarios and business models.
The Anticipated 3G to 4G Transition
In regards to 3G, the observed 10-year cycles seem to continue. The first research concepts aiming at 3G appeared about 1989. The spectrum was reserved by ITU-R’s World Radiocommunication Conference (ITU-R Radiocommunication Conference, 1992), that is, at the same time as the first 2G networks were deployed. The active technological development of 3G started with the creation of the UMTS task force in 1996 and culminated in the UMTS decision in 1999. The largest parts of the standards were accomplished by then.
Consequently, the first projects naming fourth generation (4G) started in 91 and the first dedicated thoughts about beyond 3G (B3G) and 4G systems appeared in the international research press about 2000-2001 (Bria et al., 2001; Evans & Baughan, 2000; Pereira, 2000; Raivio, 2001; Varshney & Jain, 2001), that is, just before the first commercial 3G networks were deployed in Japan. In 2000, the WRC allocated 3G extension bands, which were to be used in the B3G scope. All this corresponds to the 10-year cycles illustrated in Table 1.
Continuing along this line, the concrete shapes of 4G should be clarified by the end of 2007 and the active 4G vision refinement should start about 2007-2008. This should be finished roughly by 2010, with several detail issues being addressed in the following years. The first commercial systems could then be operational by 2012. However, this presumes that no additional delays occur.
Possible Delays
At least in Europe and in the U.S., the 3G deployment seems to be delayed. Indeed, by the end of 2004, not all western European countries started the 3G deployment. Also, the deployment process is starting quite slowly, often being limited to some few centers. The critics of 3G claim that the reasons for this could be in the developed technology itself. Indeed, one could argue that 3G (in Europe: UMTS) is too complicated and too costly to become successful. One could also criticize the fact that the original goal of creating one common global standard has not been achieved since different concurrent versions of 3G are being standardized and deployed, in some extreme cases within the same country (e.g., Japan has deployed both cdma2000 and W-CDMA). However, the deployment of the alternative technologies (like e.g., 802.11 hotspots or WiMax) also lags behind the expectations that have predicted a WiFi-boom and hotspot number explosions by 2005, which so far have failed to become true. There is no doubt about the popularity of WiFi. However it is not booming, it is being carefully developed. The real reasons thus could be either of a social (e.g., a simple current disinterest in mobile data) or of an economic nature (too costly in deployment, too risky for operators; too costly, too complicated for users, etc.).
The obviously challenging scenario is to provide users with a bidirectional communications possibility to their personal Intranets independently of their location (anywhere), thus combining the two topics discussed previously. These WAN/MAN/LAN/PAN spanning communication sessions have to be secure, reliable, and economically reasonable. Also, communications become ubiquitous. The used technology needs to be able to reply to this challenge, providing the best available connection anytime, any place. Existing standards do not allow for this usage.
However, it is not a matter of contention between these existing standards. They are more and more understood as complementary. Indeed, the WLANs can easily provide a true LAN experience in limited areas at a low cost while 3G RANs are designed to provide true mobility, quality of services and vast coverage. The idea to try to integrate both technologies is thus straightforward.
Taking into account the previously observed cycles and the current delays, we could try to compile a prognosis on the B3G and 4G development in the next decade. The current situation and our forecast are illustrated in Table 2.
The convergence between the different infrastructures will start because of the economic and technological limits of the used technologies. Big telcos will try to reduce their service cost by integrating alternative transmission technologies as radio access networks (RAN) into their 3G infrastructure (e.g. UMA-like). However, this integration will still be much more complicated and costly than a new deployment possible for a small wireless internet service provider (WISP). At the same time, the small WISPs will encounter increasing management problems with the growing user basis and the user traffic. It will hardly be reasonable to add a 3G infrastructure upon the existing one as the control plane. Given the lack of standardized methods, the alternative infrastructures are thus likely to be managed in a proprietary way, requiring specific access methods. This will produce the demand for standardization.
Because of the true need for mobile broadband data access and the scarce spectrum of 2G, the 3G will be eventually deployed in the business centers of the developed countries despite the currently observed delays. In Europe, this process could be further promoted by governmental policy in some countries planning to partly reimburse some license fees. However, the delays and the high license fee (Van Damme, 2002) have already motivated the development of and the investments in the alternative transmission technologies, for example, IEEE 802.11 and IEEE 802.16.
Table 2. Possible 3G development in the next years
Year Milestone Cycles
2003 European 3G start
Until 2005 Different 4G visions and early 4G research projects
2006 3G deployment in all business areas in the developed world
3G to 4G: 10 years
This development, if commercially successful, will lead to a situation with several parallel infrastructures installed in the European centers by 2008-2009. While the 3G infrastructures will be homogeneous, they are likely to remain more expensive. The alternative offerings will be cheaper but are not likely to provide either the same service quality or the same coverage. Because of the required spectrum licenses, the same national-scope operators will own the 3G systems. The alternative technologies are license-free and thus enable a free network deployment. These can be owned by both global big telcos and small local WISPs.
Users will buy newer products equipped with further wireless technologies. Deploying these products at home, users will be interested in accessing the combined service offers. Different devices will be capable of several access methods (e.g., a wireless ADSL router). Users will be incited to open their hotspots for the usage by the others. For instance, a major French telecom provider proposes a reimbursement plan for its ADSL users if they provide WLAN access to its cellular customers over such devices. At the same time, alternative technology operators are forming roaming organizations and user communities, aiming for the same results (see WeROAM, Fon communities, etc.)
Meanwhile, the research will push towards unified and concrete B3G and 4G views. To protect the investments, the deployed alternative infrastructures are likely to be given the necessary attention in this development process. The result will likely be a system providing for a convergence between the different technologies.
While the new 4G architecture is being conceived and is maturing technologically, 3.5G systems are likely to appear on the market by 2010 at the latest, filling the gap between LAN-experience and manageable. These updates of the radio link and of the backbone infrastructure could provide the basis for the later expected 4G much in the same manner as GPRS/EDGE (2.5G) have required and accomplished the necessary infrastructural changes for the transition process from 2G to 3G.
The commercial and technological convergence and the available B3G systems will provide the drivers for the establishment of an industry group (e.g., 4G forum) that will be given the task of 4G system standard development. Based on the situation and the previously accomplished research, it could produce mature system drafts by 2012 and the first commercial 4G deployments could start about 2014.
Our 4G Vision
Our vision is motivated by the previous work and the ongoing development of the global telecommunications networks, in particular of the Internet. It respects the fact of the proliferation of the Internet technology in all telecommunications branches and is similar to the All-IP approach when used for data transport.
Learning from 2G and 3G experiences, 4G envisages an architecture that allows the maximum possible infrastructure reuse. The idea is to minimize a risky engagement with a particular technology and to guarantee the long-term flexibility for the involved authorities. We believe that the versatility here can provide an enhanced flexibility both technologically and from the business point of view. This ultimately market-driven solution should be capable of providing any service in any manner, restricted solely by user’s demand and not by any technological factors.
From Service-Centric to Data-Centric Approaches, from Technology-Centric to User-Centric Approaches
The classic telecommunications industry approach dominated by the national-scope telecom operators with the well-managed infrastructures currently cannot provide a cost-effective focused access to Internet services. This is particularly true for the developing countries where neither new installations nor massive updates of the existing infrastructure can be afforded.
In its initial collaborative work, the telecommunications industry was much influenced by the dominating demand for the voice telecommunications. The 1G and 2G systems were originally designed to provide one single service: the mobile voice telephony. Their system design was
service-oriented. As a result, the conceived core infrastructure is circuit-oriented and the wireless link’s capacity is tailored to the voice-implied bandwidth requirements. Due to these properties, 2G currently provides a reliable voice service; it is however quite difficult to reuse this infrastructure for other purposes. However, deploying a new infrastructure for every service is not scalable and financially impossible. Especially with modern digital technologies, it is much more efficient to reuse the same infrastructure for different services.
3G development is an example of a network-oriented design process (sometimes also called operator-oriented design). It is a step ahead from the service-oriented design of the 2G system since it explicitly provides for infrastructure reuse for various services. Principally aiming at operators and networks, such design tries to respond to operator’s management requirements. It thus specifies parts of the network core, producing homogeneous technologies comprising everything the operator has requested. According to this design paradigm, the 3G technologies deliver voice and data within the same infrastructure. In presence of an existing voice-oriented 2G infrastructure this renders the only added service—the mobile broadband data—quite expensive in itself. The operators have to amortize the network deployment and the license cost over the new service. Thus, from the user’s point of view, this new service is often perceived as too expensive.
To be able to provide cost-effective data services at any chosen place in the world we need more user-oriented and data-centric approaches than what 2G and 3G paradigms deliver. At least in the mid-term, the hope here lies in a more opportunistic approach from the technological point of view. Indeed, the user typically does not care about who provides a particular service and how. The user cares about the availability of services, their performance (throughput, latency, etc.), the quality of service (QoS) (i.e. the performance and the variation of the performance factors), the ease of use, and service prices. Accordingly, the user-oriented design tries to respond to these user wishes assuring the possibility to freely choose an available service. Choice, as the driving factor for the competition, plays a crucial role in this scope since it results in better and cheaper technology.
From the system’s point of view, the resulting overall architecture delivers very different services through completely heterogeneous access networks (ANs). User-oriented design has to cope with the question how to manage the system and how to provide the user services with an expected quality. The management is important because a good management reduces the operational costs. The provision of the expected quality is the main factor for the user satisfaction.
Such architecture could help to achieve more infrastructural and architectural flexibility providing a free technology choice for the local operators and thus, in the final run, reducing the costs and offering more choices for the users. By featuring more flexibility, this step to further diversification gives new opportunities and could help, for example, to reduce the cost or to mitigate some aspects of the digital divide problem.
At the same time, this task is not technologically simple. As could be seen from the previous examples, the service-oriented design approach is a straightforward technological way to conceive a network dedicated to the needs of one single service. Provision of more services within the same infrastructure makes it more difficult to assure that every service individually is provided in a satisfactory way. We can generally allege that the QoS in the multi-services network is more difficult to maintain because very different requirements have to be fulfilled by the same infrastructure. Yet, owing to this common homogeneous infrastructure, with the network-oriented design it is still relatively easy to conceive systems enabling a comprehensive network management. The necessary dynamic infrastructure-to-service adaptation (e.g., for QoS) can then be achieved using the integrated management functions.
The step to the user-oriented design potentially implies a broad diversification of data transport technologies providing different services. Thus, the resulting systems inherit the problems of the dynamic per-service QoS provision. Additionally, we run into difficulties trying to consolidate all
these different technologies and make them do what the operator wants. This applies to the network management in general. In particular, it concerns the mentioned QoS provision problematic and also raises diverse security considerations, both of the operators (infrastructure control and protection, resource usage control, accounting and billing) and of users (data confidentiality, location privacy, flawless billing).
Hence, the user-oriented design opens new possibilities but potentially results in a heterogeneous environment. To be deployed and maintained by the operators, this environment needs to be understandable, manageable, flexible, and secure. To be used, it needs to be user-friendly, reliable, and fair. In particular, users should be able to use different services over different infrastructures in the same, familiar manner.
Thus, we need to develop more flexible infrastructures and more sophisticated mechanisms for infrastructure access incorporating but hiding the whole technological complexity. These mechanisms should provide adaptability to both users and contents. Here we concentrate on heterogeneous network access mechanisms and the necessary corresponding network management functions in the scope of the future integrated environments.
Multi-Provider Network Environment
For 4G, the accent lies on users and the requested services (Pereira, 2000). For the flexibility and cost reasons, the 4G architecture has to be able to integrate different technologies to provide services to users. Services are diverse offerings, commercial or free, ranging from a basic connectivity (e.g., to the Internet) to more sophisticated services such as voice calls or instant messaging (IM). To provide more complex services, some providers can use services proposed by other providers.
We see 4G as a potentially open, heterogeneous, user-oriented architecture, consisting of different service and ANs. These networks are operated by different authorities. We call such authorities service providers1 if access to services is possible over their respective infrastructures or networks. The global 4G architecture is shown in Figure 0-1. It is composed of a panoply of service provider networks (SPNs) connected by an IP-based core network for any global data exchanges. SPNs principally support different wireless ANs. AN technology can range from personal to wide area networks.
Each provider may, but is not required to, have its own users and propose multiple services over different ANs. Users are defined as logical system identities subject to the service contract between two legal bodies, one representing the provider and the other representing the served user. This definition implies that every user corresponds to a service contract with exactly one provider.2 Note that this contract requirement does not imply any price models or restrictions. Since every user corresponds to one legal body, we use these terms interchangeably in the rest of the document unless explicitly distinguished.
The service contract provides the trust relationship and the set of authorizations. From the user’s point of view, the provider from the corresponding service contract is called home provider. If a user uses a provider only for user identification, authorization, and billing services, we call this provider a virtual operator3 (Zhang, Li, Weinstein, & Tu, 2002). Virtual operators (VOs) can but do not need to have their own infrastructures. Typical VOs are, for example, 2G or 3G providers (because of their existent user database), miscellaneous resellers but also credit card issuers, banks, public remote authentication services, and so forth.4
Providers may (but are not required to) serve users for whom they are not home providers. Providers may propose access to services in their own and in other infrastructures (e.g., in the Internet or in user’s home network). The necessary network interconnection can be based upon private infrastructure interconnections of several providers or it can be based on a public backbone like the Internet. This and other definitions, for example, service level agreements, price agreements, mutual agreements on user authorization in visited networks, and so forth are subjects of so-called roaming agreements signed between the legal bodies representing the providers. Using these roaming agreements, providers can verify identities and profiles of visiting users whom we call visitors.
[Figure: 4G architecture diagram. Labels: SPN A, SPN B, SPN C, SPN D, IP backbone, PDP, PEP, PSTN, WLAN C or LAN. Legend: data traffic, control traffic; SPN C = Service Provider Network C.]
management purposes such as proprietary console or Web-based management, SNMP (Case, Fedor, Schoffstall, & Davin, 1990), COPS (Durham et al., 2000), GMPLS, and so forth.
Possible Approaches to 4G
On a high abstraction level, three approaches to 4G are theoretically possible (Varshney & Jain, 2001).
Multimode Devices
Multimode devices (which already exist on the market, e.g., GSM/WiFi phones, PDAs with 802.11 WLAN, Bluetooth and GSM access modules, smartphones with Bluetooth capabilities, etc.) easily expand the effective coverage area managing the cooperation issues by the installed software. This concept pushes the 4G connection management complexity to the terminals, that is, it does not require any additional complexity in the wireless networks. However, the terminal equipment has to integrate operational logics including not only every technology-specific treatment but also the translation of quite different technological parameters to be able to make decisions. It is not clear if this can be done in an economically reasonable fashion for multiple, very different technologies, in particular taking into account the vertical (in the sense of the ISO/OSI model) complexity of QoS, security, and mobility management.
Overlay Networks
Another possibility is the installation of an overlay network of 4G access points situated above the actually available wireless networks. Note that in this approach the devices will still need to have several network interfaces to be able to access the entire infrastructure. The distinction lies in the additional complexity, which is completely shifted to the overlay. The requirements on the underlying technology are minimal. The overlay has to define the necessary signaling and transport functions. Besides the physical access to the used technology, the wireless device has to implement the overlay access module that will implement 4G signaling, 4G management, 4G security, 4G transport, and so forth functions. An example for such architecture would be the well-known All-IP approach discussed in the following sections.
Common Access Protocol
The third possibility is to unify the access protocols of the wireless networks, thus enabling users to access the 4G network by some standard means. This possibility implies separation of the transport and the control planes. Further, it is necessary to identify technology-specific functions that are part of the control plane. These functions have to be externalized and reflected by an abstraction layer/abstraction application program interface (API) that could then implement this common access protocol.
Note that this list is exhaustive (meaning that there are no other possible approaches to an integrated 4G system in the sense of the previous section). However, the mentioned alternative approaches are not necessarily mutually exclusive. It is imaginable to have some combinations of these general high-level approaches in a final solution. In the following, we present some of the proposed 4G architectures classifying these according to the previous scheme.
Related Work
Related Work on 4G Architectures
In Raivio (2001) the author discusses the currently most popular approach to 4G. This approach is based on a common Internet core for different networks, unifying everything over IP and the related Internet Engineering Task Force (IETF) technologies. With respect to this so-called All-IP (sometimes Full-IP) approach, the author briefly discusses the possibilities and the deficiencies of the concerned IETF protocols including the authentication, authorization, and accounting framework (AAA), Mobile IP, IPv6, IPsec, and SIP. The author points out that this approach is straightforward but also problematic in terms of QoS, security, and mobility management.
The presented All-IP idea is the current state of the art approach in the high-level 4G research. In the classification given in the previous section, All-IP represents an overlay network approach. The IP network is used as an overlay that integrates different technologies. IP technologies are used for both control and transport planes. IP base stations are used as access points in that 4G vision.

In Otsu, Okajima, Umeda, and Yamao (2001) the authors research a possible core network design for 4G systems. Describing the current situation of the telecommunications and the predominance of IP-based applications, they give an outlook on estimated traffic in the future generation of wireless systems. Then they discuss possible wireless transmission characteristics in terms of transmission bit rate, spectrum, area coverage, and hierarchical service area and define such network requirements as seamless connections, reduction in the number of control messages, short delay at handover, reduction of cost per bit, service integration based on IP, and movable network support. The network architecture is then defined as a core network (CN) connecting different ANs like a future, yet-to-be-defined 4G-RAN, and already existing WLAN, 3G, and PSTN to the Internet. CN and 4G-RAN are completely IP-based. The terminals have IP-addresses assigned. The CN is directly connected to 4G-RANs and the Internet and uses gateways to connect to the public switched telephone network (PSTN) and 3G. Mobility management is done by using the hierarchical Mobile IPv6 approach. Additionally, the article discusses some issues in the 4G-RAN configuration. In other words, this proposal is an instantiation of the All-IP approach.

Another All-IP proposal is discussed in Yumiba, Imai, and Yabusaki (2001). The recognized requirements here are huge (IP-multimedia) traffic handling, advanced mobility management (MM), diversified radio access support, seamless service, and application service support. The authors then discuss possible solutions for MM and seamless services and name Mobile IP, Cellular IP, and similar techniques. However, they recognize the deficiencies of such systems since they are hardly suited to provide a mobility management of the same quality as is the case in 3G. The authors claim that the networks beyond IMT2000 should be much more location-registration oriented and should identify the location registration management as a study topic. For instance, hierarchical or concatenated location registration techniques have to be studied. Then they discuss handover issues distinguishing local handovers and overall network handovers and identify this feature as a further study object.

Trying to provide an infrastructure-independent access to services and applications for highly mobile users, Kellerer, Vögel, and Steinberg (2002) present a solution based on a communication gateway. Originally driven by an automobile environment, the basic idea is to install an intermediate element between the actual user equipment and the serving networks. From the network point of view, such a communication gateway thus resides within the end-system. Including caching and switching units, the gateway provides a general middleware interface to the applications. Thus, this approach pushes the intelligence towards the end-systems, trying to map user requests at their origin to available networks and services. In our classification, this proposal represents the multi-mode device approach.

Becchetti, Priscoli, Inzerillli, Mähönen, and Muñoz (2001) take a slightly different approach. Mainly dealing with QoS support over different wireless infrastructures, they define a new intermediate layer between the IP and the second layers. This wireless application layer (WAL) then provides a QoS-generic interface for IP featuring uniform guaranteed link reliability and traffic control. The position of WAL in the ISO/OSI model implies a hop-by-hop QoS agreement logic. The details on the modular architecture of WAL, its class and association based QoS provision, Snoop TCP method to avoid congestions in the TCP layer can be found in the paper. In our classification this proposal is an overlay proposal since WAL instances have to be integrated in the terminals and in the access points. IP is used as a general transport in the All-IP manner, but the technological heterogeneity is hidden within the WAL, which acts as a convergence sub-layer. WAL
instances rely on SNMP to build the necessary decision bases and so forth.

Related Work on 4G Security

The user verification and network access in different heterogeneous environments represents one of the major 4G problems. This is discussed later in detail. One of the problems is the access protocol but there are only some open questions concerning the back-end trust architectures and multi-domain, multi-party AAA.

An interesting related work seems to be Zhang et al. (2002). Introducing the concept of a so-called virtual operator, the authors describe how an authentication service reachable over the Internet could authenticate its users in a foreign hot spot environment using AAA. As potential virtual operators the authors see ISPs, content providers, cellular operators, or pre-paid card issuers. To reduce the number of necessary trust relationships between potentially numerous hot spot operators and diverse virtual operators, the authors propose a commonly trusted broker entity.

IETF currently works on the protocol for carrying authentication for network access (Forsber, Ohba, Pati, Tschofenig, & Yegin, 2003) in its PANA working group. PANA specifies an architecture very similar to the IEEE 802.1X architecture used in this work for LAN/WLAN access. PANA is link layer agnostic transporting authentication information between the PANA client and PANA authentication agent at higher layers. Since it is principally capable of identifying users, PANA could thus be used as a common access protocol to heterogeneous networks. However, since PANA has to access a higher level element, the L2 mostly remains unprotected. Also, after the (unprotected) L2 establishment, the local PANA client needs to discover its network’s pendant, the PANA authentication agent (PAA). This involves discovery broadcasts and round trips. PANA here nicely illustrates the problems inherent to higher layer network access: questionable security, holes in the access controllers, broadcasting in the access phase, and high network access latency.

Besides, PANA does not optimally support mobility: Without additional mechanisms, the authentication has to be completely restarted at the next visited PAA (even within the same network). Such mechanisms could be a L3 (i.e., in the 4G scope typically IP) context transfer protocol that would allow arbitrary context transfers between PAAs. IETF will shortly publish its context transfer protocol (CTP) specification (Nakhjiri, Perkins, & Koodli, 2004) as an experimental standard. However, the payload formats for CTP have to be specified too.

The work on the public access wireless networks (PAWNs) can be interesting in the 4G scope since it has to practically resolve several problems very similar to the anticipated 4G problems. PAWNs are typically implemented with IEEE 802.11 technology. Since the integrated 802.11 mechanisms are insufficient for almost all typical PAWN areas (per user quality of service, system-wide mobility, security, user network access, etc.), the solutions proposed for PAWNs are typically completely decoupled from the underlying technology. Hence, the practical experiences gained in such installations are of tremendous importance for the 4G research.

An approach for WLAN hot spots providing a secure wireless Internet access in public places is Microsoft’s CHOICE (Bahl, Balachandran, & Venkatachary, 2001). The authors build a network that globally authenticates users and then securely connects them to the Internet via a serving 802.11 WLAN. A reasonable argumentation against IPsec for this purpose can be found in the publication. Introducing a new software module (PANS) instead of IPsec, the architecture promises authorization, access control, privacy, security, last hop quality of services, and accounting. However, this software (responsible for packet marking on mobile hosts) has to be installed on all mobile terminals, effectively modifying protocol stacks. The WLAN itself is open but does not allow any connections to any other networks, except for HTTPS connections to the global authenticator (global MS Passport service) and HTTP to the local Web server where, for example, the software module can be downloaded. Network’s PANS authorizer module obtains key information from the global authenticator after successful user authentication. The authorizer can also install all required policies.
environment where a mutual preliminary user-network trust does not necessarily exist and must be established by some means (typically involving management subsystems and signaling before the user identity can be verified).

The serving network protection is one of the critical points to ensure service continuity and investment in new infrastructures. From the secure mobility discussions (such as Mobile IP security), we know that visited networks are often overexposed to resource consumption and denial of service. In our 4G vision, an SPN has to be protected from the users on the user-network interface and from the outer world on its backbone interface(s), including protection from other providers.

User Vulnerabilities

As a wireless user is vulnerable to unauthorized data access, traps/impostors, and disinformation, the user must be protected from abuse by third parties and from the part of the serving SPNs. Given a rising part of the M2M communications and the wish for infrastructureless communications, the user device is also vulnerable to attacks by other devices involved in the provision of the consumed services (impostors, data modifications, data sniffing, man-in-the-middle) and by devices consuming services provided by the user device (denial of service, abuse).

Connected to multiple interfaces over several providers the device is naturally multi-homed. It is potentially exposed to all attacks over the established connections, including malicious code intrusion (viruses, spyware, and worms).

User vulnerability includes headset vulnerability. A typical 4G headset featuring several active interfaces is naturally exposed to different kinds of attacks, such as attacks on device drivers of the communication interfaces, attacks against the transport and signaling communication stacks, and attacks against all services potentially provided or assisted by the headset itself (e.g., file sharing, localization, auto-update). An important and often forgotten point is device theft. Today, mobile devices are trendy and, having a rich and versatile feature set, can be quite expensive. They have become an important accessory and manufacturers are doing their best to render them more portable and more powerful at the same time. It is obvious that these devices have become an interesting target for thieves. Thus, physical device security is an important but insufficient subject. Mobile handsets can store important personal user data (address books, access codes, professional data, personal medical information). Remote device deactivation, blocking, and erasure seem important future security features.

A 4G user needs a particular protection to ensure his/her anonymity and an offer-consistent and verifiable billing. Without any protection, in an international multi-provider 4G environment, a user can be an easy target for both price fraud (charging wrong prices, charging incorrect usage) and user tracking.

Heterogeneous Security

Current wireless technologies have different security considerations and provide corresponding security definitions in the standards. The latter are naturally dedicated to the respective link layer and thus concentrate on the implementation within the network interface cards, adapters, and so forth. In 4G, different link layer technologies are likely to coexist for the reasons explained in the previous sections. Also, the focus changes: in the personal communications the security focus should be on users, not on network devices.

The problem with the characteristic 4G security is twofold. On the one hand, there are very basic open questions that have to be answered by the ongoing research by weighing practical constraints against the required security level. What is security in 4G if we do not know what 4G looks like, what services it is supposed to provide, and in which environments it is going to operate? The system architecture is crucial for the security considerations. Additionally, we need trust and threat models. What are the capabilities of potential attackers? Which ANs will be used and how? Trust models should correspond to the probable usage scenarios. For instance, if users are not “owned” by providers (Pereira, 2000), how can
trust be established and to whom? With all that, a consistent security policy has to be defined along with the security architecture, identifying technology-independent subjects, objects, relationships, authorizations, threats, and protective measures. This is however difficult and defines a problem (known as heterogeneous security).

On the other hand, there are practical problems concerning the technical applicability of solutions. The security solutions proposed by the wireless technologies are limited to the identified needs. They are thus different from technology to technology reflecting its expected usage. Very often, they fail to fulfill the security requirements, typically because of conceptual or implementational flaws. But even if their implementation is correct, their scope is naturally wrong: as access security, they aim to provide link security, but ultimately providers need service access security and users need personal data security.

How can the defined security policy for the entire system be applied and enforced to all system entities given that the available solutions are different, potentially flawed, and limited to system parts? For instance, if the security policy identifies link encryption as a necessary confidentiality implementation, how can this be universally activated and with which keys and properties? How can we guarantee an adequate, comparable strength of the different encryption mechanisms? What to do with the technologies that do not provide link encryption? The security policy must consider these cases and provide answers to such questions.

4G Security Layer

The aforementioned practical problems with the 4G security can be avoided if the technology-dependent security measures are not used. Instead, all security measures could be applied in the overlaid technology. However, it is often insecure or at least inefficient to enforce security in the overlay.

For example, 2G/3G network providers rely on L2 security measures for network access control, frame integrity and link encryption. While the link encryption is not important for the provider, the access control is primordial for infrastructure protection and revenue guarantees. Moreover, the L2 security measures are often implemented in the network interface hardware. Their design includes power consumption and computational resource considerations. A higher level solution would be implemented in the device control logics, that is, typically software. Given the constraints with the 4G terminals (wireless security processing gap), it would be wise to use the hardwired security solutions in the network adapter. Furthermore, in the OSI logic, multiple links could lie between the user and the used L3 device (router), but only one link is possible between the user and any used L2 device. Thus, the L2 security measures are guaranteed to be implemented in the first network entity (the access device), that is, next to the user, at the very edge of the network. That brings the security as close to the user as possible and thus guarantees physical infrastructure protection. Moreover, it potentially scales better since the access devices are designed to support a fixed number of connections, including the connection properties to be enforced. Another point is that higher level security solutions cannot achieve the same user privacy. For instance, user location privacy is in danger since lower layer addresses (such as world-wide unique MAC addresses) cannot be hidden by higher layer security measures.

For reasons stated previously, we think that L2 security is indispensable in 4G. This is by the way also the most characteristic point of 4G: whatever the 4G vision, everybody seems to agree that 4G will be technology-opportunistic, incorporating different wireless ANs in one system. The network access security is thus one of the major challenges, typical and characteristic for 4G.

Network Access Security

A particular security problem is bound to the user network access. The 4G user has a terminal with multiple network interfaces. The security measures for each interface have been designed according to an initial security analysis during the technology standardization phase. Since the technologies are meant for different purposes, the risks and the defined security functions are likely to be different.
The security mechanisms are definitely different. Thus, every interface has different requirements on credentials in terms of identities, expiration policies, initial trust representation, and so forth. These requirements have to be fulfilled since otherwise the interface could be unusable or the access by the means of this interface impossible. If the user definition in the system is consistent, then the 4G user cannot be expected to use multiple identities: in 4G, every network provider needs to be able to identify any given user correctly, in particular in the different ANs, which the user might be using simultaneously. That is important for the authorizations defined in the security policy. It is equally an important requirement for a consistent billing.

Network access can thus be divided into various sub-problems that are treated in more detail in the following.

Network Selection

In the outlined 4G vision, a free service choice is an important design criterion. To provide that choice, users must be able to collect information on the ANs of all available providers. Most importantly, this is required for the decision of which network the user should connect to. For instance, it cannot be generally assumed that every network is accessible for every user (e.g., because the user’s home provider does not have any roaming agreement with the provider of the detected network).

Network selection is a problem since some preliminary network access is necessary prior to authentication, which however should be limited so as not to contradict the security policy. Network selection thus represents a security-usability compromise.

In a dynamic multi-provider multi-technology 4G environment, active exchanges (through signaling, like network discovery) are necessary since the existence of system-wide coherent network identifiers cannot be relied upon. These identifiers have very different meanings in different technologies. For instance, if a 2G provider wants to deploy a supplementary data service over an 802.11 WLAN, what should be used as a network identifier? There is no regulation on service set identification (SSID) naming in the 802.11 WLANs. Besides, in a dynamic 4G environment with the very different proposed services, over different technologies and with different prices, it is difficult to believe that a network identifier alone is a sufficient base for a reasonable network selection decision.

In a user-centric environment, the network selection decision should be made based on physically available networks and channel qualities, user identity and user service authorizations within the encountered networks, and on offered service prices. Especially price display for a given user appears as one of the critical issues in a multi-provider environment characterized by continuous roaming between several different (big/small, national/local, etc.) providers. Indeed, even in 2G with a typical limitation to a handful of providers per location (2-8), users traveling to foreign countries have been known to feel badly informed about pricing of out- and incoming calls. In 4G with multiple-interface terminals and possibly new business models, several providers can be used at the same time, possibly offering similar services at prices depending on dynamic factors such as current network usage (per-session price determination).

The involvement in such rather complex pre-authenticated (Hecker & Labiod, 2004) user-network signaling represents major risks for both network operators (infrastructure intelligence, unpaid resource consumption, denial of service) and users (localization, tracking). Additionally, optimizations are necessary to that recurrent process, which in 4G can be repeated in-session, since it can have an important impact on mobility performance (vertical handover).

User-Network Authentication

A user-network authentication is necessary from the network provider’s point of view to be able to enforce a reliable access control to its resources and to authorize requested service sessions in its infrastructure or at least a transport (connectivity service) over its infrastructure. It is also required by the user’s home provider for authorization and billing.
From the user’s point of view, network authentication permits to verify the received network identity information, guarantees access to the correct environment, and thus permits to establish trust to the serving provider. It helps to eliminate impostors and to protect against man-in-the-middle attacks.

After the service information collection, some networks can be eliminated by policy or user wish (e.g., a pre-configuration of the type “never use provider X” or rules like “always choose the cheapest available service”, etc.) Now, the user can actually access the required services over available networks. A reliable user-network authentication is required at this moment at the latest.

The L2 user-network authentication is a problem in 4G since the logical and technological requirements are very different from technology to technology. We illustrate this on an arbitrary example, comparing UMTS and standard 802.11 security.

UMTS uses an external module (USIM) that hides the actual authentication method from the used device and the visited network. The authenticated logical entities are the USIM and the visited network, represented by the authentication center (AuC). USIM is supposed to grant network access to the device (i.e., also to the user). The USIM is capable of key derivation after a successful authentication.

IEEE 802.11 defines a handshake procedure based on credentials existing between the network (the access point) and the user. The whole procedure (i.e., the authentication method, the exchanges, the cryptographic functions and the success conditions) is hardwired in the network interfaces. The only authenticated entity is the network interface of the user device (i.e., the access point is not authenticated). The authentication does not derive any key material. Moreover, the procedures are almost useless because of several concept errors.

As can be seen, the provided services are very different in terms of capabilities and the achieved security level. However, the purpose of this example is not to blame WLAN security. Today, other security models and methods are available for WLANs (notably the 802.11i introducing a different security model). Nevertheless, this situation exemplifies the normality of a heterogeneous 4G: the security models, the presumed trust relationships, the technical possibilities and the vulnerabilities are very different from technology to technology. The resolution of this problem must not lead per se to security problems. Thus, if the L2 authentication is to be used in the 4G scope, every technology has to fulfill a minimal common requirement set. Otherwise, higher level security has to be used and the associated higher level access controllers have to be collocated with the L2 access devices. If that cannot be guaranteed, this technology should be considered unsuitable for 4G.

From today’s perspective, the requirements on the L2 authentication are cryptographic strength, mutuality, and dynamic key material negotiation for the subsequent session protection. The key material negotiation should provide perfect forward secrecy (PFS), that is, a successful attack on the produced key material should not give any clues on the long-term secret such as the used credentials. User location privacy should be supported, that is, if possible, any user-specific identifiers should be unreadable for a third party.

Note that we do not formulate any requirements on the authentication logic (how many parties involved and how), used protocols, implementation, method placement, or on the used trust representation. However, authentication methods are generally hard to conceive and represent one of the most vulnerable parts of modern cryptosystems. Due to the flaws typically found in the authentication methods during their lifetime, and given the number of different authentication methods in 4G, we additionally require that the authentication method be easily updateable.

Whatever the actual mechanism is, it has to correspond to the performance requirements in terms of possible vertical and horizontal mobility. Fast re-authentication (less RTT) and particularly pre-authentication (over the same or a different interface) seem useful in the 4G context.
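
The selection and suitability rules from the Network Selection and User-Network Authentication sections, written out as an added example (not code from the chapter): candidate networks are dropped by user policy, by missing authorization, and by an L2 authentication that misses the minimal requirement set without a collocated higher-level access controller, and only the remainder is ranked. All class, field and provider names and all sample values are constructed; treating PFS and updateability as hard requirements and identifier hiding as a tie-breaker is an assumption of this example.

```python
from dataclasses import dataclass

# Hard L2 authentication requirements taken from the text above.
L2_MINIMUM = ("cryptographic_strength", "mutual", "negotiates_session_keys",
              "forward_secrecy", "updateable")


@dataclass(frozen=True)
class AccessNetwork:
    provider: str
    technology: str
    l2_properties: frozenset          # subset of L2_MINIMUM, optionally "hides_user_id"
    collocated_higher_layer_ac: bool  # higher-level access controller on the L2 access device
    user_authorized: bool             # e.g. the home provider has a roaming agreement
    price: float                      # offered price for this user (constructed unit)
    link_quality: float               # 0.0 .. 1.0, measured channel quality


def missing_l2_requirements(net):
    """Requirements of the minimal common set that this network's L2 method lacks."""
    return [r for r in L2_MINIMUM if r not in net.l2_properties]


def rejection_reason(net, never_use):
    """Return why a candidate is eliminated, or None if it stays eligible."""
    if net.provider in never_use:
        return "excluded by user policy"
    if not net.user_authorized:
        return "user not authorized in this network"
    missing = missing_l2_requirements(net)
    # A weak L2 method is tolerated only if higher-level security is enforced
    # by an access controller collocated with the L2 access device.
    if missing and not net.collocated_higher_layer_ac:
        return "unsuitable: L2 authentication lacks " + ", ".join(missing)
    return None


def select_network(candidates, never_use=frozenset(), rule="cheapest"):
    """Filter first, rank second. Returns (chosen network or None, rejected dict)."""
    rejected, eligible = {}, []
    for net in candidates:
        reason = rejection_reason(net, never_use)
        if reason:
            rejected[net.provider] = reason
        else:
            eligible.append(net)
    if not eligible:
        return None, rejected
    if rule == "cheapest":
        # Ties on price go to the network that hides user identifiers, then link quality.
        def key(n):
            return (n.price, "hides_user_id" not in n.l2_properties, -n.link_quality)
    elif rule == "best_link":
        def key(n):
            return (-n.link_quality, n.price)
    else:
        raise ValueError("unknown selection rule: " + rule)
    return min(eligible, key=key), rejected


FULL = frozenset(L2_MINIMUM)
# Modelled on the chapter's description of the standard 802.11 handshake:
# one-sided, no key material, hardwired, conceptually flawed.
LEGACY_HANDSHAKE = frozenset()

# Constructed discovery results for one location.
CANDIDATES = [
    AccessNetwork("ProviderX", "3G", FULL, False, True, 0.01, 0.90),
    AccessNetwork("HotspotCo", "802.11", LEGACY_HANDSHAKE, False, True, 0.00, 0.80),
    AccessNetwork("CafeNet", "802.11", LEGACY_HANDSHAKE, True, True, 0.02, 0.60),
    AccessNetwork("CellCo", "3G", FULL | {"hides_user_id"}, False, True, 0.05, 0.70),
    AccessNetwork("RoamFar", "3G", FULL, False, False, 0.01, 0.95),
]

if __name__ == "__main__":
    chosen, rejected = select_network(CANDIDATES, never_use={"ProviderX"})
    print("chosen:", chosen.provider)
    for provider, reason in rejected.items():
        print("rejected:", provider, "-", reason)
```

The free HotspotCo offer never reaches the price comparison: the suitability filter runs before any ranking rule, so a cheaper but unauthenticated network cannot win.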
base for future 4G security. Basically, such standardization efforts should apply to new definitions and adapt the existing technologies, so these could be used in the future 4G landscape.

In 4G, standardization is one of the central discussions. Not everything can be standard, since otherwise we migrate back from the technology-opportunistic vision to a monolithic one-technology-vision. On the other hand, without any standards, hardly any communication is possible. The compromise between what we standardize in the 4G scope and what we leave to the respective technology is the most critical design decision.

The standardization should respect the three introduced interfaces, differentiating user-network, provider-provider, and internal SPN interfaces (mainly management plane).

Virtualization plays an important role for 4G standardization. We can learn from the former experiences that specifying what and how separately is more flexible. To provide adaptation, we need at least a common signaling standard. This represents a seemingly viable alternative approach to the current pure overlay solutions such as All-IP. We could standardize a common 4G signaling protocol, including virtual definitions for network access and data protection phases, and then use the access technologies as is, without any additional changes, as a pure data transport.

Conclusion

The 4G reflections started about 1 02 - are not yet mature enough to present a sound overview of the 4G security. At the current state, there is no common 4G vision and what will eventually be called 4G is an open question.

Independent of that, we believe that the technology-opportunistic system as the one presented in this chapter will eventually be built. That is the reason why the new security problems related to the high system heterogeneity and the new usage scenarios and presented in this chapter seem to be of major importance for the understanding of the vulnerabilities and design of future telecom systems.

More specifically, in this chapter, we present the development process from 1G to 4G discussing telecommunications landscape changes and time scales. We then introduce the current state of the 4G discussion and present our vision of 4G as a technology-opportunistic, user-centric mobile services system built of multi-interface terminals and heterogeneous ANs, bound by a decent management subsystem. Given that 4G shape, conform to the main trend in the current 4G research, we introduce main system interfaces, its links and entities to discuss its vulnerabilities.

We then introduce 4G security requirements, justifying the special character of and insisting on the network access phase. Finally, we propose several high level approaches to 4G security, including virtualization, adaptation and standardization.

References

3rd Generation Partnership Project (3GPP) TS 33.102 Release 99. (n.d.). 3GPP: Technical specification group (TSG), 3G security: Security architecture. Sophia Antipolis Cedex, France: Author.
Al-Muhtadi, I., Mickunas, D., & Campbell, R. (2002, April). A lightweight reconfigurable security mechanism for 3G/4G mobile devices. IEEE Wireless Communications, 9(2), 60-65.
Bahl, P., Balachandran, A., & Venkatachary, S. (2001, June). Secure wireless Internet access in public places. In Proceedings of the IEEE International Conference on Communications (IEEE ICC 2001), Finland.
Becchetti, L., Priscoli, F. D., Inzerillli, T., Mähönen, P., & Muñoz, L. (2001, August). Enhancing IP service provision over heterogeneous wireless networks: A path towards 4G. IEEE Communications Magazine, 39(8), 74-81.
Blake, S., Black, D., Carlson, M., Davies, E., Wang, Z., & Weiss, W. (1998, June). An architecture for differentiated services (RFC 2475). Retrieved from http://www.ietf.org/rfc/rfc2475.txt
Braden, R., Clark, D., & Shenker, S. (1994, June). Integrated services in the Internet architecture: An overview (RFC 1633). Retrieved from http://tools.ietf.org/html/rfc1633
Bria, A., Gessler, F., Queseth, O., Stridh, R., Unbehaun, M., & Wu, J. (2001, December). 4th-generation wireless infrastructures: Scenarios and research challenges. IEEE Personal Communications, 8(6), 25-31.
Case, J. D., Fedor, M., Schoffstall, M. L., & Davin, J. (1990, May). Simple network management protocol (SNMP) (RFC 1157). Retrieved from http://www.ietf.org/rfc/rfc1157.txt
Code Division Multiple Access (CDMA) Development Group. (n.d.). Technology: 3G—cdma2000. Retrieved from http://www.cdg.org/technology/3g.asp
Dell’Uomo, L., & Scarrone, E. (2001, September). The mobility management and authentication/authorization mechanisms in mobile networks beyond 3G. IEEE Personal, Indoor and Mobile Radio Communications, 1, C44-C48.
Dierks, T., & Allen, C. (1999, June). The TLS protocol version 1.0 (RFC 2246). Retrieved from http://www.ietf.org/rfc/rfc2246.txt
Durham, D. (Ed.), Boyle, J., Cohen, R., Herzog, S., Rajan, R. & Sastry, A. (2000, January). The COPS (common open policy service) protocol (RFC 2748). Retrieved from http://www.rfc-editor.org/rfc/rfc2748.txt
Emmerich, W. (2000, June). Engineering distributed objects. John Wiley & Sons.
Evans, B. G., & Baughan, K. (2000, December). 4G visions. IEEE Electronics & Communications Engineering Journal, 12(6), 293-303.
Forsber, D., Ohba, Y., Pati, B., Tschofenig, H., & Yegin, A. (2003, March). Protocol for carrying authentication for network access. IETF PANA Working Group Draft, work in progress. Internet Engineering Task Force.
Friday, A., Wu, M., Schmid, S., Finney, J., Cheverst, K., & Davies, N. (2001, July). A wireless public access infrastructure for supporting mobile context-aware IPv6 applications. In Proceedings of the ACM 1st Workshop on Wireless Mobile Internet, Rome, Italy (pp. 11-18).
Ginzboorg, P. (2000, November). Seven comments on charging and billing. Communications of the ACM, 43(11), 89-92.
Global System for Mobile Communications (GSM) 11.11 (n.d.). Digital cellular telecommunication system (Phase 2+), specification of the subscriber identity module—Mobile equipment (SIM-ME) interface. Author.
Global System for Mobile Communications (GSM) Association. (n.d.). 3GSM platform. Retrieved from http://www.gsmworld.com/technology/3g/index.shtml
Gupta, V., & Gupta, S. (2002, March). KSSL: Experiments in wireless Internet security. In Proceedings of the Wireless Communications and Networking Conference (pp. 860-864).
Hecker, A. (2005, March 16). On logical network access control and the associated user and network management in future heterogeneous 4G wireless systems. Computer Science and Networking Department, Ecole Nationale Supérieure des Télécommunications (ENST), Paris, France.
Hecker, A., & Labiod, H. (2004). Pre-authenticated signaling in wireless LANs using 802.1X access control. In Proceedings of the IEEE GLOBECOM 2004, Dallas, TX.
IEEE Draft 802.11e. (2003, February). Draft supplement to standard for telecommunications and information exchange between systems—LAN/MAN specific requirements—Part 11: Wireless medium access control (MAC) and physical layer (PHY) specifications: Medium access control (MAC) enhancements for quality of service (QoS). Author.
IEEE Draft 802.11i. (n.d.). Draft supplement to IEEE Std. 802.11 Part 11: Specifications for enhanced security. Author.
IEEE Standard 802.11F. (2003, July). Trial-use recommended practice for multi-vendor access
Security in 4G
point interoperability via an inter-access point bile Communication Technologies (pp. 346-350).
protocol across distribution systems supporting
Raychaudhuri, D. (2002, September). 4G network
IEEE 802.11 operation. Author.
architectures: WLAN hot-spots, infostations and
IEEE Standard 802.1X. (2001, June). Port-based beyond... In IEEE PIMRC 2002 Keynote Talk,
network access control. Author. Lisbon, Portugal.
International Telecommunication Union-Radio Rosen, E., Viswanathan, A., & Callon, R. (2001,
Communication Sector (ITU-R) World Radio- January). Multiprotocol label switching architec-
communication Conference, Retrieved from ture (RFC 3031). Retrieved from http://tools.ietf.
http:www.
/ itu.int/ITU-R/index.asp?category=co org/html/rfc3031
nferences&link=wrc&lang=en
Schulzrinne, H., & Wedlund, E. (2000, July). Ap-
Kellerer, W., Vögel, H.-J., & Steinberg, K.-E. (2002, plication-layer mobility using SIP. ACM Mobile
March). A communication gateway for infrastruc- Computing and Communications Review, 4(3),
ture-independent 4G wireless access. IEEE Com- 47-57.
munications Magazine, 40(3), 126-131.
Tsao, S.-L., & Lin, C.-C. (2002, September).
Kent, S., & Atkinson, R. (1998, November). Design and evaluation of UMTS-WLAN inter-
Security architecture for the Internet protocol working strategies. In Proceedings of the IEEE
(RFC 2401). Retrieved from http://www.ietf.org/ 6th
5 Vehicular Technology Conference (VTC),
rfc/rfc2401.txt Vancouver, Canada.
Misra, A., Das, S., Dutta, A., McAuley, A., & Das, Van Damme, E. (2002, May 4-5). The European
S. K. (2002, March). IDMP-based fast handoffs UMTS-auctions. European Economic Review,
and paging in IP-based 4G mobile networks. IEEE 6,846-858.
4
Communications Magazine, 40(3), 138-145.
Varshney, U., & Jain, R. (2001, June). Issues in
Nakhjiri, M., Perkins, C., & Koodli, R. (2004, emerging 4G wireless networks. IEEE Computer,
August). Context transfer protocol. In J. Loughney 34(6), 94-96.
(Ed.), Approved IETF draft, work in progress.
Yahalom, R., Klein, B., & Beth, Th. (1993, May).
Internet Engineering Task Force.
Trust relationships in secure systems—A distrib-
Otsu, T., Okajima, I., Umeda, N., & Yamao, Y. uted authentication perspective. In Proceedings of
(2001, October). Network architecture for mobile the IEEE ComSoc Symposium on Research in Se-
communications systems beyond IMT-2000. curity and Privacy, Oakland, CA (pp. 150-164).
IEEE Personal Communications Magazine, 8(5),
Yumiba, H., Imai, K., & Yabusaki, M. (2001, Oc-
31-37.
tober). IP-based IMT network platform. IEEE Per-
Peirce, M. (2000, October). Multi-party electronic sonal Communications Magazine, 8(5), 18-23.
payments for mobile communications. Unpublished
Zhang, T., & Agrawal, P., & Chen, J.-C. (2001,
PhD thesis, Department of Computer Science,
October). IP-based base stations and soft handoff
University of Dublin, Trinity College.
in all-IP wireless networks. IEEE Personal Com-
Pereira, J. M. (2000, September). Fourth generation: munications Magazine, 8(5), 24-30.
Now, it is personal! In Proceedings of the IEEE
Zhang, J., Li, J., Weinstein, S., & Tu, N. (2002,
International Symposium on Personal, Indoor and
July). Virtual operator based AAA in wireless
Mobile Radio Communications (PIMRC) London
LAN hot spots with ad-hoc networking support.
(Vol. 2, 1009-1016).
ACM Mobile Computing and Communications
Raivio, Y. (2001, March). 4G—Hype or reality Review,6(3), 10-21.
(Conference Publication No. 477). In IEE 3G Mo-
Security in 4G
Endnotes
1 Since users are the main focus of our work, we prefer this term to the synonymic operator, which refers to the infrastructure.
2 This is not limiting since any legal body can have multiple user assignments.
3 This is used consistently to the original definition given in Zhang et al. (20). However, since in this special case no infrastructure exists, the actually “operated” entity is the user. This term is thus also consistent with our strictly user-oriented view.
4 That underlines the fact that our model mainly requires the service contract as a means for a reliable user identification. Indeed, without any pre-established trust, no reliable billing is possible.
5 International Mobile Telecommunications 2000, ITU’s common name for different 3G variants.
6 Note that generally these two problems are not equivalent. However, in our 4G vision we suppose that SPNs are organized as integrated transport and services networks run by the same authority. In that view, the difference between the two is of a very technical nature; it is merely limited to and by the internal SPN organization.
7 Although the lower layer address and the user identity are two completely different identifiers, one initial passive network observation in the proximity of a victim allows an establishment of a direct relationship.
Chapter XIX
Security Architectures for B3G
Mobile Networks
Christoforos Ntantogian
University of Athens, Greece
Christos Xenakis
University of Piraeus, Greece
Abstract
The integration of heterogeneous mobile/wireless networks using an IP-based core network materializes
the beyond third generation (B3G) mobile networks. Along with a variety of new perspectives, the new
network model raises new security concerns, mainly, because of the complexity of the deployed archi-
tecture and the heterogeneity of the employed technologies. In this chapter, we examine and analyze the
security architectures and the related security protocols, which are employed in B3G networks focusing
on their functionality and the supported security services. The objectives of these protocols are to protect
the involved parties and the data exchanged among them. To achieve these, they employ mechanisms that
provide mutual authentication as well as ensure the confidentiality and integrity o
over the wireless interface and specific parts of the core network. Finally, based on the
security mechanisms, we present a comparison of them that aims at highlighting the deployment advan-
tages of each one and classifies the latter in terms of: (1) security, (2) mobility,
and (3) reliability.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
(WLAN-AN), while the second allows a user to connect to packet switch (PS) based services (such as wireless application protocol [WAP], mobile multimedia services [MMS], location-based services [LBS] etc.) or to the public Internet, through the 3G public land mobile network (PLMN).
Along with a variety of new perspectives, the new network model (3G-WLAN) raises new security concerns, mainly, because of the complexity of the deployed architecture and the heterogeneity of the employed technologies. In addition, new security vulnerabilities are emerging, which might be exploited by adversaries to perform malicious actions that result in fraud attacks, inappropriate resource management, and loss of revenue. Thus, the proper design and a comprehensive evaluation of the security mechanisms used in the 3G-WLAN network architecture is of vital importance for the effective integration of the different technologies in a secure manner.
In this chapter we examine and analyze the security architectures and the related security protocols, which are employed in B3G, focusing on their functionality and the supported security services for both WLAN Direct IP Access and 3GPP IP Access scenarios. Each access scenario (i.e., WLAN Direct Access and WLAN 3GPP IP Access) in B3G networks incorporates a specific security architecture, which aims at protecting the involved parties (i.e., the mobile users, the WLAN, and the 3G network) and the data exchanged among them. We elaborate on the various security protocols of the B3G security architectures that provide mutual authentication (i.e., user and network authentication) as well as confidentiality and integrity services to the data transferred over the air interface of the deployed WLANs and specific parts of the core network. Finally, based on the analysis of the two access scenarios and the security architecture that each one employs, we present a comparison of them. This comparison aims at highlighting the deployment advantages of each scenario and classifying them in terms of: (1) security, (2) mobility, and (3) reliability.
The rest of this chapter is organized as follows. The next section outlines the B3G network architectures and presents the WLAN Direct IP Access and the 3GPP IP Access scenarios. The third section elaborates on the B3G security architectures analyzing the related security protocols for each scenario. The fourth section compares the security architectures and consequently, the two access scenarios. Finally, the fifth section contains the conclusions.
Background
The B3G Network Architecture
As shown in Figure 1, the B3G network architecture includes three individual networks: (I) the WLAN-AN, (II) the visited 3G PLMN, and (III) the home 3G PLMN. Note that Figure 1 illustrates the architecture for a general case where the WLAN is not directly connected to the user’s home 3G PLMN. The WLAN-AN includes the wireless access points (APs), the network access servers (NAS), the authentication, authorization, accounting (AAA) proxy (Laat, Gross, Gommans, Vollbrecht, & Spence, 2000), and the WLAN-access gateway (WLAN-AG). The wireless APs provide connectivity to mobile users and act like AAA clients, which communicate with an AAA proxy via the Diameter (Calhoun, Loughney, Guttman, Zorn, & Arkko, 2003) or the Radius (Rigney, Rubens, Simpson, & Willens, 1997) protocol to convey user subscription and authentication information. The AAA proxy relays AAA information between the WLAN and the home 3G PLMN. The NAS allows only legitimate users to have access to the public Internet, and finally, the WLAN-AG is a gateway to 3G PLMN networks. It is assumed that WLAN is based on the IEEE 802.11 standard (IEEE std 802.11, 1999).
On the other hand, the visited 3G PLMN includes an AAA proxy that forwards AAA information to the AAA server (located in the home 3G PLMN), and a wireless access gateway (WAG), which is a data gateway that routes users’ data to the home 3G PLMN. On the other hand, the home 3G PLMN includes the AAA server, the packet data gateway (PDG) and the core network elements
of the universal mobile telecommunications system (UMTS), such as the home subscriber service (HSS) or the home location register (HLR), the Gateway GPRS support node (GGSN) and the Serving GPRS support node (SGSN). The AAA server retrieves authentication information from the HSS/HLR and validates authentication credentials provided by users. The PDG routes user data traffic between a user and an external packet data network, which is selected based on the 3G PS-services requested by the user. The latter identifies these services by means of a WLAN-access point name (W-APN), which represents a reference point to the external IP network that supports the PS services to be accessed by the user.
As mentioned previously, the integrated architecture of B3G networks specifies two different network access scenarios: (1) the WLAN direct IP access and (2) the WLAN 3GPP IP Access. The first scenario provides to a user connection to the public Internet or to an intranet via the WLAN-AN. In this scenario both the user and the network are authenticated to each other using the extensible authentication protocol method for GSM subscriber identity modules (EAP-SIM) (Haverinen & Saloway, 2006) or the Extensible Authentication Protocol-Authentication and Key Agreement (EAP-AKA) (Arkko & Haverinen, 2006) protocol. Moreover, in this scenario the confidentiality and integrity of users data transferred over the air interface is ensured by the 802.11i security framework (IEEE std 802.11i, 2004). On the other hand, the WLAN 3GPP IP Access scenario allows a WLAN user to connect to the PS services (like WAP, MMS, LBS, etc.) or to the public Internet through the 3G PLMN. In this scenario, the user is authenticated to the 3G PLMN using the EAP-SIM or alternatively the EAP-AKA protocol encapsulated within IKEv2 (Kaufman, 2005) messages. The execution of IKEv2 is also used for the establishment of an
Chapter XXII
Security in 2.5G Mobile Systems
Christos Xenakis
University of Piraeus, Greece
Abstract
The global system for mobile communications (GSM) is the most popular standard that implements sec-
ond generation (2G) cellular systems. 2G systems combined with general packet radio services (GPRS)
are often described as 2.5G, that is, a technology between the 2G and third generation (3G) of mobile
systems. GPRS is a service that provides packet radio access for GSM users. This chapter presents the
security architecture employed in 2.5G mobile systems focusing on GPRS. More specifically, these
measures applied to protect the mobile users, the radio access network, the fixed part
and the related data of GPRS are presented and analyzed in detail. This analysis reveals the security
weaknesses of the applied measures that may lead to the realization of security attacks by adversaries.
These attacks threaten network operation and data transfer through it, compromising end users and
network security. To defeat the identified risks, current research activities on the G
a set of security improvements to the existing GPRS security architecture.
GSN (SGSN) is responsible for the delivery of data packets from, and to, an MS within its service area. Its tasks include packet routing and transfer, mobility management, logical link management, and authentication and charging functions. A gateway GSN (GGSN) acts as an interface between the GPRS backbone and an external PDN. It converts the GPRS packets coming from the SGSN into the appropriate packet data protocol (PDP) format (e.g., IP), and forwards them to the corresponding PDN. Similar is the functionality of GGSN in the opposite direction. The communication between GSNs (i.e., SGSN and GGSN) is based on IP tunnels through the use of the GPRS tunneling protocol (GTP) (3GPP TS 09.60, 2002).
GPRS Security Architecture
In order to meet security objectives, GPRS employs a set of security mechanisms that constitutes the GPRS security architecture. Most of these mechanisms have been originally designed for GSM, but they have been modified to adapt to the packet-oriented traffic nature and the GPRS network components. The GPRS security architecture, mainly, aims at two goals: (1) to protect the network against unauthorized access, and (2) to protect the privacy of users. It includes the following components (GSM 03.20, 1999):
• Subscriber identity module (SIM)
• Subscriber identity confidentiality
• Subscriber identity authentication
[Figure: diagram labels MSK of EAP-SIM or EAP-AKA, GMK, prf, PTK]
user’s address, the AP’s address, the Snonce value, and the Anonce value, as follows:
PTK = prf(MSK, “Pairwise key expansion”, Min(AP address, user’s address) | Max(AP address, user’s address) | Min(Anonce, Snonce) | Max(Anonce, Snonce)), (7)
where prf is a pseudo random function, “Pairwise key expansion” is a set of characters, and, finally, the Min and Max functions provide the minimum and maximum value, respectively, between two inputs. In the sequel, the generated PTK key is partitioned to derive three other keys: (1) a 128-bits key confirmation key (KCK) that provides integrity services to EAPOL-Key messages, (2) a 128-bits key encryption key (KEK) used to encrypt the GTK key as described next, and, (3) a 128-bits temporal key (TK) used for user’s data encryption (see Figure 4).
• After the calculation of these keys, the user forwards to the AP the second EAPOL-Key message (step 2-Figure 5) that includes the Snonce, the user’s Robust Security Network Information Element (RSN IE) payload, which denotes the set of authentication and cipher algorithms that the user supports, and a message integrity code (MIC), which is a cryptographic digest used to provide integrity services to the messages of the four-way handshake and it is computed as follows:
MIC = HASH_KCK(EAPOL-Key message), (8)
where HASH_KCK denotes a hash function (i.e., HMAC-MD5 or HMAC-SHA-128) that uses the KCK key to generate the cryptographic hash value over the second EAPOL-Key message.
• Upon receiving this message, the AP calculates the key PTK and the related keys (i.e., KCK, KEK, and TK keys), (the same with the user), and, then, verifies the integrity of the message (producing the MIC value). Next, it generates the 128-bits GTK key from the GMK key as follows:
GTK = prf(GMK, “Group key expansion” | AP address | Gnonce), (9)
where Gnonce is a random number generated from the AP to derive the GTK key
• In the sequel, the AP replies to the user by sending the third EAPOL-Key message (step 3), which includes the Anonce value (the same with the first EAPOL-Key message), an MIC over the third EAPOL-Key message, the AP’s RSN IE, and the GTK key, which is used to protect the broadcast/multicast messages and it is conveyed encrypted using the KEK key, as follows:
Encrypted GTK = ENC_KEK(GTK), (10)
where ENC_KEK denotes the encryption algorithm (i.e., AES or RC4), which uses the KEK key to encrypt the GTK key.
• By receiving this message, the user checks whether the MIC is valid and compares his/her RSN IE with the AP’s RSN IE ensuring that they support the same cryptographic algorithms. If all these checks are correct, the user decrypts the GTK key using the KEK key and sends to the AP the last message of the four-way handshake (step 4), which includes an MIC payload over the fourth EAPOL-Key message, to acknowledge to the AP that he/she has installed the PTK key and the related keys (i.e., KEK, KCK, and TK keys), as well as the GTK key.
• Once the AP receives the fourth EAPOL-Key message, it verifies the MIC as previously. If this final check is successful, the four-way handshake is completed successfully, and both the user and the AP share: (1) the TK key to encrypt/decrypt unicast messages, and (2) the GTK key to encrypt/decrypt broadcast/multicast messages.
In case that the AP wants to provide a new GTK key to the connected users, it executes the group key handshake, as shown in Figure 5.
Figure 5. The four-way and group key handshakes of 802.11i
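The key derivation and MIC check of the four-way handshake (equations 7 to 9) can be traced in code. The following is an added example, not code from the chapter or from any 802.11 implementation; it assumes that prf is the HMAC-SHA1 based PRF specified by IEEE 802.11i, that the 256-bit key fed into it comes from the MSK, and that the second EAPOL-Key message is reduced to Snonce followed by the RSN IE. All addresses, nonces and keys are constructed.

```python
import hashlib
import hmac


def prf_80211i(key, label, data, nbits):
    """PRF-n of IEEE 802.11i: concatenate HMAC-SHA1(key, label || 0x00 ||
    data || counter) for counter = 0, 1, ... and truncate to nbits."""
    out, counter = b"", 0
    while len(out) * 8 < nbits:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[: nbits // 8]


def derive_ptk(pmk, addr_a, addr_b, nonce_a, nonce_b):
    """Equation (7). The Min/Max ordering makes the result independent of
    which side (user or AP) runs the computation."""
    data = (min(addr_a, addr_b) + max(addr_a, addr_b)
            + min(nonce_a, nonce_b) + max(nonce_a, nonce_b))
    ptk = prf_80211i(pmk, b"Pairwise key expansion", data, 384)
    # Partition of the PTK into three 128-bit keys
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def derive_gtk(gmk, ap_addr, gnonce):
    """Equation (9): 128-bit group key derived by the AP from the GMK."""
    return prf_80211i(gmk, b"Group key expansion", ap_addr + gnonce, 128)


def eapol_mic(kck, message):
    """Equation (8), here with HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]


def user_build_message2(pmk, ap_addr, user_addr, anonce, snonce, rsn_ie):
    """User side of step 2: derive the keys, then protect the message."""
    keys = derive_ptk(pmk, ap_addr, user_addr, anonce, snonce)
    body = snonce + rsn_ie  # simplified layout (assumption of this example)
    return body, eapol_mic(keys["KCK"], body), keys


def ap_process_message2(pmk, ap_addr, user_addr, anonce, body, mic):
    """AP side of step 2: the AP learns Snonce from the message, derives the
    same PTK and accepts the message only if the MIC verifies."""
    snonce = body[:32]
    keys = derive_ptk(pmk, ap_addr, user_addr, anonce, snonce)
    if not hmac.compare_digest(eapol_mic(keys["KCK"], body), mic):
        return None
    return keys


# Constructed sample values (not taken from any capture)
PMK = hashlib.sha256(b"constructed key material from EAP").digest()
AP_ADDR = bytes.fromhex("020000000001")
USER_ADDR = bytes.fromhex("020000000002")
ANONCE = hashlib.sha256(b"constructed Anonce").digest()
SNONCE = hashlib.sha256(b"constructed Snonce").digest()
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac010000")


def run_handshake_example():
    body, mic, user_keys = user_build_message2(
        PMK, AP_ADDR, USER_ADDR, ANONCE, SNONCE, RSN_IE)
    ap_keys = ap_process_message2(PMK, AP_ADDR, USER_ADDR, ANONCE, body, mic)
    tampered = body[:-1] + bytes([body[-1] ^ 0x01])  # one bit of the RSN IE
    other_pmk = hashlib.sha256(b"a different constructed key").digest()
    return {
        "keys_match": ap_keys == user_keys,
        "tampered_rejected": ap_process_message2(
            PMK, AP_ADDR, USER_ADDR, ANONCE, tampered, mic) is None,
        "wrong_key_rejected": ap_process_message2(
            other_pmk, AP_ADDR, USER_ADDR, ANONCE, body, mic) is None,
    }


if __name__ == "__main__":
    print(run_handshake_example())
```

A station that does not hold the same pairwise master key derives a different KCK, so its MIC fails at the AP before any TK or GTK is installed.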
Figure 6. The CCMP protocol
• The AP first generates a fresh GTK key from the GMK key and sends an EAPOL-Key message that includes an MIC value and the new GTK key to the users. Note that MIC is computed over the body of this EAPOL-Key message using the KCK key, and the GTK key is conveyed encrypted using the KEK key. Recall that both the user and the AP share the KEK and KCK keys, which were generated in the four-way handshake.
• Upon receiving the previous message, the user employs the KCK key to verify whether the MIC is valid and then, he/she decrypts the GTK key using the KEK key. Finally, he/she replies to the AP with an EAPOL-Key message, which includes an MIC that acknowledges to the AP that he/she has installed the GTK key.
• Once the AP receives this message, it verifies the MIC. If this final verification is successful, then, the group key handshake is completed successfully and the user can encrypt broadcast/multicast messages using the new GTK key.
CCMP Protocol. 802.11i incorporates the CCMP protocol to provide confidentiality and integrity services to users’ data conveyed over the radio interface of WLANs. The CCMP protocol combines the AES encryption algorithm in CounTeR mode (CTR-AES) to provide data confidentiality and the Cipher Block Chaining Message Authentication Code (CBC-MAC) protocol to compute an MIC over the transmitted user’s data that provides message integrity (Whiting, Housley, & Ferguson, 2003).
The operation of the CCMP protocol can be divided into three distinct phases. In phase 1, the CCMP protocol constructs an additional authentication data (AAD) value from constant fields of the 802.11 frame header (IEEE std 802.11, 1999). In addition, it creates a nonce value from the priority field of the 802.11 frame header and from the packet number (PN) parameter, which is a 48-bit counter incremented for each 802.11i protected frame. In phase 2, the CCMP protocol computes an MIC value over the 802.11 frame header, the AAD, the nonce, and the 802.11 frame payload using the CBC-MAC algorithm and the TK key (or the GTK key for broadcast/multicast
Figure 9. The execution of IKEv2 based on EAP-SIM or EAP-AKA
text of WLAN 3GPP IP Access scenario, the user and the PDG execute IKEv2. The authentication of the user is based on EAP-SIM or EAP-AKA, while the authentication of the PDG is based on certificates.
The IKEv2 protocol is executed in two sequential phases (i.e., phase 1 and phase 2). In phase 1, the user and the PDG establish two distinct SAs: (1) a bidirectional IKE_SA that protects the messages of phase 2, and (2) an one-way IPsec_SA that protects user’s data. During phase 2, the user and the PDG using the established IKE_SA can securely negotiate a second IPsec_SA that is employed for the establishment of a bidirectional IPsec based VPN tunnel between them.
The IKEv2 phase 1 negotiation between the user and the PDG is executed in two sub-phases: (1) the IKE_SA_INIT, and (2) the IKE_AUTH exchange, as shown in Figure 9. The IKE_SA_INIT exchange (noted as step 1 in Figure 9) consists of a single request and reply messages, which negotiate cryptographic algorithms, exchange nonces, and do a Diffie-Hellman exchange. In the context of this sub-phase, four cryptographic algorithms are negotiated: (1) an encryption algorithm, (2) an integrity protection algorithm, (3) a Diffie-Hellman group, and (4) a prf. The latter prf is employed for the construction of keying material for all of the cryptographic algorithms used. After the execution of the IKE_SA_INIT, an IKE_SA is established that protects the IKE_AUTH exchange. The second sub-phase (i.e., IKE_AUTH) authenticates the previous messages; exchanges identities and certificates; encapsulates EAP-SIM or alternatively EAP-AKA messages; and establishes an IPsec_SA (step 2-5 in Figure 9). All the messages of IKEv2 include a header payload (HDR), which contains a security parameter index (SPI), a version number, and security-related flags. The SPI is a value chosen by the user and the PDG to identify a unique SA. In the following, the IKEv2 negotiation is analyzed:
• At the beginning of the IKEv2 negotiation (step 1 in Figure 9), the user sends to the PDG the SAi1, which denotes the set of cryptographic algorithms for the IKE_SA that he/she supports, the KEi that is the Diffie-Hellman value, and an Ni value that represents the nonce. The nonce (i.e., a random number at least 128 bits) is used as input to the cryptographic functions employed by IKEv2 to ensure liveliness of the keying material and protect against replay attacks.
• The PDG answers with a message that contains its choice from the set of cryptographic algorithms for the IKE SA (SAr1), its value to complete the Diffie-Hellman exchange (KEr) and its nonce (Nr). At this point, both the user and the PDG can calculate the SKEYSEED value as follows:
SKEYSEED = prf((Ni | Nr), g^ir), (11)
where prf is the pseudo random function negotiated in the previous messages, and g^ir is the shared secret key that derives from the Diffie-Hellman exchange. The SKEYSEED value is used to calculate various secret keys. The most important are: the SK_d used for providing the keying material for the IPsec SA; SK_ei and SK_ai used for encrypting and providing integrity services, respectively, to the IKEv2 messages from the user to the PDG (IKE_SA); and, finally, SK_er and SK_ar that provide security services in the opposite direction (IKE_SA).
Finalizing the IKE_SA_INIT exchange, the IKE_AUTH exchange can start. It is worth noting that from this point all the payloads of the following IKEv2 messages, excluding the message header (HDR payload), are encrypted and integrity protected using the IKE_SA (see step 2 in Figure 9).
• The IKE_AUTH exchange of messages starts when the user sends to the PDG a message that includes his/her identity (IDi), which could be in an NAI format, the CERTREQ payload (optionally), which is a list of the certificate authorities (CA) whose public keys the user trusts, and the traffic selectors (TSi and TSr), which allow the peers to identify
the packet flows that require processing by IPsec. In addition, in the same message the user must include the Configuration Payload Request (CP-Request), which is used to obtain a remote IP address from the PDG and get access to the 3G-PLMN.
• After receiving this information, the PDG forwards to the AAA server the user identity (IDi) including a parameter, which indicates that the authentication is being performed for VPN (tunnel) establishment. This will facilitate the AAA server to distinguish between authentications for WLAN access and authentications for VPN setup.
• Upon receiving the IDi, the AAA server fetches the user’s profile and authentication credentials (GSM triplets if authentication is based on EAP-SIM, or 3G authentication vectors if authentication is based on EAP-AKA) from HSS/HLR (if these are not available in the AAA server in advance).
• Based on the user’s profile, the AAA server initiates an EAP-AKA (if the user possesses a USIM card) or an EAP-SIM authentication (if the user possesses a GSM/GPRS SIM card) by sending to the PDG the first message of the related procedure (i.e., EAP-SIM or EAP-AKA) included in a AAA protocol (i.e., Radius or Diameter) (step 3 in Figure 9). Note that since there is no functional difference between the EAP-SIM and the EAP-AKA authentication when these protocols are encapsulated in IKEv2, we present them in a generic way. Thus, we introduce the EAP-AKA (SIM) payload notation (see Figure 9) to indicate that this payload can be an EAP-SIM or an EAP-AKA message.
• Upon receiving the first EAP-AKA (SIM) message, the PDG encapsulates it within an IKEv2 message and forwards the encapsulated message to the user. Except for the EAP-AKA (SIM) payload, this message also includes the PDG’s identity, which identifies the provided 3G services (W-APN) (see the Background section), the PDG’s certificate (CERT), and the AUTHr field. The latter contains signed data used by the user to authenticate the PDG. Similarly to the previous messages, the payload of this IKEv2 message, except for the message header, is encrypted using the IKE_SA.
• Upon receiving the EAP-AKA (SIM) payload, the user verifies the AUTHr field by using the public key of the PDG included in the certificate field (CERT), and answers by sending an EAP-AKA (SIM) response message encapsulated again within an IKEv2 message. From this point, the IKEv2 messages contain only EAP-AKA (SIM) payloads, which are encrypted and integrity protected as described previously.
• The EAP-SIM or EAP-AKA exchange continues, normally, until an EAP-SUCCESS message (or an EAP-FAILURE in case of a failure) is sent from the AAA server to the PDG, which ends the EAP-AKA or the EAP-SIM dialogue. Together with the EAP-SUCCESS message, the key MSK is sent from the AAA server to the PDG via the AAA protocol, as shown in Figure 9 (step 4).
• After finishing the EAP-AKA or EAP-SIM dialogue, the last step (step 5) of IKEv2 re-authenticates the peers, in order to establish an IPsec_SA. This authentication step is necessary in order to defeat man-in-the-middle attacks, which might take place because the authentication protocol (e.g., EAP-SIM or EAP-AKA) runs inside the secure protocol (e.g., IKEv2). This combination creates a security hole since the initiator and the responder have no way to verify that their peer in the authentication procedure is the entity at the other end of the outer protocol (Asokan, Niemi, & Nyberg, 2002). Thus, in order to prevent possible attacks against IKEv2 (i.e., man-in-the-middle attacks), both the user and the PDG have to calculate the AUTHi and the AUTHr payloads, respectively, using the MSK key that was generated from the EAP-SIM or EAP-AKA protocol. Then, both the user and the PDG send each other the AUTHi and AUTHr payloads to achieve a security binding between the inner protocol (EAP-SIM or EAP-AKA) and the outer protocol (IKEv2).
Note that the PDG together with the AUTHr established between these two nodes. This pair
payloadsendsalsoitstrafficselector deployspayloads
a bidirectional VPN between them that
(TSi and TSr), the SAr2 payload, which con- allows for secure data exchange over the underlying
tains the chosen cryptographic suit for the network path. At the same time, the user has been
IPsec_SA and the assigned user’s remote IP address in the Configuration Payload Reply (CP-REPLY) payload.
After the establishment of the IPsec_SA the keying material (KEYMAT) for this SA is calculated as follows:
KEYMAT = prf(SK_d, Ni | Nr),    (12)
where Ni and Nr are the nonces from the IKE_SA_INIT exchange, and SK_d is the key that is calculated from the SKEYSEED value (see eq. 11). The KEYMAT is used to extract the keys that the IPsec protocol uses for security purposes. Note that the deployed IPsec_SA protects the one-way communication between the user and the PDG. For bi-directional secure communication, one more SA needs to be established between them (the user and the PDG) by executing the IKEv2 phase 2 over the established IKE_SA.
Data Protection
After the completion of the authentication procedure and the execution of IKEv2 between the PDG and the user, a pair of IPsec_SAs has been
subscribed to the 3G PLMN network for charging and billing purposes using either the EAP-AKA or EAP-SIM protocol.
The deployed VPN runs on top of the wireless link and extends from the user’s computer to the PDG, which is located in the user’s home 3G PLMN (see Figure 1 and 10). It is based on IPsec (Kent & Atkinson, 1998a), which is a developing standard for providing security at the network layer. IPsec provides two choices of security service through two distinct security protocols: the Authentication Header (AH) protocol (Kent & Atkinson, 1998c), and the encapsulating security payload (ESP) protocol (Kent & Atkinson, 1998b). The AH protocol provides support for connectionless integrity, data origin authentication, and protection against replays, but it does not support confidentiality. The ESP protocol supports confidentiality, connectionless integrity, anti-replay protection, and optional data origin authentication. Both AH and ESP support two modes of operation: transport and tunnel. The transport mode of operation provides end-to-end protection between the communicating end points by encrypting the IP packet payload. The tunnel mode encrypts the entire IP packet (both IP header and payload) and encapsulates the encrypted original IP packet in the payload of a new IP packet.
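
The derivation in equation (12), carried through in code as an added example that is not part of the chapter. It uses the prf+ expansion and key ordering of RFC 4306 (Kaufman, 2005), which the chapter writes as prf, and assumes HMAC-SHA1 as the negotiated prf; the function names, key lengths and sample values are constructed for illustration.

```python
import hashlib
import hmac

PRF_HASH = hashlib.sha1            # assumption: PRF_HMAC_SHA1 was negotiated
PRF_LEN = PRF_HASH().digest_size   # 20 bytes, also the preferred prf key length


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated pseudo-random function (HMAC, RFC 2104)."""
    return hmac.new(key, data, PRF_HASH).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """RFC 4306 prf+: T1 = prf(K, S | 0x01), Tn = prf(K, Tn-1 | S | n)."""
    if length > 255 * PRF_LEN:
        raise ValueError("prf+ is defined for at most 255 blocks")
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = prf(key, block + seed + bytes([counter]))
        out += block
        counter += 1
    return out[:length]


def derive_sk_d(ni: bytes, nr: bytes, dh_secret: bytes,
                spi_i: bytes, spi_r: bytes) -> bytes:
    """SKEYSEED = prf(Ni | Nr, g^ir); SK_d is the first key cut from
    prf+(SKEYSEED, Ni | Nr | SPIi | SPIr)."""
    skeyseed = prf(ni + nr, dh_secret)
    return prf_plus(skeyseed, ni + nr + spi_i + spi_r, PRF_LEN)


def child_sa_keys(sk_d: bytes, ni: bytes, nr: bytes,
                  encr_len: int, integ_len: int) -> dict:
    """KEYMAT = prf+(SK_d, Ni | Nr), cut into ESP keys.

    RFC 4306 ordering: keys for the initiator-to-responder direction are
    taken first, and within one direction the encryption key precedes the
    integrity key.
    """
    keymat = prf_plus(sk_d, ni + nr, 2 * (encr_len + integ_len))
    names = ("encr_i2r", "integ_i2r", "encr_r2i", "integ_r2i")
    sizes = (encr_len, integ_len, encr_len, integ_len)
    keys, offset = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = keymat[offset:offset + size]
        offset += size
    return keys


def demo() -> dict:
    # Constructed sample values, not taken from any real exchange.
    ni, nr = bytes(range(32)), bytes(range(32, 64))
    sk_d = derive_sk_d(ni, nr, b"\x11" * 128, b"\x01" * 8, b"\x02" * 8)
    # ESP with a 16-byte cipher key (AES-128) and a 20-byte HMAC-SHA1 key.
    return child_sa_keys(sk_d, ni, nr, encr_len=16, integ_len=20)


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:10s} {key.hex()}")
```

Because the nonces are the only per-SA input besides SK_d, every SA negotiated under the same IKE_SA gets independent keys as long as the peers never reuse a nonce.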
In the deployed VPN of the WLAN 3GPP IP Access scenario, IPsec employs the ESP protocol and is configured to operate in the tunnel mode. Thus, the VPN provides confidentiality, integrity, data origin authentication, and anti-replay protection services protecting the payload and the header of the exchanged IP packets. From the two IP addresses (i.e., transport and remote IP address) of each authenticated user, the remote IP address serves as the inner IP address, which is protected by IPsec, and the transport IP address serves as the IP address of the new packets, which encapsulate the original IP packets and carry them between the user and the PDG (see Figure 10). Thus, an adversary cannot disclose, fabricate unnoticed, or perform traffic analysis on the data exchanged between the user and the PDG. Finally, IPsec can use different cryptographic algorithms (i.e., DES, 3DES, AES, etc.) depending on the level of security required by the two peers and the data that they exchange.
COMPARISON OF THE SCENARIOS
Based on the presentation of the two access scenarios (i.e., WLAN Direct IP Access and 3GPP IP Access) that integrate B3G networks and the analysis of the security measures that each one employs, this section provides a brief comparison of them. The comparison aims at highlighting the deployment advantages of each scenario and classifies them in terms of: (1) security, (2) mobility, and (3) reliability.
Regarding the provided security services, both scenarios support mutual authentication. In the WLAN Direct IP Access scenario, the authentication procedure employs either EAP-SIM or EAP-AKA, depending on the user’s subscription. However, both protocols present the same security weaknesses, which can be exploited by adversaries to perform several attacks such as identity spoofing, denial of service (DoS) attacks, replay attacks, and so forth (Arkko & Haverinen, 2006; Haverinen & Saloway, 2006). On the other hand, the authentication procedure of the 3GPP IP Access scenario is more secure, since it combines the aforementioned protocols (i.e., EAP-SIM and EAP-AKA) with IKEv2. Specifically, the PDG is authenticated using its certificate, and the user is authenticated using EAP-SIM or EAP-AKA. It is worth noting that since the EAP-SIM and EAP-AKA messages are encapsulated in protected IKEv2 messages, the identified security weaknesses associated with them are eliminated.
Regarding confidentiality and data integrity services, both scenarios protect sensitive data conveyed over the air interface. More specifically, in the WLAN Direct IP Access scenario, high level security services are provided only in cases that the CCMP security protocol is applied, since it incorporates the strong AES encryption algorithm. A downside of applying CCMP is that it requires hardware changes to the wireless APs, which might be replaced. In the WLAN 3GPP IP Access scenario, data encryption is applied at layer 2 (using WEP, TKIP, or CCMP) and layer 3 (using IPsec), simultaneously (see Figure 10). This duplicate encryption provides advanced security services to the data conveyed over the WLAN radio interface, but at the same time it may cause bandwidth consumption, longer delays, and energy consumption issues at the level of mobile devices.
Another deployment feature, which can be used for comparing the two scenarios, has to do with mobility. The WLAN Direct IP Access scenario may support user mobility by employing one of the mobility protocols proposed for seamless mobility in wireless networks (Saha, Mukherjee, Misra, & Chakraborty, 2004). On the other hand, in the WLAN 3GPP IP Access scenario, the established VPN between a user and the PDG adds an extra layer of complexity to the associated mobility management protocols of this scenario. This complexity arises from the fact that as the mobile user moves from one access network to another and his/her IP address changes, the mobility protocols must incorporate mechanisms that maintain, dynamically, the established VPN, enabling the notion of mobile VPN. An attempt to address this problem can be found in (Dutta et al., 2004), which designs and implements a secure universal mobility architecture, which incorporates standard mobility
management protocols, such as mobile IP for achieving mobile VPN deployment.
Finally, the deployed IPsec-based VPNs between the users and the PDG in the 3GPP IP Access scenario may raise reliability issues. Reliability is perceived as the ability to use VPN services at all times, and it is highly related to the network connectivity and the capacity of the underlying technology to provide VPN services. In the 3GPP IP Access scenario, all data traffic passes through the VPN tunnels that extend from the users to the PDG. The number of the deployed VPNs can grow significantly, due to the fact that each user can establish multiple VPNs at the same time to access different services. Thus, the PDG must be able to support a large number of simultaneous VPNs in order to provide reliable security services.
CONCLUSION
This chapter has analyzed the security architectures employed in the interworking model that integrates 3G and WLANs, materializing B3G networks. The integrated architecture of B3G networks specifies two different network access scenarios: (1) the WLAN Direct IP Access, and (2) the WLAN 3GPP IP Access. The first scenario provides a user with a connection to the public Internet or to an intranet via the WLAN-AN. In this scenario both the user and the network are authenticated to each other using EAP-SIM or EAP-AKA, depending on the user’s subscription. Moreover, the confidentiality and integrity of the user’s data transferred over the air interface are ensured by the 802.11i security framework. On the other hand, the WLAN 3GPP IP Access scenario allows a user to connect to the PS services (like WAP, MMS, LBS, etc.) or to the public Internet through the 3G PLMN. In this scenario, the user is authenticated to the 3G PLMN using EAP-SIM or alternatively EAP-AKA encapsulated within IKEv2, while the network is authenticated to the user using its certificate. In addition, the execution of IKEv2 is used for the establishment of an IPsec-based VPN between the user and the network that provides extra confidentiality and integrity services to the data exchanged between them.
ACKNOWLEDGMENT
Work supported by the project CASCADAS (IST-027807) funded by the FET Program of the European Commission.
REFERENCES
3rd Generation Partnership Project (3GPP) TS 22.100. (v3.7.0). (2001). UMTS Phase 1 Release ’99. Sophia Antipolis Cedex, France: Author.
3rd Generation Partnership Project (3GPP) TS 23.060. (V7.9.0). (2002). GPRS service description, Stage 2. Sophia Antipolis Cedex, France: Author.
3rd Generation Partnership Project (3GPP) TS 23.234 (v7.3.0). (2006). 3GPP system to WLAN interworking. System description. Release 7. Sophia Antipolis Cedex, France: Author.
3rd Generation Partnership Project (3GPP) TS 33.234 (v7.2.0). (2006). 3G security and WLAN interworking security. System description. Release 7. Sophia Antipolis Cedex, France: Author.
Aboba, B., & Beadles, M. (1999). The network access identifier (RFC 2486). Retrieved from http://tools.ietf.org/html/rfc2486
Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., & Levkowetz, H. (2004). The extensible authentication protocol (RFC 3748). Retrieved from http://www.ietf.org/rfc/rfc3748.txt
Arkko, J., & Haverinen, H. (2006). EAP-AKA authentication (RFC 4187). Retrieved from http://www.rfc-editor.org/rfc/rfc4187.txt
Asokan, N., Niemi, V., & Nyberg, K. (2002). Man-in-the-middle in tunneled authentication protocols. Cryptology ePrint Archive, Report 2002/163. Retrieved from http://eprint.iacr.org/2002/163
Borisov, N., Goldberg, I., & Wagner, D. (2001, July). Intercepting mobile communications: The insecurity of 802.11. Paper presented at the 7th ACM/IEEE International Conference on Mobile Computing and Networking (MOBICOM), Rome, Italy.
Calhoun, P., Loughney, J., Guttman, E., Zorn, G., & Arkko, J. (2003). Diameter base protocol (RFC 3588). Retrieved from http://www.rfc-editor.org/rfc/rfc3588.txt
Dutta, A., Zhang, T., Madhani, S., Taniuchi, K., Fujimoto, K., Katsube, Y., et al. (2004, October). Secure universal mobility for wireless Internet. In Proceedings of the 2nd ACM international workshop on Wireless mobile applications and services on WLAN hotspots (WMASH), Philadelphia, PA.
Eastlake, D., & Jones, P. (2001). US secure hash algorithm 1 (SHA1) (RFC 3174). Retrieved from http://www.ietf.org/rfc/rfc3174.txt
Eronen, P. (2006). IKEv2 mobility and multihoming protocol (MOBIKE) (RFC 4555). Retrieved from http://www.ietf.org/rfc/rfc4555.txt
European Telecommunications Standards Institute (ETSI) TS 100 922 (v7.1.1). (1999). Subscriber identity modules (SIM) functional characteristics.
Harkins, D., & Carrel, D. (1998). The Internet key exchange (IKE) (RFC 2409). Retrieved from http://faqs.org/rfcs/rfc2409.html
Haverinen, H., & Saloway, J. (2006). EAP-SIM authentication (RFC 4186). Retrieved from http://www.ietf.org/rfc/rfc4186.txt
IEEE std 802.11 (1999). Wireless LAN medium access control (MAC) and physical layer (PHY) specifications.
IEEE std 802.11i. (2004). Wireless medium access control (MAC) and physical layer (PHY) specifications: Medium access control (MAC) security enhancements.
IEEE std 802.1X. (2004). Port based access control.
Kaufman, C. (2005). The Internet key exchange (IKEv2) protocol (RFC 4306). Retrieved from http://www.rfc-editor.org/rfc/rfc4306.txt
Kent, S., & Atkinson, R. (1998a). Security architecture for Internet protocol (RFC 2401). Retrieved from http://www.faqs.org/rfcs/rfc2401.html
Kent, S., & Atkinson, R. (1998b). IP encapsulating security payload (ESP) (RFC 2406). Retrieved from http://www.faqs.org/rfcs/rfc2406.html
Kent, S., & Atkinson, R. (1998c). IP authentication header (RFC 2402). Retrieved from http://www.rfc-editor.org/rfc/rfc2402.txt
Kivinen, T., & Tschofenig, H. (2006). Design of the Mobike protocol (RFC 4621). Retrieved from http://www.ietf.org/rfc/rfc4621.txt
Krawczyk, H., Bellare, M., & Canetti, R. (1997). HMAC: Keyed-hashing for message authentication (RFC 2104). Retrieved from http://www.faqs.org/rfcs/rfc2104.html
Laat, C., Gross, G., Gommans, L., Vollbrecht, J., & Spence, D. (2000). Generic AAA architecture (RFC 2903). Retrieved from http://isc.faqs.org/rfcs/rfc2903.html
Rigney, C., Rubens, A., Simpson, W., & Willens, S. (1997). Remote authentication dial in user services (RADIUS) (RFC 2138). Retrieved from http://tools.ietf.org/html/rfc2138
Saha, D., Mukherjee, A., Misra, I. S., & Chakraborty, M. (2004). Mobility support in IP: A survey of related protocols. IEEE Network, 18(6), 34-40.
Whiting, D., Housley, R., & Ferguson, N. (2003). Counter with CBC MAC (CCM) (RFC 3610). Retrieved from http://www.ietf.org/rfc/rfc3610.txt
Xenakis, C., & Merakos, L. (2004). Security in third generation mobile networks. Computer Communications, 27(7), 638-650.
Chapter XX
Security in UMTS 3G Mobile Networks
Christos Xenakis
University of Piraeus, Greece
ABSTRACT
This chapter analyzes the security architecture designed for the protection of the universal mobile telecommunication system (UMTS). This architecture is built on the security principles of second generation (2G) systems with improvements and enhancements in certain points in order to provide advanced security services. The main objective of the third generation (3G) security architecture is to ensure that all information generated by or relating to a user, as well as the resources and services provided by the serving network and the home environment are adequately protected against misuse or misappropriation. Based on the carried analysis, the critical points of the 3G security architecture, which might cause network and service vulnerability, are identified. In addition, the current research on the UMTS security and the proposed enhancements that aim at improving the UMTS security architecture are briefly presented and analyzed.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
mobility implies higher security risks compared to those encountered in fixed networks. The advanced wireless and wired network infrastructure, which supports higher access rates, and the complex network topologies, which enable “anywhere-anytime” connectivity, may increase the number and the ferocity of potential attacks. Furthermore, the potential intruders are able to launch malicious attacks from mobile devices with enhanced processing capabilities, which are difficult to trace. To defeat the possible vulnerable points, UMTS has incorporated a specific security architecture named as 3G security architecture.
This chapter analyzes the security architecture designed for the protection of UMTS. This architecture is built on the security principles of second generation (2G) systems with improvements and enhancements in certain points in order to provide advanced security services. The main objective of the 3G security architecture is to ensure that all information generated by or relating to a user, as well as the resources and services provided by the serving network (SN) and the home environment (HE) are adequately protected against misuse or misappropriation. Based on the carried analysis, the critical points of the 3G security architecture, which might cause network and service vulnerability, are identified. In addition, the current research on the UMTS security and the proposed enhancements that aim at improving the UMTS security architecture are briefly presented and analyzed.
The rest of this chapter is organized as follows. The next section outlines the UMTS network architecture and the 3G security architecture. The third section elaborates on the network access security features, and the fourth section examines the network domain security. The fifth section presents the user domain security, the application domain security, the visibility of security operation and configurability, and the network-wide confidentiality option. The sixth section analyzes potential weaknesses concerning the 3G security architecture and the seventh section presents the current research on the UMTS security. Finally, the last section contains the conclusions.
Network access security is a key component in the 3G security architecture. This class deals with the set of security mechanisms that provide users with secure access to 3G services, as well as protect against attacks on the radio interface. Such mechanisms include: (1) user identity confidentiality, (2) authentication and key agreement, (3) data confidentiality, and (4) integrity protection of signaling messages. Network access security takes place independently in each service domain.
User Identity Confidentiality
User identity confidentiality allows the identification of a user on the radio access link by means of a temporary mobile subscriber identity (TMSI). This implies that confidentiality of the user identity is protected almost always against passive eavesdroppers. Initial registration is an exceptional case where a temporary identity cannot be used, since the network does not yet know the permanent identity of the user.
The allocated temporary identity is transferred to the user once the encryption is turned on. A TMSI in the circuit switched (CS) domain or P-
Authentication and key agreement mechanism achieves mutual authentication between the mobile user and the SN showing knowledge of a secret key (K), as well as derives ciphering and integrity keys. The authentication method is composed of a challenge/response protocol (see Figure 3) and was chosen in such a way as to achieve maximum compatibility with the GSM/GPRS security architecture facilitating the migration from GSM/GPRS to UMTS. Furthermore, the user service identity module (USIM) (3GPP TS 22.100, 2001) and the HE keep track of counters SQN_MS and SQN_HE, respectively, to support the network authentication. The sequence number SQN_HE is an individual counter for each user, while the SQN_MS denotes the highest sequence number that the USIM has accepted. Whenever the SQN_HE is not in the correct range, the mobile station decides that a synchronization failure has occurred in the HE and consequently initiates a resynchronization to the HE.
Upon receipt of a request from the VLR/SGSN, the HE authentication center (HE/AuC) forwards an ordered array of authentication vectors (AV) to the VLR/SGSN. Each AV, which is used in the authentication and key agreement procedure
[Figure 4: AV generation by the HE/AuC. Labels: SQN, RAND, AMF; functions f1, f2, f3, f4, f5; outputs MAC, XRES, CK, IK, AK]
between the VLR/SGSN and the USIM consists of a random number (RAND), an expected response (XRES), a cipher key (CK), an integrity key (IK), and an authentication token (AUTN).
Figure 4 shows an AV generation by the HE/AuC. The HE/AuC starts with generating a fresh sequence number (SQN), which proves to the user that the generated AV has not been used before, and an unpredictable challenge RAND. Then, using the secret key (K) it computes:
• The Message Authentication Code (MAC) = f1_K (SQN || RAND || AMF), where f1 is a message authentication function and the authentication and key management field (AMF) is used to fine tune the performance or bring a new authentication key stored in the USIM into use.
• The expected response XRES = f2_K (RAND), where f2 is a (possibly truncated) message authentication function.
• The cipher key CK = f3_K (RAND),
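
The vector generation above, together with the USIM-side freshness check on SQN_MS described earlier, as an added example that is not part of the chapter. The functions f1 to f5 are HMAC-SHA-256 stand-ins (not MILENAGE or any 3GPP algorithm set); the AUTN layout (SQN xor AK || AMF || MAC) and the field sizes follow 3GPP TS 33.102, while the class names, the DELTA window and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _f(label: int, k: bytes, data: bytes, out_len: int) -> bytes:
    """Stand-in for the operator functions f1..f5, keyed with K."""
    return hmac.new(k, bytes([label]) + data, hashlib.sha256).digest()[:out_len]


def f1(k, sqn, rand, amf): return _f(1, k, sqn + rand + amf, 8)   # MAC
def f2(k, rand): return _f(2, k, rand, 8)                          # XRES / RES
def f3(k, rand): return _f(3, k, rand, 16)                         # CK
def f4(k, rand): return _f(4, k, rand, 16)                         # IK
def f5(k, rand): return _f(5, k, rand, 6)                          # AK


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class AuthVector:
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes


class HomeAuC:
    """HE/AuC side: holds K and the per-user counter SQN_HE."""

    def __init__(self, k: bytes, sqn_he: int = 0, amf: bytes = b"\x00\x00"):
        self.k, self.sqn_he, self.amf = k, sqn_he, amf

    def generate_av(self, rand: bytes = None) -> AuthVector:
        self.sqn_he += 1                       # fresh sequence number
        sqn = self.sqn_he.to_bytes(6, "big")
        rand = rand or os.urandom(16)          # unpredictable challenge
        mac = f1(self.k, sqn, rand, self.amf)
        # AK conceals SQN so that the counter does not identify the user.
        autn = xor(sqn, f5(self.k, rand)) + self.amf + mac
        return AuthVector(rand, f2(self.k, rand), f3(self.k, rand),
                          f4(self.k, rand), autn)


class MacFailure(Exception):
    """AUTN was not produced by a party that knows K."""


class SyncFailure(Exception):
    """SQN is outside the accepted range; the USIM would resynchronize."""


class Usim:
    DELTA = 32   # assumed acceptance window above SQN_MS

    def __init__(self, k: bytes, sqn_ms: int = 0):
        self.k, self.sqn_ms = k, sqn_ms

    def authenticate(self, rand: bytes, autn: bytes):
        concealed, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn = xor(concealed, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, sqn, rand, amf)):
            raise MacFailure("network authentication failed")
        n = int.from_bytes(sqn, "big")
        if not self.sqn_ms < n <= self.sqn_ms + self.DELTA:
            raise SyncFailure("stale or out-of-range SQN")
        self.sqn_ms = n                        # highest SQN accepted so far
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


if __name__ == "__main__":
    k = bytes(range(16))                       # constructed 128-bit key K
    auc, usim = HomeAuC(k), Usim(k)
    av = auc.generate_av()
    res, ck, ik = usim.authenticate(av.rand, av.autn)
    print("RES matches XRES:", res == av.xres)
    try:
        usim.authenticate(av.rand, av.autn)    # same vector presented again
    except SyncFailure as exc:
        print("replayed vector rejected:", exc)
```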
[Figure 5: f8 keyed with CK produces a KEYSTREAM BLOCK at both the sender (UE or RNC) and the receiver (RNC or UE)]
RNC on the network side. The f8 is a symmetric synchronous stream cipher algorithm that is used to encrypt frames of variable length. The main input to the f8 is a 128-bit secret cipher key CK. Additional inputs, which are used to ensure that two frames are encrypted using different keystreams, are a 32-bit value COUNT, a 5-bit value BEARER, and a 1-bit value DIRECTION (see Figure 5). The output is a sequence of bits (the “keystream”) of the same length as the frame. The frame is encrypted by XORing the data with the keystream. For UMTS R99, f8 is based on the Kasumi algorithm (3GPP TR 33.908, 2000).
Integrity Protection of Signaling Messages
The radio interface in 3G mobile systems has also been designed to support integrity protection on the signaling channels. This enables the receiving entity to be able to verify that the signaling data have not been modified in an unauthorized way since they were sent. Furthermore, it ensures that the origin of the received signaling data is indeed the one claimed. The integrity protection mechanism is not applied for the user plane due to performance reasons.
The function (f9) is used to authenticate the integrity and the origin of signaling data between the MS and the RNC in UMTS. It computes a 32-bit MAC (see Figure 6), which is appended to the frame and is checked by the receiver. The main inputs to the algorithm are a 128-bit secret IK and the variable-length frame content MESSAGE. Additional inputs, which are used to ensure that MACs for two frames with identical content are different, are a 32-bit value COUNT, a 32-bit value FRESH, and a 1-bit value DIRECTION. In the UMTS R99, the f9 is based on the Kasumi algorithm (3GPP TR 33.908, 2000).
NETWORK DOMAIN SECURITY
Network domain security (NDS) features ensure that signaling exchanges within the UMTS core as well as in the whole wireline network are protected. Various protocols and interfaces are used for the control plane signaling inside, and between core networks, such as the mobile application part (MAP) and the GPRS tunneling protocol (GTP) protocols, and the Iu (IuPS, IuCS) and Iur interfaces (3GPP TS 23.002, 2002). These will be protected by standard procedures based on the existing cryptographic techniques. Specifically, the IP-based protocols shall be protected at network level by means of IP security (IPsec) (Kent & Atkinson, 1998), while the realization of protection for the signaling system 7 (SS7)-based protocols and the Iu and Iur interfaces shall be accomplished at the application layer. In the following, the NDS context for IP-based (3GPP TS 33.210, 2002) and SS7-based (3GPP TS 33.200, 2002) protocols is presented. Moreover, the employment of traditional security technologies, originally designed for fixed networking, such as firewalls and static virtual private networks (VPNs), is examined. The application of these technologies safeguards the UMTS core network from external attacks and protects users’ data when they are conveyed over the public Internet.
Figure 6. Derivation of MAC on a signaling message [figure: the sender (UE or RNC) applies f9 under IK to produce MAC-I; the receiver (RNC or UE) applies f9 under IK to produce XMAC-I]
transport is based only on IP, then security may be provided either at the network layer exclusively using IPsec or in a combination of the application and network layer. For signaling protection at the application layer the necessary SAs will be network-wide and they are negotiated by KAC similarly to the IP-based architecture (see Figure 8). End-to-end protected signaling will be indistinguishable from unprotected signaling traffic to all parties, except for the sending and receiving sides.
It is worth noting that in Rel-4 the only protocol that is to be protected is the MAP. The complete set of enhancements and extensions that facilitate the MAP security is termed MAPsec (3GPP TS 33.200, 2002). The MAPsec covers the security management procedures, as well as the security of the transport protocol including data integrity, data origin authentication, anti-replay protection, and confidentiality. Finally, for IKE adaptation a specific Domain of Interpretation is required.
Traditional Network Security Features
Besides the security features that are included in the 3G security architecture, the mobile network operators can apply traditional security technologies used in terrestrial networking to safeguard the UMTS core network as well as the inter-network communications. User data in the UMTS backbone network are conveyed in clear-text exposing them to various external threats. Moreover, inter-network communications are based on the public Internet, which enables IP spoofing to any malicious third party who gets access to it. In order to defeat these vulnerable points, the mobile operators can use two complementary technologies: firewalls and VPNs (Gleeson, Lin, Heinanen, Armitage, & Malis, 2000).
Firewalls can be characterized as a technology providing a set of mechanisms to enforce a security policy on data from and to a corporate network. They are established at the borders of the core network allowing traffic originating from specific foreign IP addresses. Thus, firewalls protect the UMTS backbone from unauthorized penetration. Furthermore, application firewalls prevent direct access through the use of proxies for services, which analyze application commands, perform authentication, and keep logs.
Since firewalls do not provide privacy and confidentiality, VPNs have to complement them to protect data in transit. A VPN establishes a secure tunnel between two points, encapsulates and encrypts data, and authenticates and authorizes user access of the corporate resources on the network. Thus, VPNs extend dedicated connections between remote branches or remote access to mobile users, over a shared infrastructure. Implementing a VPN makes security issues such as confidentiality, integrity, and authentication paramount. There is a
Wireless Application Protocol (WAP) is a suite of standards for delivery and presentation of Internet services on wireless terminals, taking into account the limited bandwidth of mobile networks as well as the limited processing capabilities of mobile devices. It separates the network in two domains (i.e., the wireless and the Internet domain) and introduces a WAP gateway that translates the protocols used in each domain. The WAP architecture has been standardized in two releases (ver. 1.2.1 and ver. 2.0) (Wireless Application Forum, n.d.).
In WAP 1.2.1 (see Figure 9a), security is applied by using the wireless transport layer security (WTLS) protocol (Wireless Application Forum, n.d.) over the wireless domain and the transport layer security (TLS) protocol over the Internet domain. WTLS, which is based on TLS, provides peer authentication, data integrity, data privacy, and protection against denial-of-service in an optimized way for use over narrow-band communication channels. However, WAP 1.2.1 does not support end-to-end security, since the conveyed data are protected by two separate security channels (i.e., WTLS security channel and TLS security channel).
On the other hand, WAP 2.0 (see Figure 9b) introduces the Internet protocol stack into the WAP environment. It allows a range of different gateways, which enable conversion between the two protocol stacks anywhere from the top to the bottom of the stack. A TCP-level gateway allows for two versions of TCP, one for the wired and another for the wireless network domain. On the top of the TCP layer, TLS can establish a secure channel all the way from the MS to the remote server. Thus, the availability of a wireless profile for TLS enables end-to-end security allowing interoperability for secure transactions.
Security Visibility and Configurability
Although the security measures provided by the SN should be transparent to the end user, visibility of the security operations as well as the supported security features should be provided. This may include: (1) indication of access network encryption; (2) indication of network wide encryption; and (3) indication of the level of security (e.g., when a user moves from 3G to 2G).
Configurability enables the mobile user and the HE to configure whether a service provision should depend on the activation of certain security features. A service can only be used when all the relevant security features are in operation. The configurability features that are suggested include: (1) enabling/disabling user-USIM authentication for certain services; (2) accepting/rejecting incoming non-ciphered calls; (3) setting up or not setting up non-ciphered calls; and (4) accepting/rejecting the use of certain ciphering algorithms.
Network-Wide User Data Confidentiality
Network-wide confidentiality is an option that provides a protected mode of transmission of user data across the entire network. It protects data against eavesdropping on every link within the network and not only on the vulnerable radio links. Whenever network-wide confidentiality is applied, access link confidentiality on user data between the MS and the RNC is disabled to avoid replication. However, access link confidentiality for signaling information as well as user identity confidentiality are retained to facilitate the establishment of the encryption process. In Figure 10, the network-wide encryption deployment is depicted.
Network-wide confidentiality uses a synchronous stream cipher algorithm similar to that employed in the access link encryption. Initially, a data channel is established between the communicating peers indicating also the intention for network-wide encryption. VLRa and VLRb exchange cipher keys (Ka and Kb) for users a and b, respectively, using cross boundaries signaling protection, and then, pass them to the MSs over protected signaling channels. When each MS has received the other party’s key, the end-to-end session key, Ks, is calculated as a function of Ka and Kb. Alternatively, VLRs can mutually agree on the Ks using an appropriate key agreement protocol. Both key management schemes satisfy the lawful interception requirement, since Ks can be generated by the VLRs.
was generated by the HE. On the other hand, he/she cannot determine if an authentication vector was requested by the SN, since the authentication vector could have been requested by any SN. Thus, the adversary owning a false base/mobile station device (i.e., a device that emulates a base station and a mobile station) can impersonate a genuine base station and entice a legitimate user to camp on the radio channels of the false base station. The adversary can also impersonate a legitimate mobile station and establish a connection with a genuine base station. This fact allows the adversary to relay messages in between a legitimate mobile station and a genuine base station realizing the redirection attack. This attack represents a real threat since the security levels provided by different networks are not always the same. In addition, it could cause billing problems as the service rates offered by different networks are not always the same, either.
The second security flaw that is related to the UMTS authentication (Zhang & Fang, 2005) allows an adversary to use the authentication vectors corrupted from one network to impersonate other networks. When a network is corrupted, an adversary could forge an authentication data request from the corrupted network to obtain authentication vectors for any user, independent of the actual location of the user. Then, the adversary could use the obtained authentication vectors to impersonate uncorrupted networks and to mount false base station attacks against legitimate users. Therefore, the corruption of one network may jeopardize the entire system. For this reason, it is critical that security measures are in place in every network.
The application of firewalls in 3G systems presents some weaknesses since they were originally conceived to address security issues for fixed networks. Firewalls attempt to protect the clear-text transmitted data in the UMTS backbone from external attacks, but they are inadequate against attacks that originate from other mobile network malicious subscribers, as well as from network operator personnel or any other third party that gets access to the UMTS core network. Mobility may imply roaming between networks and operators possibly changing the source address, which because of the static configuration of firewalls may potentially lead to discontinuity of service connectivity for the mobile user. Moreover, the firewalls’ security value is limited because they allow direct connection to ports and cannot distinguish services.
Similarly to firewalls, the VPN technology fails to provide the necessary flexibility required by typical mobile users. Currently, VPNs for UMTS subscribers are established in a static manner between the border gateway of a UMTS network and a remote security gateway of a corporate private network. This fact allows the realization of VPNs only between a security gateway of a large organization and a mobile operator, when a considerable amount of traffic requires protection. Thus, this scheme can provide VPN services neither to individual mobile users that may require on demand VPN establishment, nor to enterprise users that may roam internationally. In addition, static VPNs have to be reconfigured every time the VPN topology or VPN parameters change.
On the other hand, if a mobile user uses the WAP architecture (ver. 1.2.1), data privacy is not guaranteed. Although encryption is used, the WAP gateway constitutes a security hole since inside the gateway data are transmitted un-encrypted. WTLS is only used between the mobile device and the gateway, while TLS can be used between the gateway and the Web server. From a security point of view, the gateway should be considered as an entity-in-the-middle. This means that data exchanged may be available to people with privileged access to the WAP gateway and thus, the privacy of the data depends on the gateway’s internal security policy.
WAP 2.0 does address the “gap” in security caused by protocol translation at the WAP gateway of the previous version (ver. 1.2.1). However, the mobile phone would have to use an IP protocol stack at the expense of larger latency and bandwidth consumption. Although TLS can be used to secure the communication of any application, it must be integrated into the application and thus, to a large extent it is used for Web-based applications. Interaction with the end user is needed, for example, to check with whom a secure session has
been established or to explicitly request the client to authenticate with the server. TLS is generally a resource consuming protocol for deployment in mobile devices with limited processing capabilities and low bandwidth/high latency wireless networks. Moreover, the operation overhead may be increased by complex key-exchange procedures in case the protected service contains cross-references to other services.

Finally, the network-wide encryption may also encounter problems when transcoding is used. Voice calls may need to be transcoded when they cross network borders, meaning that voice data may have to undergo change such as bit-rate change or some other transformation. It is not possible to apply such transformation on an encrypted signal, which implies that the signal has to be decrypted before transcoding. Furthermore, the network-wide confidentiality lacks flexibility and it is not applicable to all types of service in different mobile scenarios. Specifically, it is limited to protecting the communication between mobile subscribers.

CURRENT RESEARCH ON UMTS SECURITY

The weak points of the UMTS security architecture may lead to compromises of end users and network security of the UMTS system. These compromises may influence the system deployment and the users’ trend to utilize UMTS for the provision of advanced multimedia services, which realizes the concept of mobile Internet. In the following, the current research on the UMTS security and the proposed enhancements that aim at improving the UMTS security architecture are briefly presented and analyzed.

Identity Confidentiality

To limit the exposure of the permanent identities (IMSI) of mobile users over the vulnerable radio interface, the additional usage of two complementary temporary identities for each mobile subscriber that is attached to the network has been proposed (Xenakis & Merakos, 2004b). One of these temporary identities will reside at the SN (TMSIALT), and the second one at the home network of the mobile user (TMSIHE). When the VLR of the SN fails to page a mobile user using the current TMSI, it can try to page him/her using the alternative temporary identity (TMSIALT), which also resides in the VLR. In case of a VLR database failure or a corruption of the temporary identities (i.e., TMSI and TMSIALT) that reside in the VLR, the VLR requests the temporary identity (i.e., TMSIHE) from the home network by which it can page the mobile user. This identity resides in the user’s home network in order to avoid a possible corruption after a database (VLR) failure. In case that none of the TMSI is valid or all of them are corrupted, the user is not attached to the network.

Both the additional temporary identities (i.e., TMSIALT and TMSIHE) derive from the current TMSI. The latter consists of four octets and its generation procedure is chosen by the mobile operator. However, some general guidelines are applied in all implementations in order to avoid double allocation of TMSIs, after a restart of the allocating node (i.e., VLR or SGSN). For this reason, some part of the TMSI may be related to the time when it was allocated or contain a bit field, which is changed when the allocating node has recovered from the restart. After the generation of a TMSI, the allocating node applies two individual hash functions (i.e., HASHALT and HASHHE), which produce the corresponding TMSIALT and TMSIHE, respectively. Then, the allocating node forwards the three temporary identities to the involved mobile user and the TMSIHE to its home network. In cases that the home and the SN are the same, the TMSIHE can be stored in HLR, which is not affected by the reasons that corrupt the other two temporary identities. Finally, each time that the current TMSI is renewed, the two additional temporary identities change in order to eliminate the possibility of an adversary to link them to the permanent user’s identity.

Authentication and Key Agreement

To address the security issues involved with the authentication and key agreement procedure Zhang
and Fang (2005) have proposed an adaptive protocol for mobile authentication and key agreement, called AP-AKA. The proposed protocol can defeat the redirection attack and may drastically lower the impact of network corruption. An overview of AP-AKA is shown in Figure 11.

The AP-AKA protocol retains the framework of the legacy authentication and key agreement, but eliminates the synchronization required between the mobile station and its home network (i.e., SQN_MS and SQN_HE). In AP-AKA, each mobile station and its home network share an authentication key K and three cryptographic algorithms F, G, and H, where F and H are MACs and G is a key generation function. In practice, the authentication key is usually generated by the home network and programmed into the mobile station during service provisioning. Unlike the legacy authentication and key agreement, the home network in AP-AKA does not maintain a dynamic state, for example, the counter, for each individual subscriber. The mobile station can verify whether an AV was indeed requested by a SN and was not used before by the SN. The AP-AKA protocol specifies a sequence of six flows. Each flow defines a message type and format sent or received by an entity. Depending on the execution environment, entities have the flexibility of adaptively selecting flows for execution, and thus the AP-AKA is called an adaptive protocol.

User Data Security

Another weakness of the current UMTS security architecture that can be overcome is related to the lack of effective protection of user data in the fixed part of the UMTS network. To address this problem, two alternative security solutions, which are based on existing security technologies, can be used: (1) the application layer security, and (2) the establishment of mobile VPNs, dynamically, that satisfy users’ needs.

Application layer security solutions integrate security into applications at the level of end users. The most prominent protocol that provides security at this layer for the Internet technology is the Secure Sockets Layer (SSL) protocol (Gupta & Gupta, 2001). SSL supports server authentication using certificates, data confidentiality, and message integrity. Since SSL is relatively “heavy” for implementations on mobile devices, which are characterized by limited processing capabilities, a lightweight version of SSL named “KiloByte” SSL (KSSL) has been proposed (Gupta & Gupta, 2001). This SSL implementation (KSSL) provides an advantage by enabling mobile devices (UMTS MS) to communicate directly and securely with a considerable number of Internet Web servers that support SSL.
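
The alternative temporary identities proposed under Identity Confidentiality above can be sketched as follows. This is an added example, not code from Xenakis and Merakos or from the chapter: the two hash functions are stood in for by labelled, truncated SHA-256, the 2-bit restart field in the TMSI is an assumed layout, and the IMSI is constructed.

```python
import hashlib
import os


def allocate_tmsi(restart_epoch):
    """4-octet TMSI: the top 2 bits carry a restart counter (assumed layout)."""
    body = int.from_bytes(os.urandom(4), "big") & 0x3FFFFFFF
    return (((restart_epoch & 0x3) << 30) | body).to_bytes(4, "big")


def hash_alt(tmsi):  # stand-in for HASH_ALT (assumption: labelled SHA-256)
    return hashlib.sha256(b"ALT" + tmsi).digest()[:4]


def hash_he(tmsi):   # stand-in for HASH_HE (assumption: labelled SHA-256)
    return hashlib.sha256(b"HE" + tmsi).digest()[:4]


class MobileStation:
    def __init__(self, identities):
        self.identities = set(identities)   # TMSI, TMSI_ALT, TMSI_HE

    def answers(self, identity):
        return identity in self.identities


class VLR:
    def __init__(self, home_store):
        self.home_store = home_store         # IMSI -> TMSI_HE, kept at home
        self.records = {}                    # IMSI -> (TMSI, TMSI_ALT)
        self.restart_epoch = 0

    def allocate(self, imsi):
        tmsi = allocate_tmsi(self.restart_epoch)
        alt, he = hash_alt(tmsi), hash_he(tmsi)
        self.records[imsi] = (tmsi, alt)
        self.home_store[imsi] = he           # forwarded to the home network
        return tmsi, alt, he                 # all three go to the mobile user

    def restart(self):
        """Database failure: local identities are lost, restart field changes."""
        self.records.clear()
        self.restart_epoch += 1

    def page(self, imsi, ms):
        """Try TMSI, then TMSI_ALT, then TMSI_HE; None means not attached."""
        candidates = list(zip(("TMSI", "TMSI_ALT"), self.records.get(imsi, ())))
        if imsi in self.home_store:
            candidates.append(("TMSI_HE", self.home_store[imsi]))
        for name, identity in candidates:
            if ms.answers(identity):
                return name
        return None


def paging_demo():
    imsi, home = "001010000000001", {}       # constructed IMSI
    vlr = VLR(home)
    ms = MobileStation(vlr.allocate(imsi))
    used = [vlr.page(imsi, ms)]              # current TMSI is valid
    tmsi, alt = vlr.records[imsi]
    vlr.records[imsi] = (bytes(b ^ 0xFF for b in tmsi), alt)  # TMSI corrupted
    used.append(vlr.page(imsi, ms))
    vlr.restart()                            # VLR database failure
    used.append(vlr.page(imsi, ms))
    old = ms.identities
    ms = MobileStation(vlr.allocate(imsi))   # renewal after recovery
    unlinkable = old.isdisjoint(ms.identities)
    epoch_bits = vlr.records[imsi][0][0] >> 6
    vlr.restart()
    home.clear()                             # nothing valid anywhere
    used.append(vlr.page(imsi, ms))
    return used, unlinkable, epoch_bits


if __name__ == "__main__":
    print(paging_demo())
```

The paging order falls back from TMSI to TMSI_ALT to TMSI_HE, and a renewal replaces all three identities at once, so none of the old values remains usable for linking.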
An alternative approach to the previous solutions that employ security at the application layer pertains to those that employ security at the network layer. The most prominent technique for providing security at the network layer is IPsec (Kent & Atkinson, 1998). As a network layer security mechanism, IPsec protects traffic on a per connection basis and thus, is independent from the applications that run above it. In addition, IPsec is used for implementation of VPNs (Gleeson et al., 2000). An IPsec-based VPN is used for the authentication and the authorization of user access to corporate resources, the establishment of secure tunnels between the communicating parties and the encapsulation and protection of the data transmitted by the network. On-demand VPNs that are tailored to specific security needs are especially useful for UMTS users, which require any-to-any connectivity in an ad hoc fashion. Regarding the deployment of VPNs over the UMTS infrastructure, three alternative security schemes have been proposed: (1) the end-to-end (Xenakis & Merakos, 2004a), (2) the network-wide (Xenakis & Merakos, 2006), and (3) the border-based (Xenakis, Loukas, & Merakos 2006). These schemes mainly differ in the position where the security functionality is placed within the UMTS network architecture (MS, RNC, and GGSN), and whether data in transit are ever in cleartext or available to be tapped by outsiders.

The end-to-end security scheme integrates the VPN functionality into the communicating peers, which negotiate and apply security. More specifically, an MS and a remote security gateway (SG) of a corporate private network establish a pair of IPsec SAs between them, which are extended over the entire multi-nature communication path, as shown in Figure 12. Thus, sensitive data are secured as they leave the originator site (MS or SG) and remain protected while they are conveyed over the radio interface, the GPRS backbone network, and the public Internet, eliminating the possibilities of being intercepted or altered by anyone.

The deployed end-to-end VPN has no interrelation with the underlying network operation
and the provided network connectivity. It operates above the network layer and thus, the security parameters, which are contained within the IPsec SA, are not affected by the MS movement. For this reason the MS may freely move within the UMTS coverage area maintaining network connectivity and VPN service provision. The UMTS mobility management procedures keep track of the user location and therefore, the incoming packets are routed to the MS. On the other hand, the end-to-end security scheme is not compatible with the legal interception option or any other application that requires access to the traversing data within the mobile network. The enforcement of network security policy, traditionally performed by border firewalls, is devolved to end hosts, which establish VPN overlays. Despite this, the border firewalls remain to perform packet filtering and counteract against denial of service attacks.

Contrary to the end-to-end security scheme, the network-wide (Xenakis & Merakos, 2006) and the border-based (Xenakis et al., 2006) schemes integrate the VPN functionality into the UMTS network infrastructure following a network-assisted security model. In both schemes an MS initiates a VPN that is negotiated and established by the network infrastructure, thus minimizing the impact to end users and their devices. The network operators provide the security aggregation facilities, which are shared among the network subscribers, as a complementary service, granting added value. They have solid network management expertise and more resources to effectively create, deploy, and manage VPN services originating from mobile subscribers.

For the deployment of both security schemes (i.e., network-wide and border-based) the MS must be enhanced with a security client (SecC) and the UMTS core network should incorporate a security server (SecS). The SecC is employed by the user to request VPN services and express his preferences. It is a lightweight module that does not
entail considerable processing and memory capabilities and thus, it can be easily integrated in any type of mobile device causing minor performance overhead. On the other side, the SecS establishes, controls, and manages VPNs between itself and remote SGs at corporate LANs on behalf of the mobile users. The SecS comprises an IPsec implementation modified to adapt to the client-initiated VPN scheme and the security service provision in a mobile UMTS environment. It can be readily integrated in the existing network infrastructure and thus, both schemes can be employed as add-on features of UMTS.

The network-wide scheme (see Figure 13) integrates the SecS into the RNC of the UMTS network infrastructure. This scheme provides maximal security services to the communicating peers by employing the existing UMTS ciphering over the radio interface and extending a VPN over the UMTS backbone and the public Internet. Thus, sensitive user data remains encrypted for the entire network route between the originator and the recipient. In order to achieve VPN continuity as a mobile user moves and roams, the standard UMTS mobility management procedures need to be enhanced. The enhancements include the transfer of the related context (named as security context), which contains the details of the deployed security associations that pertain to the moving user, to the new visited access point. This transfer enables the reconstruction of the security associations of the moving user to the new visited access point, when the user connects to it, providing continuous VPN services from the end-user perspective. The network-wide scheme is compatible with legal interception; however, User Datagram Protocol (UDP) encapsulation is applied for Network Address Translation (NAT) traversal. Finally, the network security policy is enforced by the SGSN, which incorporates the SecS.

By placing the SecS in the GGSN, the border-based VPN deployment scheme is realized (see
3rd Generation Partnership Project (3GPP) TS 33.200 (v4.3.0). (2002). 3G security; Network domain security; MAP application layer security. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/Rel-4/33_series

3rd Generation Partnership Project (3GPP) TS 33.210 (v5.1.0). (2002). 3G security; Network domain security: IP network layer security. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/Rel-5/33_series

3rd Generation Partnership Project (3GPP) TR 33.908 (v3.0.0). (2000). 3G security; General report on the design, specification and evaluation of 3GPP standards confidentiality and integrity algorithms. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/R1999/33_series

3rd Generation Partnership Project (3GPP) TS 35.205 (v3.0.0). (2001). 3G security; Specification of the MILENAGE set: An example algorithm set for the 3GPP authentication and key generation functions f1, f1*, f2, f3, f4, f5, and f5*. Sophia-Antipolis Cedex, France: Author. Retrieved from ftp://ftp.3gpp.org/specs/2006-12/Rel-4/35_series

Gleeson, B., Lin, A., Heinanen, J., Armitage, G., & Malis, A. (2000). A framework for IP based virtual private networks (RFC 2764). Retrieved from http://tools.ietf.org/html/rfc2764

Gupta, V., & Gupta, S. (2001). Securing the wireless Internet. IEEE Communications Magazine, 39(12), 68-74.

Harkins, D., & Carrel, D. (1998). The Internet key exchange (IKE) (RFC 2409). Retrieved from http://www.ietf.org/rfc/rfc2409.txt

Kent, S., & Atkinson, R. (1998). Security architecture for the Internet Protocol (RFC 2401). Retrieved from http://www.ietf.org/rfc/rfc2401.txt

Wireless Application Forum (WAP). (n.d.). WAP specifications. Retrieved from http://www.wapforum.org/what/technical.htm

Xenakis, C., Loukas, N., & Merakos, L. (2006, April). A secure mobile VPN scheme for UMTS. In Proceedings of European Wireless 2006, Athens, Greece.

Xenakis, C., & Merakos, L. (2004a). IPsec-based end-to-end VPN deployment over UMTS. Computer Communications, 27(17), 1693-1708.

Xenakis, C., & Merakos, L. (2004b). Security in third generation mobile networks. Computer Communications, 27(7), 638-650.

Xenakis, C., & Merakos, L. (2006). Alternative schemes for dynamic secure VPN deployment over UMTS. Wireless Personal Communications, 36(2), 163-194.

Zhang, M., & Fang, Y. (2005). Security analysis and enhancements of 3GPP authentication and key agreement protocol. IEEE Transactions on Wireless Communications, 4(2), 734-742.

KEY TERMS

International mobile subscriber identity (IMSI): IMSI is a unique number associated with all UMTS network mobile phone users.

Internet key exchange (IKE): IKE is a protocol used to set up a security association (SA) in the IPsec protocol suite.

IP security (IPsec): IPsec is a suite of protocols for securing IP communications by authenticating and/or encrypting each IP packet in a data stream.

Temporary mobile subscriber identity (TMSI): TMSI is a randomly allocated number that is given to the mobile the moment it is switched on and serves as a temporary identity between the mobile and the network.

Third generation (3G): 3G is a technology in the context of mobile phone standards. The services associated with 3G include wide-area wireless voice telephony and broadband wireless data, all in a mobile environment.
Chapter XXI
Access Security in UMTS and IMS
Yan Zhang
Simula Research Laboratory, Norway
Yifan Chen
University of Greenwich, UK
Rong Yu
South China University of Technology, China
Supeng Leng
University of Electronic Science and Technology of China, China
Huansheng Ning
Beihang University, China
Tao Jiang
Huazhong University of Science and Technology, China
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
The authentication protocol is based on a permanent secret key K (128-bit) that is shared between the UE and HLR/AuC. The AKA mechanism can be divided into two phases: the distribution of authentication vector (DAV) from the HLR/AuC to the SGSN as shown in Figure 3, and the authentication and key establishment between the UE and the core network as illustrated in Figure 4.

Distribution of Authentication Vector

When a UE leaves an old SGSN (SGSNo) and moves into the coverage of a new SGSN (SGSNn), SGSNn has no corresponding record for the UE, which makes it necessary to authenticate the UE prior to the subsequent behavior. SGSNn will deliver the message authentication data request (ADR) to the HLR/AuC with the UE’s unique IMSI. Based on the received IMSI, AuC can find the associated record in its database and hence the corresponding master key K for this particular UE. Then, HLR/AuC generates n AVs instead of a single AV for the sake of saving signaling overhead. The AV structure is comprised of five components: (1) a random number RAND, (2) an expected authentication response XRES, (3) a cipher key CK, (4) an integrity key IK, and (5) a network authentication token AUTN (3G TS 23.060). In each generation, an AV is calculated by means of the authentication function f1-f5, where for instance the function f1 is employed to compute XRES, the function f2 is used to compute RES, and the function f3 is used to compute CK (3G TS 33.105; 3G TS 35.205; 3G TS 35.206). After successfully generating n AVs, AuC sends back the AV array to SGSNn via the message authentication data response, and SGSNn saves these n AVs for the particular UE. It is noteworthy that this phase executes not only upon UE entering a new SGSN area, but also when there are no AVs available upon an action arrival which requires authentication.

Authentication and Key Establishment

For each activity triggering authentication request such as call origination, paging, or location update the SGSN initiates the challenge user authentication request (UAR) message to the UE with the parameters RAND and AUTN, which are retrieved from the ith (i = 1, 2, …, n) AV in the first-in-first-out (FIFO) manner. Upon receiving the AV, the UE checks the validity of AUTN. For this goal, the UE retrieves SQN component from AUTN and calculates expected message authentication code for authentication (XMAC-A). The UE then compares X-MAC-A and message authentication
code for authentication (MAC-A) component in AUTN. If they are equal to each other, then the network is verified. Otherwise, the UE rejects the UAR and hence the network. After the network is identified, UE checks the SQN freshness, that is, the SQN has never been used before. When the network succeeds, the UE then computes the authentication response RES from the received RAND value and sends it in a user authentication response message to the SGSN. If RES equals the expected response XRES, then the UE is successfully authenticated. Since there are n AVs generated and recorded in SGSNn during each operation of DAV while only one AV is used during an authentication event, the signaling between SGSN and HLR/AuC during DAV is not needed for every authentication event.

It is believed that, after the AKA procedure, all messages are integrity protected, and the signaling data as well as the user data are confidentiality protected. In the sense of integrity protection, the content of signaling messages should not be manipulated. With regard to confidentiality protection, the subscriber identification, location, user data, and signaling data should be encrypted.

ACCESS SECURITY IN IMS

There are three entities relevant to the IMS security architecture (see Figure 5). A proxy call session control function (P-CSCF) is located in the serving network of a UE and acts as the first access point in the serving network. P-CSCF is responsible for forwarding SIP messages of a UE to the home network. A serving call session control function (S-CSCF) is located in the home network to provide session control of multimedia services and acts as SIP registrar or SIP proxy server. The S-CSCF sends messages toward the home subscriber server (HSS) and the AuC to receive subscriber data and authentication information. An interrogating call session control function (I-CSCF) is located in the home network and acts as a SIP proxy toward the home network. I-CSCF is responsible for selecting an appropriate S-CSCF for the UE and forwarding SIP requests/responses toward the S-CSCF.

Figure 5. IMS network architecture
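
The AKA exchange described earlier in this chapter (batch distribution of AVs to the SGSN, FIFO selection, the UE's MAC-A and SQN checks on AUTN, and the RES/XRES comparison) is traced below in Python. This is an added example, not code from the chapter or from 3GPP: f1 to f5 are truncated HMAC-SHA-256 stand-ins (f1 for MAC-A, f2 for RES/XRES, f3 for CK, f4 for IK, f5 for the key that masks SQN), the AUTN layout follows 3GPP TS 33.102, and the key, IMSI and AMF values are constructed.

```python
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass

AMF = b"\x80\x00"  # constructed 2-octet management field

class AuthError(Exception):
    """The UE rejected the network's challenge."""

def _prf(label, k, data, n):
    # Stand-in for the operator algorithms: truncated HMAC-SHA-256 (assumption).
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def f1(k, sqn, rand, amf): return _prf(b"f1", k, sqn + rand + amf, 8)  # MAC-A
def f2(k, rand): return _prf(b"f2", k, rand, 8)    # RES / XRES
def f3(k, rand): return _prf(b"f3", k, rand, 16)   # cipher key CK
def f4(k, rand): return _prf(b"f4", k, rand, 16)   # integrity key IK
def f5(k, rand): return _prf(b"f5", k, rand, 6)    # anonymity key masking SQN
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class AV:
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes  # (SQN xor AK) || AMF || MAC-A

class AuC:
    def __init__(self, keys):
        self.subscribers = {imsi: [k, 0] for imsi, k in keys.items()}  # K, SQN

    def authentication_data_request(self, imsi, n):
        """DAV phase: return an ordered array of n fresh AVs for this IMSI."""
        rec, avs = self.subscribers[imsi], []
        for _ in range(n):
            rec[1] += 1
            k, sqn, rand = rec[0], rec[1].to_bytes(6, "big"), os.urandom(16)
            autn = xor(sqn, f5(k, rand)) + AMF + f1(k, sqn, rand, AMF)
            avs.append(AV(rand, f2(k, rand), f3(k, rand), f4(k, rand), autn))
        return avs

class SGSN:
    def __init__(self, auc, batch):
        self.auc, self.batch = auc, batch
        self.queues, self.pending, self.dav_runs = {}, {}, 0

    def challenge(self, imsi):
        """Take the next unused AV (FIFO); run DAV only when none is left."""
        q = self.queues.setdefault(imsi, deque())
        if not q:
            q.extend(self.auc.authentication_data_request(imsi, self.batch))
            self.dav_runs += 1
        av = self.pending[imsi] = q.popleft()
        return av.rand, av.autn

    def verify(self, imsi, res):
        """Compare RES with XRES; on a match return (CK, IK), else None."""
        av = self.pending.pop(imsi)
        return (av.ck, av.ik) if hmac.compare_digest(res, av.xres) else None

class UE:
    def __init__(self, k):
        self.k, self.sqn_ms, self.ck, self.ik = k, 0, None, None

    def respond(self, rand, autn):
        """Verify AUTN (MAC-A first, then SQN freshness) and return RES."""
        conc, amf, mac_a = autn[:6], autn[6:8], autn[8:]
        sqn = xor(conc, f5(self.k, rand))
        if not hmac.compare_digest(f1(self.k, sqn, rand, amf), mac_a):
            raise AuthError("XMAC-A != MAC-A: network not verified")
        if int.from_bytes(sqn, "big") <= self.sqn_ms:
            raise AuthError("SQN not fresh: challenge was used before")
        self.sqn_ms = int.from_bytes(sqn, "big")
        self.ck, self.ik = f3(self.k, rand), f4(self.k, rand)
        return f2(self.k, rand)

def run_demo():
    k, imsi = bytes(range(16)), "001010000000001"  # constructed K and IMSI
    sgsn, ue = SGSN(AuC({imsi: k}), batch=3), UE(k)
    out = {"keys_match": True}
    for _ in range(4):  # four authentication events, AVs fetched in batches of 3
        rand, autn = sgsn.challenge(imsi)
        keys = sgsn.verify(imsi, ue.respond(rand, autn))
        out["keys_match"] = out["keys_match"] and keys == (ue.ck, ue.ik)
    out["dav_runs"] = sgsn.dav_runs
    forged = autn[:-1] + bytes([autn[-1] ^ 1])  # one bit of MAC-A flipped
    for name, bad_autn in (("replay", autn), ("tampered", forged)):
        try:
            ue.respond(rand, bad_autn)
            out[name] = "accepted"
        except AuthError as exc:
            out[name] = str(exc)
    return out

if __name__ == "__main__":
    print(run_demo())
```

With batches of three AVs, four authentication events cost two DAV runs, and the UE rejects both the replayed and the bit-flipped AUTN before any RES is returned.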
Figure 6. GPRS authentication
TION-INFO Request (IMSI) message to the HLR/AuC with the parameter IMSI uniquely identifying the UE.

3. Upon receiving the authentication request, the HSS/AuC searches the according record in the database on the basis of IMSI. Then, HSS/AuC generates an ordered array of n AVs for the specific UE. Each AV consists of the following components: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK, and an authentication token AUTN. The HSS/AuC then sends back the message MAP-SEND-AUTHENTICATION-INFO Response to SGSN with the AV array as parameters.

4. SGSN stores these n AVs for the particular UE and shall choose the next unused AV in the ordered AV array. Subsequently, the SGSN shall challenge the UE and sends message GMM Authentication and Ciphering Request with parameters RAND and AUTN populated from the selected AV.

5. The UE checks the validness of the received AUTN. In case it is acceptable, the UE shall calculate a response RES and send back to the SGSN through the message GMM Authentication and Ciphering Response. The SGSN retrieves the expected response XRES from the selected AV and compares XRES with the received response RES. If they match, the authentication and key agreement is successfully completed and the keys CK and IK are retrieved for the following signaling confidentiality and integrity protection.

6. The SGSN sends a GMM Attach Accept message to the UE to indicate the completion of the successful attach procedure.

IMS AUTHENTICATION

After the procedures of GPRS authentication, GPRS registration and PDP context activation, the UE has the IP address of the P-CSCF and is able to access the IMS services through the registration procedure using SIP and Cx commands as shown in Figure 7 (CWTS TSM 03.20; 3G TS 29.229). This procedure includes the IMS authentication and the IMS registration. In particular, the steps include:

1. To start registration, the UE sends a SIP REGISTER (IMPI, IMPU) message to the P-CSCF in the serving network. On the receipt, the P-CSCF forwards the registration request to the I-CSCF of the home network. I-CSCF then delivers the message to a chosen S-CSCF.

2. If the S-CSCF has at least one AV for the UE, then steps 2 and 3 are skipped. Otherwise, the S-CSCF has to obtain AVs from the entity HSS/AuC. S-CSCF triggers the procedure DAV by sending a Cx-AV-Req(IMPI, n) message to the HSS/AuC with the parameter IMPI uniquely identifying the UE and the number of n AVs wanted.

3. Upon receipt of a request from the S-CSCF, the HSS/AuC searches the database on the basis of the unique IMPI, obtains the subscriber profile, and generates an ordered array of n AVs for the specific UE. Each AV consists of the following components: a random number RAND, an expected response XRES, a cipher key CK, an integrity key IK, and an authentication token AUTN. Each AV is good for only one authentication and key agreement between the IMS subscriber and the S-CSCF. The HSS/AuC then sends back the message Cx-AV-Req-Resp(IMPI, RAND1||AUTN1||XRES1||CK1||IK1,…, RANDn||AUTNn||XRESn||CKn||IKn) to the S-CSCF with the array of AV as parameters.

4. The S-CSCF chooses the first unused AV in the array of AVs based on FIFO policy. From the selected AV, the items RAND, AUTN, IK, and CK are populated. The S-CSCF sends the message SIP 4xx-Auth-Challenge (IMPI, RAND, AUTN, IK, CK) to the I-CSCF, which then forwards the message to P-CSCF. Upon the receipt, the P-CSCF shall store the two keys IK and CK and remove the key information and finally forward the
rest of the message SIP 4xx-Auth-Challenge (IMPI, RAND, AUTN) to the UE.

5. The UE verifies the freshness of the received AUTN and calculates a response RES. This result RES is sent back from the UE to the P-CSCF through the message SIP REGISTER (IMPI, RES). After receiving the request, the P-CSCF forwards it to the I-CSCF, which further forwards the authentication response to the S-CSCF. The S-CSCF retrieves the expected response XRES and compares XRES and the received response RES. If they match, the authentication and key agreement is successfully completed. The next three steps perform registration.

6. The S-CSCF sends a Cx-Put message to the HSS/AuC with the UE identity. The HSS shall store the S-CSCF name, which is presently serving the UE, and then sends the Cx-Put Response for acknowledgement.

7. Next, the S-CSCF sends a Cx-Pull to the HSS/AuC with the UE identity in order to download the related information in the subscriber profile to the S-CSCF. HSS shall send a Cx-Pull Response to the S-CSCF with the indicated information.

8. The S-CSCF sends SIP 200 OK message to the UE through the I-CSCF and P-CSCF. After this step, a security association (SA) is active for the protection of subsequent SIP messages between the UE and the P-CSCF.

FUTURE TRENDS

Security Management in Heterogeneous Network

The next generation wireless mobile networks are characterized by the coexistence of a variety of network architectures, protocols, and applications due to the diverse requirements for data rate, radio coverage, deployment cost, and multimedia service. The 3GPP is actively specifying the roaming mechanism in the integrated wireless LAN (WLAN)/UMTS networks. It should be noted
that this scenario is only a specific heterogeneous network. The IEEE 802.16 standard is an emerging broadband wireless access system specified for wireless metropolitan area networks (WMAN) with the aim to bridge the last mile, replacing costly wireline and also providing high speed multimedia services in fast moving transportation. The recently amended 802.16e adds a mobility component for WMAN and defines both physical and MAC layers for combined fixed and mobile operations in licensed bands. It is envisaged that the future generation wireless networks will be the flexible and seamless integration of the three technologies WLAN, WMAN, and wireless wide area network (WWAN), where WLAN (e.g., IEEE 802.11 Wi-Fi) serves as the hot-spot access area for short-range and very high speed; WMAN (e.g., IEEE 802.16 WiMAX) serves as the metropolitan-wide access network with high data rate and WWAN (e.g., UMTS) provides the national-wide network with relatively low data rate. The substantial technical challenge is to design and implement the security architectures and protocols across such heterogeneous networks taking into account the seamless mobility, scalability, and performance efficiency.

Security-Mobility Management Interaction and Security-Energy Tradeoff

The performance of security management has a close interaction with the framework of mobility management. Mobility management includes two components: location management and handoff management (http://www.3gpp2.org). There are two operations in the location management: updating the UE location and paging the UE. In UMTS, SGSN shall authenticate a UE when the SGSN receives an “Initial L3 message” sent from UE. This message is triggered by the actions, including location update request, connection management request, routing area update request, attach request, and paging response. It is clear that all these events are closely relevant to the user’s mobility management architecture and mechanism. Liang and Wang (2005) constructed an analytical model to evaluate the impact of authentication on the security and QoS. The authors introduced the system model based on the widely used challenge/response mechanism. Then, a concept of security level is introduced to describe the different level of communication protection with regard to the nature of security, that is, information secrecy, data integrity, and resource availability. By taking traffic and mobility patterns into account, the technique establishes a quantitative connection between the security and QoS through the authentication and facilitates the evaluation of overall system performance under diverse security levels, mobility and traffic processes.

Generally, a UE is powered by battery and hence the mechanism in efficiently utilizing the limited energy is becoming very important. In case of more frequent authentication to increase the security, the UE will consume more energy. With fewer authentications incurring potential vulnerability, the UE is able to enlarge its lifetime before re-charging. As a consequence, there is a trade-off between the security and energy management. Potlapally, Ravi, Raghunathan, and Jha (2003) provided energy consumption empirical measurements for a variety of ciphers, hash functions, and signature algorithms. Based on the observations, the study presented some reasoning about the energy-security trade-offs in determining key length. However, no analytical models have been proposed to evaluate the energy-security trade-offs or make the intelligent decision on trade-off.

Higher Security Protocols

Although AKA has been standardized, the protocol has two significant weaknesses: (1) HLR/AuC does not verify whether the information sent from the visiting location register (VLR)/SGSN is valid or not. That is, AKA has assumed that the link between VLR/SGSN and HLR/AuC is adequately reliable; and (2) for the UMTS integrity protection mechanism, integrity key is transmitted without encryption and the user data are not protected. New strategies shall be designed to address these issues.
Harn and Hsin (2003) identified and discussed the inefficiency and complexity in keeping and managing the sequence number during the network authentication. Based on the combination of hash chaining and keyed-hash message authentication code techniques, an enhanced scheme is proposed to simplify the protocol implementation and simultaneously provide strong periodically mutual authentication.

Zhang and Fang (2005) showed that the 3GPP AKA protocol is vulnerable to a variant of the fake BS attack. The vulnerability allows an adversary to redirect user traffic from one network to another and to re-use corrupted AVs from one network to all other networks. To address such security problems in the current 3GPP AKA, the authors presented a new authentication and key agreement protocol AP-AKA which defeats redirection attack and drastically lowers the impact of network corruption.

Security Protocols Performance

Security architecture and protocol are normally evaluated to guarantee the security, confidentiality, and integrity requirement. Recently, a few studies have appeared to investigate the authentication signaling traffic performance due to the rapidly increasing number of subscribers and consequently potentially high authentication requests and heavy burden on the signaling networks. Lin and Chen (2003) argue the disadvantages in fetching the constant number of AV from HLR/AuC. Based on the observations of the mobility pattern, the authors proposed an adaptive scheme to generate an optimal number of AV array, which is able to significantly reduce the authentication signaling traffic and hence save the limited bandwidth utilization. Zhang and Fujise (2006) argue the long delay problem and proposed a mechanism to address the issue. In particular, when the two entities SGSN and HLR/AuC locate far away from each other, the response for an available AV may be potentially very long. The consequence of long delay includes call blocking and location update failure, and hence degraded QoS. To address this problem, the study proposed an enhanced scheme to fetch AV earlier before all AVs are used up. Comparing with the original 3GPP Technical Specification TS 33.102 (2000), the proposed strategy is able to achieve very low probability in waiting for an available AV with negligible increased signaling overhead and low storage cost. The study in Al-Saraireh and Yousef (2006) also analyzes the transmission overhead during the procedure of AKA. It is proposed that security protocols performance should be evaluated from the security perspective and also from the signaling overhead point of view. New security protocols should consider to combat potential vulnerability as well as to introduce low additional signaling cost.

Conclusion

This chapter gives an overview on the security management in the next generation wireless networks. The AKA process is described and its extension in GPRS authentication and IMS authentication are further discussed in detail. The identified research challenges shall serve as the guidance for the further study to propose more efficient security protocols taking into account the network architecture heterogeneity, the energy-security trade-offs, the mobility-security interaction, and comprehensive performance evaluation.

References

3rd Generation Partnership Project (3GPP) (1999). Technical specification core network; Mobile application part (MAP) specification. Technical Specification 3G TS 0.2 9 V30. 7 . ) 20(1 - Sophia Antipolis Cedex, France: Author.

3rd Generation Partnership Project (3GPP). Technical Specification Group Core Network; Mobile Radio Interface Layer 3 Specification; Core Network Protocols Stage 3 for Release02,.9 1 3G TS 24.008 version 3.6.0 (2000-12). Sophia Antipolis Cedex, France: Author.

3rd Generation Partnership Project (3GPP). Technical Specification Group Services and Systems
Chapter XXII
Security in 2.5G Mobile Systems
Christos Xenakis
University of Piraeus, Greece
Abstract

The global system for mobile communications (GSM) is the most popular standard that implements second generation (2G) cellular systems. 2G systems combined with general packet radio services (GPRS) are often described as 2.5G, that is, a technology between the 2G and third generation (3G) of mobile systems. GPRS is a service that provides packet radio access for GSM users. This chapter presents the security architecture employed in 2.5G mobile systems focusing on GPRS. More specifically, the security measures applied to protect the mobile users, the radio access network, the fixed part and the related data of GPRS are presented and analyzed in detail. This analysis reveals the security weaknesses of the applied measures that may lead to the realization of security attacks by adversaries. These attacks threaten network operation and data transfer through it, compromising end users and network security. To defeat the identified risks, current research activities on the G
a set of security improvements to the existing GPRS security architecture.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
[Figure: network architecture diagram with elements MS, BTS, BSC, BSS, MSC, VLR, EIR, HLR, AuC, SGSN, GGSN, CN, and PSTN, and interfaces Um, Abis, A, Gb, Gn, Gp, Gi, Gr, Gc, Gf, D, E, F, G, H]
GSN (SGSN) is responsible for the delivery of data packets from, and to, an MS within its service area. Its tasks include packet routing and transfer, mobility management, logical link management, and authentication and charging functions. A gateway GSN (GGSN) acts as an interface between the GPRS backbone and an external PDN. It converts the GPRS packets coming from the SGSN into the appropriate packet data protocol (PDP) format (e.g., IP), and forwards them to the corresponding PDN. Similar is the functionality of GGSN in the opposite direction. The communication between GSNs (i.e., SGSN and GGSN) is based on IP tunnels through the use of the GPRS tunneling protocol (GTP) (3GPP TS 09.60, 2002).

GPRS Security Architecture

In order to meet security objectives, GPRS employs a set of security mechanisms that constitutes the GPRS security architecture. Most of these mechanisms have been originally designed for GSM, but they have been modified to adapt to the packet-oriented traffic nature and the GPRS network components. The GPRS security architecture, mainly, aims at two goals: (1) to protect the network against unauthorized access, and (2) to protect the privacy of users. It includes the following components (GSM 03.20, 1999):

• Subscriber identity module (SIM)
• Subscriber identity confidentiality
• Subscriber identity authentication
[Figure: labels Ki, A3, A8, A5, SIM, GPRS-Kc, data, protected data, authentication response (GPRS-SRES) check, fixed network of a GPRS operator]

[Figure: labels GPRS-Kc, CIPHER ALGORITHM, OUTPUT, SGSN/MS, MS/SGSN]
and 1,600 bytes. GPRS-Kc (64 bits) is the encryption key generated by the GPRS authentication procedure and is never transmitted over the radio interface. The input (INPUT) parameter (32 bits) is used as an additional input so that each frame is ciphered with a different output string. This parameter is calculated from the logical link control (LLC) frame number, a frame counter, and a value supplied by the SGSN called the input offset value (IOV). The IOV is set up during the negotiation of LLC and layer 3 parameters. Finally, the direction bit (DIRECTION) specifies whether the output string is used for upstream or downstream communication.

After the initiation of ciphering, the sender (MS or SGSN) processes (bit-wise XOR) the OUTPUT string with the payload (PLAIN TEXT) to produce the CIPHERED TEXT, which is sent over the radio interface. In the receiving entity (SGSN or MS), the original PLAIN TEXT is obtained by bit-wise XORing the OUTPUT string with the CIPHERED TEXT. When the MS changes SGSN, the encryption parameters (e.g., GPRS-Kc, INPUT) are transferred from the old SGSN to the new SGSN, through the (inter) routing area update procedure in order to guarantee service continuity.

GPRS Backbone Security

The GPRS backbone network includes the fixed network elements and their physical connections that convey user data and signaling information. Signaling exchange in GPRS is mainly based on the signaling system 7 (SS7) technology (3GPP TS 09.02, 2004), which does not support any security measure for the GPRS deployment. Similarly, the GTP protocol that is employed for communication between GSNs does not support security. Thus, user data and signaling information in the GPRS backbone network are conveyed in cleartext exposing them to various security threats. In addition, inter-network communications (between different operators) are based on the public Internet, which enables IP spoofing to any malicious third party who gets access to it. In the sequel, the security measures applied to the GPRS backbone network are presented.

The responsibility for security protection of the GPRS backbone as well as inter-network communications belongs to mobile operators. They utilize private IP addressing and network address translation (NAT) (Srisuresh & Holdrege, 1999) to restrict unauthorized access to the GPRS backbone. They may also apply firewalls at the borders of the GPRS backbone network in order to protect it from unauthorized penetrations. Firewalls protect the network by enforcing security policies (e.g., user traffic addressed to a network element is discarded). Using security policies the GPRS operator may ensure that only traffic initiated from the MS and not from the Internet should pass through a firewall. This is done for two reasons: (1) to restrict traffic in order to protect the MS and the network elements from external attacks; and (2) to protect the MS
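The ciphering procedure described above (OUTPUT derived from GPRS-Kc, INPUT and DIRECTION, then XORed with the payload) is modelled below as an added example that is not part of the original chapter; it shows why INPUT must differ for every frame and how a repeated INPUT can be spotted. HMAC-SHA256 in counter mode stands in for the cipher algorithm, the modular sum in `derive_input` is an assumed simplification, and all keys, values and function names are constructed for illustration.

```python
import hashlib
import hmac

MAX_OUTPUT_BYTES = 1600  # upper bound on the OUTPUT string stated in the text


def keystream(kc: bytes, input_value: int, direction: int, length: int) -> bytes:
    """Model OUTPUT = f(GPRS-Kc, INPUT, DIRECTION).

    HMAC-SHA256 in counter mode is a stand-in chosen for this example; it is
    not a GPRS cipher algorithm. Only the parameter structure follows the text.
    """
    if len(kc) != 8:
        raise ValueError("GPRS-Kc is 64 bits")
    if not 0 <= input_value < 2**32:
        raise ValueError("INPUT is 32 bits")
    if direction not in (0, 1):
        raise ValueError("DIRECTION is one bit")
    if not 0 < length <= MAX_OUTPUT_BYTES:
        raise ValueError("OUTPUT length out of range")
    seed = input_value.to_bytes(4, "big") + bytes([direction])
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(kc, seed + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def derive_input(iov: int, llc_frame_number: int, frame_counter: int) -> int:
    """Assumed combination (sum modulo 2**32) of the three values the text names."""
    return (iov + llc_frame_number + frame_counter) % 2**32


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cipher_frame(kc: bytes, input_value: int, direction: int, payload: bytes) -> bytes:
    """Encrypts or decrypts one frame: XOR with OUTPUT is its own inverse."""
    return xor_bytes(payload, keystream(kc, input_value, direction, len(payload)))


def reused_inputs(frames):
    """Return (direction, INPUT) pairs seen more than once under one GPRS-Kc."""
    seen, repeated = set(), []
    for key in frames:
        if key in seen and key not in repeated:
            repeated.append(key)
        seen.add(key)
    return repeated


def demo() -> dict:
    kc = bytes.fromhex("0123456789abcdef")   # constructed 64-bit key
    iov = 0x1A2B3C4D                          # constructed IOV
    uplink, downlink = 0, 1                   # assumed encoding of DIRECTION
    p1 = b"frame one: user data"
    p2 = b"frame two: more data"
    in1 = derive_input(iov, llc_frame_number=7, frame_counter=0)
    in2 = derive_input(iov, llc_frame_number=8, frame_counter=0)

    c1 = cipher_frame(kc, in1, uplink, p1)
    c2 = cipher_frame(kc, in2, uplink, p2)        # correct: fresh INPUT
    c2_bad = cipher_frame(kc, in1, uplink, p2)    # faulty sender repeats INPUT

    return {
        # Receiver recovers the plaintext with the same parameters.
        "round_trip": cipher_frame(kc, in1, uplink, c1) == p1,
        # Same key and INPUT, other direction: a different OUTPUT string.
        "direction_separates": cipher_frame(kc, in1, downlink, p1) != c1,
        # With fresh INPUT the ciphertexts do not reveal p1 XOR p2 ...
        "fresh_input_leaks": xor_bytes(c1, c2) == xor_bytes(p1, p2),
        # ... with a repeated INPUT the keystream cancels out and they do.
        "reused_input_leaks": xor_bytes(c1, c2_bad) == xor_bytes(p1, p2),
        "repeats": reused_inputs([(uplink, in1), (uplink, in2), (uplink, in1)]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
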
inputs and produces a hash output of 12 bytes (96 bits). While the actual specification of COMP128 was never made public, the algorithm has been reverse engineered and cryptanalyzed (Barkan, Biham, & Neller, 2003). Thus, knowing the secret key, Ki, it is feasible for a third party to clone a GSM/GPRS SIM-card, since its specifications are widely available (ETSI TS 100 922, 1999).

The last weakness of the GPRS authentication procedure is related to the network ability of reusing authentication triplets. Each authentication triplet should be used only in one authentication procedure in order to avoid man-in-the-middle and replay attacks. However, this depends on the mobile network operator (home and serving) and cannot be checked by mobile users. When the VLR of a serving network has used an authentication triplet to authenticate an MS, it shall delete the triplet or mark it as used. Thus, each time that the VLR needs to use an authentication triplet, it shall use an unmarked one, in preference to a marked one. If there is no unmarked triplet, then the VLR shall request fresh triplets from the home HLR. If fresh triplets cannot be obtained, because of a system failure, the VLR may reuse a marked triplet. Thus, if a single triplet is compromised, a false BS can impersonate a genuine GPRS network to the MS. Moreover, as the false BS has the encryption key, Kc, it will not be necessary for the false BS to suppress encryption on the air interface. As long as the genuine SGSN is using the compromised authentication triplet, an attacker could also impersonate the MS and obtain session calls that are paid by the legitimate subscriber.

Data and Signalling Protection

An important weakness of the GPRS security architecture is related to the fact that the encryption of signalling and user data over the highly exposed radio interface is not mandatory. Some GPRS operators, in certain countries, never switch on encryption in their networks, since the legal framework in these countries does not permit that. Hence, in these cases signaling and data traffic are conveyed in cleartext over the radio path. This situation is becoming even more risky from the fact that the involved end users (humans) are not informed whether their sessions are encrypted or not.

As encryption over the radio interface is optional, the network indicates to the MS whether and which type(s) of encryption it supports in the authentication request message, during the GPRS authentication procedure. If encryption is activated, the MS starts ciphering after sending the authentication response message and the SGSN starts ciphering/deciphering when it receives a valid authentication response message from the MS. However, since these two messages are not protected by confidentiality and integrity mechanisms (data integrity is not provided in the GPRS radio interface except for traditional non-cryptographic link layer checksums), an adversary may mediate in the exchange of authentication messages. The results of this mediation might be either the modification of the network and the MS capabilities regarding encryption, or the suppression of encryption over the radio interface.

GPRS Backbone

Based on the analysis of the GPRS security architecture (see the GPRS security architecture section) it can be perceived that the GPRS security does not aim at the GPRS backbone and the wire-line connections, but merely at the radio access network and the wireless path. Thus, user data and signaling information conveyed over the GPRS backbone may experience security threats, which degrade the level of security supported by GPRS. In the following, the security weaknesses of the GPRS security architecture that are related to the GPRS backbone network for both signaling and data plane are presented and analyzed.

Signaling Plane

As mentioned previously, the SS7 technology used for signaling exchange in GPRS does not support security protection. Until recently, this was not perceived to be a problem since SS7 networks belonged to a small number of large institutions (telecom operator). However, the rapid deployment of mobile systems and the liberalization of
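The triplet handling rules given earlier in this section (use an unmarked triplet first, request fresh ones from the HLR, fall back to a marked one only when the HLR cannot be reached) are sketched below as an added example that is not part of the original chapter; it records every reuse so an operator can alert on it, and shows a stricter setting that refuses to reuse. The class names, the `allow_reuse` switch, the HMAC-SHA256 stand-in for A3/A8, and the IMSI and Ki values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Triplet:
    rand: bytes          # challenge sent to the MS
    sres: bytes          # expected 32-bit response
    kc: bytes            # 64-bit cipher key
    used: bool = False   # "marked" in the text's wording


class HlrUnavailable(Exception):
    """Fresh triplets cannot be obtained (system failure)."""


class NoFreshTriplet(Exception):
    """Strict policy: authentication is refused rather than reusing a triplet."""


class FakeHlr:
    """Constructed home-network stub. HMAC-SHA256 stands in for A3/A8; its
    first 12 bytes are split into SRES (4 bytes) and Kc (8 bytes)."""

    def __init__(self, ki_by_imsi):
        self.ki_by_imsi = ki_by_imsi
        self.reachable = True

    def fetch(self, imsi, count):
        if not self.reachable:
            raise HlrUnavailable(imsi)
        ki = self.ki_by_imsi[imsi]
        batch = []
        for _ in range(count):
            rand = secrets.token_bytes(16)
            digest = hmac.new(ki, rand, hashlib.sha256).digest()
            batch.append(Triplet(rand, digest[:4], digest[4:12]))
        return batch


class VlrTripletStore:
    def __init__(self, fetch, batch_size=2, allow_reuse=True):
        self._fetch = fetch
        self._batch_size = batch_size
        self._allow_reuse = allow_reuse
        self._pool = {}            # imsi -> list of Triplet
        self.reuse_events = []     # (imsi, RAND hex) for each reused triplet

    def next_triplet(self, imsi):
        """Return (triplet, reused_flag) following the rules in the text."""
        pool = self._pool.setdefault(imsi, [])
        fresh = next((t for t in pool if not t.used), None)
        if fresh is None:
            try:
                new = self._fetch(imsi, self._batch_size)
            except HlrUnavailable:
                new = []
            if new:
                pool[:] = new      # marked triplets are deleted once fresh ones exist
                fresh = new[0]
        if fresh is not None:
            fresh.used = True
            return fresh, False
        if not pool or not self._allow_reuse:
            raise NoFreshTriplet(imsi)
        reused = pool[-1]
        self.reuse_events.append((imsi, reused.rand.hex()))
        return reused, True


def demo() -> dict:
    imsi = "001010000000001"   # constructed test identity
    hlr = FakeHlr({imsi: bytes.fromhex("00112233445566778899aabbccddeeff")})

    vlr = VlrTripletStore(hlr.fetch, batch_size=2)
    flags = [vlr.next_triplet(imsi)[1] for _ in range(2)]   # two fresh triplets
    hlr.reachable = False
    flags.append(vlr.next_triplet(imsi)[1])                 # fallback: reuse
    hlr.reachable = True
    flags.append(vlr.next_triplet(imsi)[1])                 # fresh again

    strict = VlrTripletStore(hlr.fetch, batch_size=1, allow_reuse=False)
    strict.next_triplet(imsi)
    hlr.reachable = False
    try:
        strict.next_triplet(imsi)
        refused = False
    except NoFreshTriplet:
        refused = True
    return {"flags": flags, "reuse_events": len(vlr.reuse_events),
            "strict_refused": refused}


if __name__ == "__main__":
    print(demo())
```
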
the incorporation of the network domain security (NDS) features (Xenakis, 2006; Xenakis & Merakos, 2004) into the GPRS security architecture. NDS features, which have been designed for the latter version of UMTS, ensure that signaling exchanges in the backbone network as well as in the whole wire-line network are protected. For signaling transmission in GPRS the SS7 and IP protocol architectures are employed, which incorporate the mobile application part (MAP) (3GPP TS 09.02, 2004) and the GTP protocol (3GPP TS 09.60, 2002), respectively. In NDS both architectures are designed to be protected by standard procedures based on existing cryptographic techniques. Specifically, the IP-based signaling communications will be protected at the network level by means of the well-known IPsec suite (Kent & Atkinson, 1998). On the other hand, the realization of protection for the SS7-based communications will be accomplished at the application layer by employing specific security protocols (Xenakis & Merakos, 2004). However, until now only the MAP protocol from the SS7 architecture is designed to be protected by a new security protocol named MAPsec (3GPP TS 33.200 2002).

the realization of security attacks that threaten network operations and data transfer through it. These weaknesses are related to: (1) the compromise of the confidentiality of subscriber’s identity, since it may be conveyed unprotected over the radio interface; (2) the inability of the authentication mechanism to perform network authentication; (3) the possibility of using COMP128 algorithm (which has been cryptanalyzed) for A3 and A8 implementations; (4) the ability of reusing authentication triplets; (5) the possibility of suppressing encryption over the radio access network or modifying encryption parameters; and (6) the lack of effective security measures that are able to protect signaling and user data transferred over the GPRS backbone network. To defeat some of these risks, a set of security improvements to the existing GPRS security architecture may be incorporated. Additionally, some complementary security measures, which have been originally designed for fixed network and aim at enhancing the level of security that GPRS supports, may be applied.

Acknowledgment
Second Generation (2G): 2G is a short for second-generation wireless telephone technology.

Second and a Half Generation (2.5G): 2.5G is used to describe 2G systems that have implemented a packet-switched domain in addition to the circuit-switched domain.

Signaling System 7 (SS7): SS7 is a set of telephony signaling protocols which are used to set up the vast majority of the world’s public switched telephone network telephone calls.

Subscriber Identity Module (SIM): SIM is a removable smart card for mobile phones that stores network specific information used to authenticate and identify subscribers on the network.

Temporary Mobile Subscriber Identity (TMSI): TMSI is a randomly allocated number that is given to the mobile the moment it is switched on and serves as a temporary identity between the mobile and the network.
Chapter XXIII
End-to-End Security
Comparisons Between IEEE
802.16e and 3G Technologies
Sasan Adibi
University of Waterloo, Canada
Gordon B. Agnew
University of Waterloo, Canada
Abstract

Security measures of mobile infrastructures have always been important from the early days of the creation of cellular networks. Nowadays, however, the traditional security schemes require a more fundamental approach to cover the entire path from the mobile user to the server. This fundamental approach is so-called end-to-end (E2E) security coverage. The main focus of this chapter is to discuss such architectures for IEEE 802.16e (Mobile-WiMAX) and major third generation (3G) cellular networks. The E2E implementations usually contain a complete set of algorithms, protocol enhancements (mutual identification, authentications, and authorization), including the very large-scale implementations. This chapter discusses various proposals at the protocol level.
The management of the sections is as follows: the next section will discuss details about the ultimate security features attributed to 3G technologies. The GSM section will discuss the security weakness in GSM’s initial draft and the E2E solution to overcome its weakness. The fourth and fifth sections talk about GPRS and CDMA respectively. The Mobile-WiMAX section opens the discussion on 802.16e, the candidate for the 4G wireless systems, which contains the security weakness of 802.16e’s initial draft and the E2E solution. A thorough comparison and references will be given in the last two sections.

Objectives of Security Features for 3G/Mobile-WiMAX

Before discussing security weaknesses of individual 3G technologies, we briefly discuss the objective of 3G security features. These features are (Campbell, Mckunas, Myagmar, Gupta, & Briley, 2002):

• Mutual authentication: Authentication is a method to verify that the claimed identity of an entity is genuine. Authentication is a fundamental security service and other necessary services often depend on proper authentication. Many protocols offer a one-way authentication. That is, only the client has to authenticate itself to the server and the server is not required to authenticate itself to the client. A one-way authentication is prone to a so-called impersonation attack, in which an illegitimate entity could pose as a legitimate one and start a new communication with another legitimate entity or take control of an already started conversation. A two-way authentication scheme (mutual authentication) resolves the impersonation attack. An E2E security scheme uses a balanced mutual authentication technique. A balanced technique requires equal effort by both entities to authenticate themselves to other entities. This decreases the chance of attacker’s success
• Data integrity: This guarantees that the data received has not been altered by an unauthorized entity. One method of doing this is through the application of a hash function to the data stream
• Security between networks: Networks are interconnected using secure wired links, mainly using IPSec tunneling mechanism.
• Secure international mobile subscriber identity (IMSI) usage: The first-time user is assigned an initial IMSI number by the home network.
• Stronger security scope: Security is based within the radio network controller (RNC) rather than the base station (BS). An RNC is responsible for controlling and managing the multiple BSs including the utilization of radio network services.
• User- and mobile-station authentication schemes: Both user and mobile station share a secret common key, which is called the PIN. This is used for authentication.
• Secure services: These services protect the infrastructure against usage and access misuses.
• Security in applications: This is critical for mobile-based application security.
• Fraud detection: Mechanisms to detect and combat fraud in roaming situations.
• Flexibility: As technologies evolve, security features are extended and enhanced as required by new services and threats.
• Service availability and configurability: Users are to be notified whether security is on and the available level of security.
• Multiple cipher and integrity algorithms: The mobile user and the network negotiate and agree on the best available cipher and integrity algorithms (e.g., KASUMI).
• Lawful interception: Mechanisms should be provided to authorize agencies with certain necessary information about subscribers.
• GSM compatibility: GSM subscribers should be able to roam in 3G networks and cope with the extended security needed via GSM security context.
Figure 2: GSM authentication, cipher key generation, and encryption (Adapted from Pagliusi, 2002)
Figure 3. Authentication and encryption in GSM system (Adapted from Pagliusi, 2002)
In this section, the weaknesses associated to GSM security systems (Pagliusi, 2002) are discussed and the E2E security proposals are considered. Figure 1 shows the GSM system overview. The principles behind GSM security scheme are:

• Subscriber identity confidentiality scheme,
• Subscriber identity authentication scheme (Figure 2),
• Stream ciphering of user traffic and user-related control data schemes; and
• Using subscriber identity module (SIM) as a security module scheme.

Figure 2 shows the GSM authentication scheme in which three algorithms (A3, A5, and A8) are used for authentication, key generation, and encryption. The detailed authentication and encryption schemes for GSM are shown in Figure 3, where A3 (authentication algorithm), A8 (stream cipher), and A5 (key agreement algorithm) are performed in the mobile station and the key is verified in the public land mobile network (PLMN).

GSM Security Attacks

The security attacks associated to GSM architecture are (Pagliusi, 2002):

• SIM/Mobile Equipment (ME) interface: The SIM/ME interface is unprotected and can be tapped using an unauthorized device.
• Attacks on the algorithms A3/A8/(A5/1): Both A3 and A8 heavily rely on the COMP128 authentication algorithm, which has been cryptanalyzed allowing the recovery of shared master key leading to device cloning. A5/1 has also been attacked by Biryukov and Shamir (Pagliusi, 2002).
• One-way authentication: A3 is a one way operator-dependent stream-cipher function. Therefore its functionality suffers from being unbalanced
• Unprotected signaling: Though nearly all communications between the MS and the BS are encrypted, in the fixed networks and between GSM central networks all the communications and signaling are not protected as they are in plaintext most of the time
• Attack on SIM card: Interruption could occur on the operation of the smart card’s microprocessor by exposing it to an electronic camera flashbulb. These types of attacks are called optical fault induction. Another type of attack, which is performed on the execution of COMP128 table lookups is called partitioning attacks.
• False BS: GSM provides a unilateral authentication (one-way). Because of the unbalanced nature, this allows attacks (such as man-in-the-middle (MITM) attack) where a malicious third party masquerades as a BS to one or more mobile stations.

E2E Scheme for GSM

The security concerns for GSM could be addressed in an E2E fashion. There are two major concerns in the current GSM structure that prevent the E2E communication: one is the fact that authentication is one way (A3/A8), and the other is the fact that data is exposed and unprotected in certain areas. To prevent these flaws and pave the path to go E2E, a strong user authentication along with complete path encryption are proposed (Aydemir & Selcuk, 2005; Mynttinen, 2000).

Strong User Authentication

A strong authentication protocol is achieved through user-based rather than device-based authentication. The GSM authentication algorithm contains three fundamental entities in a session (Pagliusi, 2002):

• The mobile subscriber (MS)
• The visiting location register (VLR)
• The home location register (HLR)

The initial draft of GSM states for the authentication scheme to use a cryptographic authentication key embedded in the SIM card of the device. Through the GSM user authentication protocol (GUAP) approach (Aydemir & Selcuk, 2005), the user can authenticate himself/herself through a password instead of the embedded hard-coded key, which breaks the dependency of the SIM card during authentication. The GUAP is based on three entities and in many cases the third entity is a trusted server whose public key is known by
Figure 4. The GUAP scheme (Adapted from Aydemir & Selcuk, 2005)

1. MS → VLR: IMSI
2. VLR → MS: RAND
3. MS → VLR: {n1, n2, n3, {RAND}Π}K_HLR, ra
4. VLR → HLR: {n1, n2, n3, {RAND}Π}K_HLR, {RAND}K_VLR
5. HLR → VLR: {k}K_VLR, {n1, n2 ⊕ k}Π
6. VLR → MS: {n1, n2 ⊕ k}Π, {ra}k, rb
7. MS → VLR: {rb}k
all parties. GSM doesn't include synchronized clocks, therefore authentication timestamps are not allowed. This can be remedied through the usage of random nonces. According to Figure 4, through VLR, MS is being authenticated to HLR through the usage of the password. The HLR public key, K_HLR, is known to all parties, and K_VLR is the symmetric encryption key shared among the VLR and the HLR. The GUAP protocol is being depicted in Figure 4.

In regards to GSM authentication, the GUAP's main goal is to break SIM card's dependency for added user flexibility. The GUAP's design includes considerations of the MS's computational restrictions. It also includes provisioning of the VLR authentication to both MS and HLR.

E2E Security of Mobile Data in GSM

In this approach, the E2E security scheme of mobile data in GSM is considered. It focuses on wireless application protocol (WAP) security, which can be broken. The data path protection in WAP is especially important for voice over IP (VoIP) applications. For this purpose, WAP Transport Layer E2E Security is proposed. The E2E security for WAP transport layer is a specification provided by WapForum for supporting WAP E2E security by allowing the WAP clients to establish a straight wireless transport layer security (WTLS) connection with the WAP-based gateway. This gateway no longer encrypts and decrypts the traffic meant for the content-provider's 3rd party. Thus a malicious node is not able to cause problems for the data's confidentiality and integrity. A mechanism, such as TLS, can be used to provide the required protection. Therefore it is fair to say that the required confidentiality and integrity can be guaranteed. However, non-repudiation property cannot be achieved using this solution. As a remedy to this problem, a digital signature can be used in the transaction data, which is able to support integrity and non-repudiation functions. All WAP clients need to have access to digital keys for this to work.

GPRS

GPRS is a data-network-based architecture, which is designed in such a way to integrate well with existing GSM offering MSs “always connected” packet-switched data services. This includes connections to corporate networks and to the Internet. Figure 5 shows an MS logically attached to a serving GPRS support node (SGSN) (“GPRS Security Threats and Solutions,” 2002). The SGSN's main functionality is to provide data services to the MS. Through the GPRS tunneling protocol (GTP), the SGSN can logically be connected to the gateway GPRS support node (GGSN). The GTP provides logical connection among the roaming partners of SGSN and GGSN.

GPRS was introduced as a packet service, which provides E2E IP connectivity with similar security options as in GSM. GPRS uses the same A3/A8 algorithms, which are used in GSM, but the randomization function is slightly different. The three GPRS encryption algorithms are GEA1, GEA2, and GEA3, which is A5/3.
Figure 5. GPRS architecture (Adapted from “GPRS Security Threats and Solutions,” 2002)
Security services provided by GPRS are protections against attacks and providing the following assurances:

• Integrity: Integrity is an assurance that data is not altered in an unauthorized manner.
• Confidentiality: Confidentiality is protecting data from disclosure to third parties.
• Authentication: Authentication provides assurance that all communication parties are really the ones who they claim to be.
• Authorization: Authorization is a service, which ensures that only legitimate entities are allowed to take part in any communications.
• Availability: Availability means that communication parties and data services are available and usable by any other parties in wireless range.

Before one can discuss the details about security, it is necessary to discuss the entities related in the data path. There are two main interfaces used in GPRS: Gp and Gi. The Gp interface is a logical connection among PLMNs. The protocols that deal directly with Gp are:

• GTP: The logical connection among the roaming partners of SGSN and GGSN.
• Border gateway protocol (BGP): BGP provides routing between interfaces.
• Dynamic name system (DNS): DNS is a service that translates Internet domain names and computer hostnames to IP addresses.

The GTP provides logical connection among the roaming partners of SGSN and GGSN. If this connection is within the same PLMN, this is called the Gn interface. If the connection is between two different PLMNs, then it is known as the Gp interface. The Gp and the Gi interfaces are the initial and fundamental points of interconnection
Security in Mobile Ad Hoc Networks
cal architecture may not be suitable to MANETs either, due to the rapid topology change of MANETs and the high overhead introduced by organizing the hierarchy.

Sun, Wu, and Pooch (2003) propose a zone-based IDS (ZBIDS). ZBIDS divides the network into nonoverlapping zones. The nodes are categorized into two types based on their locations to a zone: intrazone nodes (within a zone and not connected to nodes in another zone) and interzone nodes (within a zone and connected to nodes in another zone). Intrazone nodes are responsible for local detection and broadcast in case of alerts. Interzone nodes perform aggregation and correlation of these local detection results. The system can limit the detection cooperation in a zone, which may reduce the overhead by the broadcast and aggregation. However, the system requires that each node know its physical location, which needs prior design setup. The management of zones is not a trivial task either.

Intrusion detection has been a challenging task for MANETs, mainly due to the distribution nature and resource constraints of ad hoc networks. To determine intrusions with local or incomplete information and with low overhead has been a major concern for researchers.

Open Challenges and Conclusion

information or evidence provided by peers, not by trusted authorities or a central administration point (as in the Internet or wireless networks with base-stations). Additionally, the gathering of the trust evidence may be difficult due to the small bandwidth, and therefore local information has to be relied on. Evaluation with uncertain and incomplete trust evidence certainly poses challenges to trust management.

Research progress has been made on authentication and key management. But finding cryptographic mechanisms that consume less computational resources and impose lower time complexity is still a major research concern in MANET security.

Another problem for MANET security is to find an effective and efficient approach for intrusion response. Many publications simply mentioned that proper actions should be taken to react to intrusions, which may include alarming the other nodes in the network, isolating the compromised nodes, or re-establishing the trust relationship for the entire network. But the problem of how to locate and then isolate the compromised nodes is not discussed in details. The location and isolation could be even more difficult when distributed attacks are launched from multiple sources. Eliminating the compromised nodes by rekeying or rebuilding the trust could be an effective solution. However, it is certainly not efficient taking into account the computation and communication overhead it may cause.
Some other unexplored research problems in-
challenges
clude the tradeoff between privacy (such as identity
anonymity and location privacy) and other security
The research in MANET security is still in its early
services (such as accounting and intrusion detec-
stage. Some areas that are interesting but little
tion), and the tradeoff between security strengths
explored include accounting, trust management,
and network performance.
authentication, and key management.
Yang et al. (2004) argue that MANET security
Accounting provides the method for collecting
needs a “multifence security solution,” namely re-
the information used for billing, auditing, and
siliency-oriented security design. They argue that
reporting. Accounting mechanisms can track the
the existing proposals are attack-oriented because
services that users are accessing as well as the
theprotocolstargetsomespecificattackthat
amount of network resources they are consuming.
beenidentifiedfirst.Theseprotocolsthereforema
Accounting is a challenging problem due to the
not work well in the presence of unanticipated
distributed and ephemeral nature of MANETs.
attacks. They propose that a security solution is
The characteristics of MANETs also bring
needed that can be embedded into every component
difficulty trust
to management. In MANETs,
or every layer in the network. The solution can
the trustworthiness is evaluated based on the
offer multiple lines of defense against many security threats, both known and unknown.
Besides the problems described above, how to adapt the security mechanisms in a large-scale wireless network is also an interesting problem. The scalability of security mechanisms and the compromise between security and network scalability are certainly topics worth further research study.

Conclusion
With the rapid proliferation of wireless networks and mobile computing applications, MANETs have received increased attention. Security is an important feature for ad hoc networks, especially in untrustworthy environments such as battlefields. Development of security solutions for ad hoc networks has therefore become a major research concern.
However, the characteristics of ad hoc networks have not only introduced vulnerabilities to malicious attacks varying from passive eavesdropping to active interfering, but also imposed difficulty and challenges in introducing security features to MANETs.
This book chapter has discussed the security vulnerabilities, challenges, and security solutions for MANETs. A variety of attacks and their countermeasures have been identified for different network operations, mechanisms, and network layers. Existing research efforts as well as the open challenges were discussed in the chapter.

References
Aad, I., Hubaux, J.-P., & Knightly, E.W. (2004). Denial of service resilience in ad hoc networks. In Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom 2004), Philadelphia, (pp. 202-215).
Albers, P., Camp, O., Percher, J., Jouga, B., Me, L., & Puttini, R. (2002). Security in ad hoc networks: A general intrusion detection architecture enhancing trust based approaches. In Proceedings of the 1st International Workshop on Wireless Information Systems (WIS-2002) (pp. 1-12).
Anderegg, L., & Eidenbenz, S. (2003). Routing and forwarding: Ad hoc-VCG: A truthful and cost-efficient routing protocol for mobile ad hoc networks with selfish agents. In Proceedings of the 9th Annual International Conference on Mobile Computing and Networking (MobiCom '05), San Diego, (pp. 245-259). ACM Press.
Anantvalee, T., & Wu, J. (2006). A survey on intrusion detection in mobile ad hoc networks. In Y. Xiao, X. Shen, & D.-Z. Du (Eds.), Wireless/mobile network security (pp. 170-196).
Balfanz, D., Smetters, D.K., Stewart, P., & Wong, H.C. (2002). Talking to strangers: Authentication in ad-hoc wireless networks. Paper presented at the Symposium on Network and Distributed Systems Security (NDSS '02), San Diego.
Buchegger, S., & Boudec, J.L. (2001). The selfish node: Increasing routing security in mobile ad hoc networks (IBM Research Report: RR 3354).
Buchegger, S., & Boudec, J.L. (2002a). Nodes bearing grudges: Towards routing security, fairness, and robustness in mobile ad hoc networks. In Proceedings of the Tenth Euromicro Workshop on Parallel, Distributed and Network-based Processing, Canary Islands, Spain, (pp. 403-410). IEEE Computer Society.
Buchegger, S., & Boudec, J.L. (2002b). Performance analysis of the CONFIDANT protocol: Cooperation of nodes - fairness in dynamic ad-hoc networks. In Proceedings of IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), Lausanne, CH, (pp. 226-236). ACM Press.
Buttyán, L., & Hubaux, J.-P. (2000). Enforcing service availability in mobile ad-hoc WANs. In Proceedings of Workshop on Mobile Ad-hoc networking and Computing (MobiHOC), Boston, (pp. 87-96).
Buttyán, L., & Hubaux, J.-P. (2003). Stimulating cooperation in self-organizing mobile ad hoc networks. Mobile Networks and Applications, 8(5), 579-592.
Cagalj, M., Ganeriwal, S., Aad, I., & Hubaux, J.-P. (2004). On cheating in CSMA/CA ad hoc networks (Tech. Rep. IC/2004/27, EPFL-DI-ICA). Lausanne, Switzerland: Swiss Federal Institute of Technology Lausanne.
Capkun, S., Buttyan, L., & Hubaux, J.-P. (2003). Self-organized public-key management for mobile ad hoc networks. IEEE Transactions on Mobile Computing, 2(1), 52-64.
Chan, A.C.-F. (2004). Distributed symmetric key management for mobile ad hoc networks. In Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), Hong Kong, China, (pp. 2414-2424). IEEE.
Crepeau, C., & Davis, C.R. (2003). A certificate revocation scheme for wireless ad hoc networks. In Proceedings of the 1st ACM Workshop Security of Ad Hoc and Sensor Networks, Fairfax, Virginia, (pp. 54-61). ACM Press.
Gupta, V., Krishnamurthy, S., & Faloutsos, M. (2002). Denial of service attacks at the MAC layer in wireless ad hoc networks. In Proceedings of MILCOM.
Hu, Y.C., Johnson, D., & Perrig, A. (2002). SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks. In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '02), Callicoon, New York, (pp. 3-13).
Hu, Y.C., Perrig, A., & Johnson, D. (2002). Ariadne: A secure on-demand routing protocol for ad hoc networks. In Proceedings of the 8th ACM International Conference on Mobile Computing and Networking (MobiCom), Atlanta, Georgia, (pp. 12-23). ACM Press.
Hu, Y.C., Perrig, A., & Johnson, D. (2003a). Packet leashes: A defense against wormhole attacks in wireless ad hoc networks. In Proceedings of the Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2003) (pp. 1976-1986). IEEE.
Hu, Y.C., Perrig, A., & Johnson, D. (2003b). Rushing attacks and defense in wireless ad hoc network routing protocols. In Proceedings of ACM WiSe 2003, San Diego, (pp. 30-40). ACM Press.
IEEE. (1999). Standard for wireless LAN-medium access control and physical layer specification, P802.11.
Jha, S., Tan, K., & Maxion, R. (2001). Markov chains, classifiers, and intrusion detection. In Proceedings of the 14th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, (pp. 206-219).
Johnson, D.B., Maltz, D.A., & Hu, Y. (2004). The dynamic source routing protocol for mobile ad hoc networks (DSR). INTERNET DRAFT, MANET working group. Retrieved November 17th, 2006, from http://www.ietf.org/internet-drafts/draft-ietf-manet-dsr-10.txt
Jones, A. (2000). Game theory: Mathematical models of conflict (pp. 210-236). Horwood Publishing.
Kachirski, O., & Guha, R. (2003). Effective intrusion detection using multiple sensors in wireless ad hoc networks. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS'03) (pp. 57.1-57.8). IEEE.
Kong, J., Zerfos, P., Luo, H., Lu, S., & Zhang, L. (2001). Providing robust and ubiquitous security support for mobile ad hoc networks. In Proceedings of the 9th International Conference on Network Protocols (ICNP) (pp. 251-260). ACM Press.
Konorski, J. (2001). Protection of fairness for multimedia traffic streams in a non-cooperative wireless LAN setting. Paper presented at PROMS (LNCS 2213, pp. 116-129). Springer.
Konorski, J. (2002). Multiple access in ad-hoc wireless LANs with noncooperative stations. Networking (LNCS 2345, pp. 1141-1146). Springer.
Kyasanur, P., & Vaidya, N.H. (2005). Selfish MAC layer misbehavior in wireless networks. IEEE Transactions on Mobile Computing, 4(5), 502-516.
Lu, B., & Pooch, U.W. (2005). A lightweight authentication protocol for mobile ad hoc networks. In Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), Las Vegas, (pp. 546-551). ACM Press.
Mackenzie, A.B., & Wicker, S.B. (2000). Game theory and the design of self-configuring, adaptive wireless networks. IEEE Communications Magazine, 39(11), 126-131.
Mackenzie, A.B., & Wicker, S.B. (2003). Stability of multipacket slotted aloha with selfish users and perfect information. In Proceedings of Infocom 2003, San Francisco, (pp. 1583-1590). IEEE.
Macker, J., & Chakeres, I. (2006). Mobile ad-hoc networks (MANET). Retrieved November 17th, 2006, from http://www.ietf.org/html.charters/manet-charter.html
Marti, S., Giuli, T., Lai, K., & Baker, M. (2000). Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of the 6th ACM International Conference on Mobile Computing and Networking (MobiHoc'05), Urbana Champaign, IL, (pp. 255-265). ACM Press.
Michiardi, P., & Molva, R. (2002a). CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. Paper presented at the Sixth IFIP Conference on Security Communications, and Multimedia (CMS 2002), Portoroz, Slovenia.
Michiardi, P., & Molva, R. (2002b). Game theoretic analysis of security in mobile ad hoc networks (Tech. Rep. RR-02-070). Institut Eurecom.
Mohan, M., & Joiner, L.L. (2004). Solving billing issues in ad hoc networks. In Proceedings of ACMSE '04, Huntsville, AL, (pp. 31-36). ACM Press.
Nash, J. (1950). The bargaining problem. Econometrica, 18, 155-162. The Econometric Society.
Papadimitratos, P., & Haas, Z.J. (2002). Secure routing for mobile ad hoc networks. Paper presented at the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio, TX.
Perkins, C.E. (Ed.). (2001). Ad hoc networks. Upper Saddle River, NJ: Addison-Wesley.
Perkins, C.E., Belding-Royer, E.M., & Das, S.R. (2003). Ad hoc on-demand distance vector (AODV) routing. Internet request for comments RFC 3561. Retrieved November 17th, 2006, from http://www.ietf.org/rfc/rfc3561.txt.
Perkins, C.E., & Bhagwat, P. (1994). Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers. Paper presented at the ACM Conference on Communications Architectures, Protocols and Applications (SIGCOMM '94), London, (pp. 234-244). ACM Press.
Perrig, A., Canetti, R., Song, D., & Tygar, D. (2001). Efficient and secure source authentication for multicast. In Proceedings of Network and Distributed System Security Symposium (NDSS'01), San Diego, CA, (pp. 35-46).
Perrig, A., Canetti, R., Tygar, D., & Song, D. (2000). Efficient authentication and signing of multicast streams over lossy channels. In Proceedings of IEEE Symposium on Security and Privacy, Berkeley, CA, (pp. 56-73). IEEE.
Perrig, A., Canetti, R., Tygar, D., & Song, D. (2002, Summer). The TESLA broadcast authentication protocol. RSA CryptoBytes, 5, 2-13.
Radosavac, S., Baras, J.S., & Koutsopoulos, I. (2005). A framework for MAC protocol misbehavior detection in wireless networks. Paper presented at the Wireless Security Workshop (WiSe '05), Cologne, Germany, (pp. 33-42).
Radosavac, S., Cardenas, A., Baras, J.S., & Moustakides, G. (2006). Detecting IEEE 802.11 MAC layer misbehavior in ad hoc networks: Robust strategies against individual and colluding attacker. Journal of Computer Security: Special Issue on Security of Ad Hoc and Sensor Networks 15 (2007), 103-128.
Raya, M., Hubaux, J.-P., & Aad, I. (2004). DOMINO: A system to detect greedy behavior in IEEE
802.11 hotspots. In Proceedings of the Second International Conference on Mobile Systems, Applications, and Services (MobiSys '04), Boston, MA, (pp. 84-97).
Rivest, R.L., Adleman, L., & Dertouzos, M.L. (1978). On data banks and privacy homomorphisms (pp. 169-179). Foundations of secure computation. Academic Press.
Salem, N.B., Buttyan, L., Hubaux, J.-P., & Jakobsson, M. (2003). A charging and rewarding scheme for packet forwarding in multi-hop cellular networks. In Proceedings of MobiHoc'03, Annapolis, MD, (pp. 13-24). ACM Press.
Sanzgiri, K., Dahill, B., Levine, B.N., Shields, C., & Royer, E.M. (2002). A secure routing protocol for ad hoc networks. In Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP'02), Paris, (pp. 78-87). IEEE.
Song, N., Qian, L., & Li, X. (2005). Wormhole attacks detection in wireless ad hoc networks: A statistical analysis approach. In Proceedings of 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), Denver, CO, (pp. 289-296).
Srinivasan, V., Nuggehalli, P., Chiasserini, C.F., & Rao, R.R. (2003). Cooperation in wireless ad hoc networks. In Proceedings of IEEE INFOCOM, San Francisco, (pp. 808-817).
Stajano, F., & Anderson, R.J. (1999). The resurrecting duckling: Security issues for ad-hoc wireless networks. In B. Christianson, B. Crispo, & M. Roe (Eds.), Security Protocols, 7th International Workshop Proceedings (LNCS, vol. 1796, pp. 172-194).
Sterne, D., Balasubramanyam, P., Carman, D., Wilson, B., Talpade, R., Ko, C., et al. (2005). A general cooperative intrusion detection architecture for MANETs. In Proceedings of the 3rd IEEE International Workshop on Information Assurance (IWIA '05), Oahu, HI, (pp. 57-70).
Sun, B., Wu, K., & Pooch, U.W. (2003). Alert aggregation in mobile ad hoc networks. In Proceedings of the 2003 ACM Workshop on Wireless Security (WiSe '03) in conjunction with the 9th Annual International Conference on Mobile Computing and Networking (MobiCom '03), San Diego, (pp. 69-78). ACM Press.
Venkatraman, L., & Agrawal, D. (2000). A novel authentication scheme for ad hoc networks. Paper presented at the IEEE Wireless Communications and Networking Conference (WCNC 2000), Chicago, IL, (Vol. 3, pp. 1268-1273). IEEE.
Weimerskirch, A., & Thonet, G. (2001). A distributed light-weight authentication model for ad-hoc networks. In Proceedings of 4th International Conference on Information Security and Cryptology (ICISC 2001), Seoul, Korea, (pp. 341-354). ACM Press.
Xu, W., Trappe, W., Zhang, Y., & Wood, T. (2005). The feasibility of launching and detecting jamming attacks in wireless networks. In Proceedings of the Sixth ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc '05), Urbana Champaign, IL, (pp. 48-57). ACM Press.
Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004). Security in mobile ad hoc networks: Challenges and solutions. IEEE Wireless Communications, 11(1), 38-47.
Zapata, M.G. (2006). Secure ad hoc on-demand distance vector (SAODV) routing. INTERNET DRAFT, MANET working group. Retrieved December 12th, 2006, from http://www.ietf.org/internet-drafts/draft-guerrero-manet-saodv-06.txt.
Zhang, Y., Lee, W., & Huang, Y. (2003). Intrusion detection techniques for mobile wireless networks. Wireless Networks Journal (ACM WINET), 9(5), 545-556. ACM/Kluwer Press.
Zhong, S., Chen, J., & Yang, Y.R. (2003). Sprite: A simple, cheat-proof, credit-based system for mobile ad-hoc networks. In Proceedings of IEEE Infocom, San Francisco, (pp. 1987-1997). IEEE.
Zhou, L., & Haas, Z. (1999). Securing ad hoc networks. IEEE Network, 13(6), 24-30.
Zhu, S., Xu, S., Setia, S., & Jajodia, S. (2003). LHAP: A lightweight hop-by-hop authentication
End-to-End Security Comparisons Between IEEE 802.16e and 3G Technologies
protection and MITM attack. This requires enabling encryption and utilizing PKM EAP messages for user authentication. To fix the previous problems, PKM messages should be bi-directional and EAP messages should use a four-way handshaking scheme
• Weakness in the X.509 certificates: X.509 certificate has the following issues:
  - Is restricted to certain business model and flexibility is a major issue.
  - Does not support user-based identity authentication, due to the fact that devices and services are greatly coupled, and
  - Trusting a certificate authority (CA) could become a source of a new attack.
• Poor IV construction: Initialization vectors (IVs) often use similar and repetitive structures. Through traffic pattern analysis, IVs can easily be known and broken. To remedy this, more complex IV structures with high key-bits (at least 128 bits) should be used.
• 802.16 key exchange issues: A 2-key 3DES based key wrap is currently the standard of the initial draft for TEK exchange, which is not as strong (82 bits) as the TEK keys (128 bits) it carries. There should be a mechanism to ensure that TEKs do not repeat for frequent exchange of TEKs. This could suffer from replay attacks, since there is no liveness in the key exchange protocol and it also suffers from MITM attacks. Adding EAP-TLS au-

additional security features for performance related issues (fast roaming, etc).
  - The current security models and solutions are not able to fully utilize the core network AAA infrastructures due to the very low PKI support.
  - A single X.509 credential has limitations. To overcome this, it's recommended to use a flexible protocol, such as EAP, which supports multiple user credentials.
  - A scalable security solution is required to be deployed into the existing architecture and infrastructure for 802.16e requirements.

E2E Security Architecture
Figure 10 conceptually displays a client-server-based (i.e., VoIP) E2E AAA on 802.16 networks offering portability and fully mobile operations. The architecture is built around the three-party protocol (PKM v2), as defined in 802.16e (Agis et al., 2004).
Figure 10 shows that the over-the-air security association (authentication and encryption) is established through the PKM-EAP protocol. This is a complete client/server architecture, where EAP carries the AAA backend connectivity using Radius or Diameter. EAP offers strong support for key-driven cipher mechanisms (i.e., EAP-MSCHAPv2 and EAP-AKA). It is also recommended to use an E2E tunneling protocol such as protected EAP
Figure 10. 802.16e E2E security framework
Pairwise Master Key (PMK): PMK is used in peer-to-peer communication schemes for sharing a master key that would last the entire session. This is mainly used for data encryption and integrity.
Privacy Key Management (PKM): PKM is a private key scheme used with EAP and TLS for providing E2E security schemes for wireless technologies.
Third and Fourth Generation (3G/4G): 3G/4G cellular networks are used in the context of mobile standards. The services associated with 3G are capable of transferring both voice and non-voice data simultaneously. Though not official yet, 4G will be fully IP-based, converging wired and wireless access technologies. It is expected to reach bandwidth within a few hundred megabits per second, offering E2E QoS (see endnote 1).
Transport Layer Security (TLS): TLS is used mostly in client/server applications, which require endpoint authentication and communications privacy, particularly over the Internet. This is mostly done using cryptographic measures.
Virtual Private Network (VPN): VPN is a communications tunnel that uses a pre-existing (and often unsecure, such as the Internet) network to connect a remote user to a corporate network. The information is tunneled, encapsulated, and encrypted when it passes through the unsecure network. Once the information reaches the destination, it is decapsulated and decrypted.
Worldwide Interoperability for Microwave Access (WiMAX): WiMAX has been defined by the WiMAX Forum, formed in 2001. WiMAX is also known as the IEEE 802.16 standard, officially titled WirelessMAN, and is an alternative to DSL (802.16d) and cellular access (802.16e).

Endnote
1 Kim, Y. K., & Prasad, R. 4G roadmap and emerging communication technologies. Artech House.
Chapter XXIV
Generic Application Security in
Current and Future Networks
Silke Holtmanns
Nokia Research Center, Finland
Pekka Laitinen
Nokia Research Center, Finland
Abstract
This chapter outlines how cellular authentication can be utilized for generic application security. It
describes the basic concept of the generic bootstrapping architecture (GBA) that was
3rd generation partnership project (3GPP) for current networks and outlines the latest developments
for future networks. The chapter will provide an overview of the latest technology trends in the area of
generic application security.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
any kind of service and obtain revenue. The availability and reliability requirements for mobile network nodes are very high.
• Scalability: Scalability of mobile network security solutions is a critical factor. Solutions are standardized on a global level, for example, for small local operators, as well as for large international operators. Hence, solutions have to work also for millions of people at the same time and it must be possible to extend them gradually depending on the growing subscriber base. Usage scenarios and scalability requirements, where a whole full soccer arena at once requests one service server and still the service should work and start on time, are not unusual.
• Convergence: For operators that run both fixed and mobile networks the issue of convergence gains importance, since it allows a more flexible re-use of the network backend servers and functions.
When the first mobile applications started after voice and SMS, the requirements for a more generic application security were not clear. This resulted in an approach that was fast to roll out, but less generic, as will be explained next.

Historic Approaches to Application Security
Application nodes in mobile networks in the past tended to have a monolithic security solution that is highly customized to the individual application. This has to do with the fact that operators like to buy their equipment from various vendors, and re-usage and extensions of existing infrastructure require standardized interfaces. This standardization takes quite some time, and backward compatibility and integration with the existing nodes is a big challenge. Another argument for having a customized security solution was that not that many new applications were expected to come at a fast pace. For application security the return on investment was also an important consideration. The system had first to attract some subscribers and be accepted, before an expensive security solution of higher quality is considered, that is, why spend a lot of money, if it will not be used. This subsection describes how application security is often managed today, how it was managed in the past, and what the problems related to it are:
• Voice: The terminal authenticates to the network utilizing a shared secret stored in the smart card and the operator’s subscriber database. For application security needs, the authentication vectors (AVs) are distributed to the corresponding nodes.
• Early IP multimedia subsystem security (IMS): The 3GPP early IMS security solution of Release 6 (3GPP, TR33.978, Release 6) uses IP address binding, that is, the IP address assigned by the gateway GPRS support node (GGSN) is used for subsequent user authentication to the IMS service.
• IMS: The IMS security is bound to the credentials of the IMS SIM (ISIM) application on the universal integrated circuit card (UICC) smart card and these credentials are used by the mobile terminal for authentication to the IMS network. This is outlined by 3GPP (TS 33.203, Release 6). The user authentication is delegated from the operator’s subscriber database towards the IMS network (i.e., the serving call-session-control-function [S-CSCF]).
The first mobile application was voice, and few people envisioned the further usage mobile networks would get; many were surprised by the popularity of SMS. 3GPP IMS with its wide range of service possibilities has security-wise two flavors: (1) IP address binding, which comes quite inexpensive to mobile operators, and (2) the full IMS security, which requires that the subscriber is equipped with a new smart card that contains an ISIM application on it. The early IMS security solution has its cost-wise advantages and allows a roll-out and provisioning of the service also to subscribers with “old” smart cards, but the usage of monolithic and application specific security solutions causes some problems. Additionally, the direct usage of AVs in applications causes some
[Figure: diagram with the entities HSS, NAF, and User Equipment (client); Ua: application protocol]
UE can authenticate with the network using cellular second generation (2G) or 3G-based authentication protocols. The intention is to reuse the authentication mechanism for the application communication security. Hence, we have a security module (see Figure 1) that communicates with the smart card and the so-called bootstrapping server function (BSF). Then there is the actual client application (NAF client) that communicates with the application server (NAF server) in the network, and uses the application specific keys.
The smart card. 3GPP Release 6 and Release 7 GBA assume the existence of a UICC. The UICC contains an ISIM and/or USIM application. If the operator wishes that the application is really closely bound with the smart card, then he/she can utilize the so-called GBA aware smart card (GBA_U), where the application specific key generation and part of the storage is performed in the UICC. GBA can also be used with SIM cards. This 2G GBA was introduced in Release 7 in the 3GPP technical report (3GPP TR 33.920, Release 7) due to the large market need to allow operators to utilize the existing smart card infrastructure without being forced to immediately hand out new smart cards to the user to use GBA-based services.
The network. The heart of the network is the operator's subscriber database, the HSS, or respectively the HLR with accompanying AuC. This huge database is used to store the subscriber data including the counterpart of the credentials (i.e., master key) stored in the smart card that is handed out to the user and resides in the mobile terminal. This database provides the basic key material (i.e., authentication vector) to the BSF that is under mobile network operator control. This server can be seen as a credential server. Once the user is properly authenticated the BSF generates the application specific keys which are handed out to the application server, that is, the NAF.
The GBA system entities need to interact with each other to provision the application in the terminal and the application server with a shared secret that can then be utilized for various security purposes:
• Bootstrapping interface (Ub): The mobile terminal contacts the BSF and authenticates via authentication and key agreement (AKA) and triggers the key generation in the BSF. This interface is called the Ub interface and is defined in the 3GPP technical specification (3GPP TS 24.109, Release 6).
• Credential fetching interface (Zh): The application specific credentials are based on the mobile credentials stored in the subscriber database HSS of the operator. Therefore the BSF needs to obtain the AV to be able to establish an authentication session between the mobile terminal and the BSF and derive
further application specific keys. Also, some operator policies in the form of GBA user security settings (GUSS) can be stored in the HSS and passed to the BSF over this interface. The GUSS can contain application specific USSs and additionally BSF-specific guidance information, like user-specific key lifetimes, and UICC type of the user. The credential interface is defined as Zh interface and specified in the 3GPP technical specification (3GPP TS 29.109, Release 6). This interface is operator internal and specified as being Diameter based (Calhoun, Loughney, Guttman, Zorn, & Arkko, 2003) by the Internet Engineering Task Force (IETF), but since many operators have highly customized HLR/HSS it can be expected that operator-specific adjustments will be made (but likely not standardized).
• Key distribution interface (Zn): The application server has a library or a “plug-in” that requests the application-specific credentials, credential-related data, and USS from the credential server (BSF). This key distribution interface is Diameter based in 3GPP Release 6 and called Zn interface. In Release 7, an alternative method was specified to support a Web services (WS)-based protocol, as this makes it easier for application developers to communicate with the credential server. Both implementations of the Zn interface are defined in the 3GPP technical specification (3GPP TS 29.109, Release 7).
• Application interface (Ua): The application-specific interface is called Ua interface and specified in (3GPP TS 24.109, 2006). The details of the actual protocol used in the Ua interface depend on the actual use case, for example, browsing, streaming, and so forth. The derived application-specific credentials will be used to secure the communication of this interface; how this is done is application specific and defined in the application-specific specifications, for example, the 3GPP multimedia broadcast/multicast service (MBMS) technical specification (3GPP TS 33.246, Release 6).
The actual application-specific key generation consists of the following basic steps:
1. The user wishes to use a service. The application server wishes to utilize GBA to secure the communication to the terminal. Hence, the terminal is requested to use GBA. This information (i.e., whether GBA needs to be used) can be pre-configured to the NAF client, or the application server may indicate over Ua interface that GBA should be used.
2. The NAF client triggers the security module in the terminal to bootstrap with the BSF utilizing AKA over the Ub bootstrapping interface.
3. The BSF then utilizes the Zh interface to fetch the needed data for the creation of the master session key. The BSF derives the master session key. Based on this master session key, NAF-specific application keys are derived when a specific NAF requests it over Zn interface later on. (Depending on the GBA type used, one or two application-specific keys are derived.)
4. The resulting master session key and transaction ID are stored in the BSF server. The security module in the terminal also derives the master session key by contacting the smart card. The master session key and the transaction ID are stored in the security module. Note that there are small differences between the different GBA types. Based on this master session key, NAF-specific application keys are derived. The application-specific key is handed out to the NAF client application in the terminal as response to the initial trigger made in step 2. The application-specific key is used to secure the communication with the application server.
5. The NAF client in the terminal sends the transaction identifier to the NAF server in the application server over Ua application interface. This transaction ID is needed, so that the NAF can contact the BSF and fetch the correct keys.
6. The NAF server in the application server contacts the BSF to obtain the application-specific session keys from the BSF using the transaction identifier over Zn key distribution interface.
7. The NAF server in the application server and the client in the terminal now share
Figure 2. HTTP based service request using GBA_ME (and GBA-unaware USIM)
[Message sequence diagrams; surviving labels: RAND, AUTN; Bootstrapping challenge (RAND, AUTN); RES; Bootstrapping response (RES used as password); NAF_ID, IMPI; Ks_ext_NAF; B-TID, Ks_ext_NAF, key lifetime; HTTP request that utilizes Ks_ext_NAF as outlined by application specification (e.g., MBMS, HTTPS, etc.); B-TID, NAF_ID, GBA_U_flag, [GSID*]; Secured Data; Communication secured with Ks_int_NAF]
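The key generation steps and the HTTP request of Figure 2 can be followed end to end in a small simulation. This is an added Python example, not code from the chapter or from 3GPP: the HMAC-SHA-256 derivation, the B-TID format, the Digest-style response, the use of the NAF identifier as realm and all names and values are assumptions that stand in for the normative procedures in the specifications the chapter cites. AKA itself is not modelled; `ks` stands for the master session key it produces.

```python
import base64
import hashlib
import hmac


def kdf(ks: bytes, *params: bytes) -> bytes:
    """Stand-in KDF (assumption): HMAC-SHA-256 keyed with the master key Ks
    over length-suffixed parameters, so two parameter lists cannot collide."""
    s = b"".join(p + len(p).to_bytes(2, "big") for p in params)
    return hmac.new(ks, s, hashlib.sha256).digest()


def naf_key(ks: bytes, rand: bytes, impi: str, naf_id: str) -> bytes:
    """NAF-specific key, bound to the session (RAND), the user (IMPI) and one NAF."""
    return kdf(ks, b"gba-me", rand, impi.encode(), naf_id.encode())


def digest_response(username, realm, password, nonce, method, uri) -> str:
    """Digest-style response (RFC 2617 layout without qop, SHA-256 instead of MD5)."""
    h = lambda s: hashlib.sha256(s.encode()).hexdigest()
    ha1 = h(f"{username}:{realm}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{nonce}:{ha2}")


class BSF:
    """Bootstrapping server: stores the master session key under the B-TID."""

    def __init__(self, domain: str, lifetime_s: int):
        self.domain, self.lifetime_s, self.sessions = domain, lifetime_s, {}

    def bootstrap(self, impi: str, ks: bytes, rand: bytes, now: float) -> str:
        # Steps 2-4: after AKA succeeds, Ks is filed under a transaction ID.
        btid = f"{base64.b64encode(rand).decode()}@{self.domain}"
        self.sessions[btid] = (ks, rand, impi, now + self.lifetime_s)
        return btid

    def zn_fetch(self, btid: str, naf_id: str, now: float):
        # Step 6: a NAF presents the B-TID and gets only its own key, never Ks.
        if btid not in self.sessions:
            raise LookupError("unknown B-TID")
        ks, rand, impi, expiry = self.sessions[btid]
        if now >= expiry:
            del self.sessions[btid]
            raise LookupError("key lifetime expired, terminal must bootstrap again")
        return naf_key(ks, rand, impi, naf_id), expiry


class NAF:
    """Application server side: validates a request with the key from the BSF."""

    def __init__(self, naf_id: str, bsf: BSF):
        self.naf_id, self.bsf = naf_id, bsf

    def verify(self, btid, nonce, method, uri, response, now) -> bool:
        try:
            key, _ = self.bsf.zn_fetch(btid, self.naf_id, now)
        except LookupError:
            return False
        password = base64.b64encode(key).decode()
        expected = digest_response(btid, self.naf_id, password, nonce, method, uri)
        return hmac.compare_digest(expected, response)


def terminal_request(ks, rand, impi, btid, naf_id, nonce, method, uri) -> str:
    """Steps 4-5 on the terminal: derive the same key locally, then answer the
    challenge with username = B-TID and password = NAF-specific key."""
    password = base64.b64encode(naf_key(ks, rand, impi, naf_id)).decode()
    return digest_response(btid, naf_id, password, nonce, method, uri)


def run_demo() -> dict:
    # Constructed sample values; none come from the chapter or a real network.
    ks, rand = bytes(range(32)), bytes(range(100, 116))
    impi = "user1@operator.example"
    bsf = BSF("bsf.operator.example", lifetime_s=3600)
    btid = bsf.bootstrap(impi, ks, rand, now=0)
    news = NAF("news.operator.example", bsf)
    bank = NAF("bank.operator.example", bsf)
    nonce = "constructed-nonce-1"
    resp = terminal_request(ks, rand, impi, btid, news.naf_id, nonce, "GET", "/feed")
    bad = terminal_request(bytes(32), rand, impi, btid, news.naf_id, nonce, "GET", "/feed")
    return {
        "accepted": news.verify(btid, nonce, "GET", "/feed", resp, now=10),
        # A response computed for one NAF is useless at another: keys are per NAF.
        "replayed_at_other_naf": bank.verify(btid, nonce, "GET", "/feed", resp, now=10),
        "wrong_master_key": news.verify(btid, nonce, "GET", "/feed", bad, now=10),
        "after_lifetime": news.verify(btid, nonce, "GET", "/feed", resp, now=3600),
        "keys_differ": naf_key(ks, rand, impi, news.naf_id)
        != naf_key(ks, rand, impi, bank.naf_id),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The master session key never leaves the BSF or the terminal; each application server only ever sees the key derived for its own identifier, and an expired key lifetime forces a fresh bootstrap.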
the OMA broadcast (BCAST) smart card profile.
• 2G GBA: The 2G GBA or legacy GBA is a recent 3GPP GBA feature and defined in the technical report (3GPP TR 33.920, 2006) as an early implementation feature for Release 7. It outlines the usage of the SIM card for GBA. It should be noted that it does not describe the usage of legacy network nodes with GBA. The large deployment range of SIM cards created the need for a GBA credential generation solution that is based on legacy SIM cards and does not require immediate handing out of new UICC smart cards to the users. To obtain a security level similar to GBA_ME, the BSF node in the network is authenticated via a transport layer security (TLS) tunnel. The key derivation differs slightly, but the key usage is similar to GBA_ME. Figure 4 outlines the message flow for 2G GBA.
The notation for the Figures 2, 3, and 4 is that the * denotes an optional element.
In all, these three bootstrapping types have in common the basic steps outlined previously, and only the key generation and storage varies slightly. For the application server the usage of GBA_ME and 2G GBA is transparent. The convergence of fixed and mobile networks is, at the time of this writing, raising new GBA variants that will be discussed later in this chapter under Future Trends.
The specification family related to GBA has grown substantially due to new application requirements, further use cases, and new security enablers that were added. This will be outlined in the next section. The GBA can also be utilized to provision a user with a subscriber certificate and also trusted root certificate provisioning in public key infrastructure (PKI) systems. These are outlined in the 3GPP technical specification (3GPP TS 33.221, Release 6).
The term GBA refers typically to the core of GBA, where a master key is established between the mobile terminal (UE), and the network (BSF). Generic authentication architecture (GAA) on the other hand refers typically to the actual usage of the service specific keys that have been derived
[Message flow diagram; surviving labels: RAND; Bootstrapping challenge (RAND, AUTN); Kc, RES; Bootstrapping response (RES used as password)]
Figure 5. Generic authentication/bootstrapping architecture
[Diagram labels: GBA, GAA, HSS, User Equipment (UE), Client, NAF, Ua: Application Protocol]
from the master key. Thus, GBA refers to the core functionality and GAA to the actual usage of GBA in use cases, as depicted in Figure 5, but often it is not necessary to differentiate strictly.
GAA and GBA are not only evolving in 3GPP, but also in the American counterpart standardization organization, the 3GPP2 (http://www.3gpp2.org/). 3GPP2 utilizes the removable user identity module (R-UIM) as a security baseline for their dialect of GBA. 3GPP2 GBA supports the 3GPP2 legacy algorithms: the Cellular Authentication and Voice Encryption (CAVE) algorithm, which is used in the American CDMA1x standard, and the challenge handshake authentication protocol (CHAP), which is used in American code division multiple access (CDMA) 1xEvDo (evolution data only), but also AKA for the user authentication. For further details on 3GPP2 GBA, please consult the relevant specification (3GPP2 TS S.S0109-0, 2006).
Application Security Based on the Generic Bootstrapping Architecture
In the beginning, GBA was developed to securely provide the user with subscriber certificates, where the initial registration of the user to the public key infrastructure (PKI) system is authenticated using cellular authentication. The function to provide an application-specific shared secret based on the mobile credentials to a terminal and a network node evolved to a generic enabler for many use cases and services. In this context, terminal refers to a 3GPP or 3GPP2 mobile phone.
GBA is not only used for a large range of applications that reside in a mobile network, but also for fixed broadband access security and their access devices (e.g., PC or laptop). The work on GBA for the next 3GPP Release 8 and the integration of GBA into future networks B3G will be discussed in the next section. In this section we outline the different existing applications that use GBA as a security enabler. We will not go into the details of each application, but focus on the usage of GBA.
Mobile Networks Applications Using GBA
GBA was initiated by 3GPP; hence the first applications that utilize GBA were also from 3GPP in their Release 6 and 7. The first service to mandate the usage of GBA is the 3GPP mobile broadcast/multicast service (MBMS) (3GPP TS 33.246, Release 6). The broadcast scenario poses some very special requirements on a key derivation and management system, that is, a content provider specific key that can be linked to a mobile user identity stored on the smart card, protection of the content protection keys (key confidentiality during transport), and the baseline security key should not be transported over the air. This resulted in the fact that MBMS has a quite sophisticated four-layer key hierarchy, where the user-specific keys are established using GBA.
Another use case is general authenticated Web browsing. A user browses to a Web page that needs authentication. This is a quite common occurrence in the Internet and there a user typically then has to provide a username/password combination. Inserting a password on a mobile key pad is not very user friendly and would likely result in non-secure passwords, that is, without special characters, very short, no upper/lower case combinations. Many security solutions ignore the usability aspect and try to force the user, which usually results in more or less expensive password recovery systems. In the mobile environment, with a small key pad, inserting long, secure passwords with special characters is not user friendly. The integration of an automatic scheme that automatically provides an application-specific username/password pair to the browser request is therefore desirable for the mobile environment. From a user perspective, the authentication would either be seamless (i.e., the user does not even notice that this is ongoing) or it would be very similar to the user experience where the password is stored by the browser. The technical side of the procedure runs as follows:
1. User contacts a service that requires HTTP digest authentication.
2. The service triggers the terminal to generate an application-specific shared secret. This is then established using GBA without further user interaction.
3. The transaction ID is put into the username field and the shared application-specific secret is put into the password field.
4. The data is validated and the user can access the service.
The details of this procedure can be found in the 3GPP specifications (3GPP TS 33.220, Release 6) and (3GPP TS 33.222, Release 6).
Web sites that request confidential data are often secured using TLS 1.0 or Secure Socket Layer (SSL) 3.0, which can be considered equivalent. GBA was integrated into the usage of TLS between a mobile terminal and an application server in 3GPP Release 6 (3GPP TS 33.222, Release 6). At the end of 2005 the Internet Engineering Task Force specified the usage of Pre-Shared Key TLS in the IETF (RFC 4279) (Eronen & Tschofenig, 2005). 3GPP integrated the PSK TLS, since pre-shared key computations are very suitable for low capability devices like mobile phones (3GPP TS 33.222, Release 6). It should also be noted that PSK TLS can also be used with IETF Datagram TLS (Rescorla & Modadugu, 2006).
A user may access a service directly or through an authentication proxy (AP) that takes care of the authentication-related tasks on behalf of the actual application server. If an operator offers many services, then he/she may wish to deploy such an authentication proxy to centralize the user authentication task in one node. An AP is an HTTP reverse proxy which takes the role of the GBA NAF node (the application server) for the terminal. The AP handles the TLS security relation with the terminal and is the TLS end point. GBA is used to ensure for the application server that the service request is coming from an authorized user. The AP has the Zn interface towards the BSF and the Ua interface towards the terminal. When an HTTPS request is sent from the terminal to the application server that resides behind an AP, then the AP terminates the TLS tunnel and performs the terminal authentication. The AP proxies the HTTP requests received from UE to one or many application servers, depending on the request. The AP may add an assertion of identity of the subscriber for use by the application server, when the AP forwards the request from the terminal to the application server.
Operators can also utilize GBA for device management. For this use case, a device management server takes the role of a NAF and establishes an HTTPS tunnel to the UICC as outlined in the 3GPP technical report (3GPP TR 33.918, Release 7). Through this secure tunnel the device management information is then sent.
The European Telecommunications Standards Institute (ETSI) has a Smart Card Platform Group that has defined some use cases, like mobile banking and digital rights management (DRM), which require the existence of a secure channel between the terminal and the UICC smart card. They asked 3GPP to define the key management for this functionality. This was done based on GBA in the 3GPP technical specification (3GPP TS 33.110, Release 7) and is expected to be part of 3GPP Release 7. It remains to be seen which of the use cases defined by the smart card group will be implemented.
Network Agnostic Usage of GBA
GBA is also used outside of the classical mobile environment of 3GPP. The OMA defines bearer agnostic functionalities and services. Since authentication is in most cases bound to the bearer, some specifications integrate the authentication of the underlying bearer and provide additional functionality for the case that another access type is used. GBA is used by the following OMA applications:
• OMA broadcast smart card profile (BCAST) (2007) defines the usage of a smart card profile for content protection using a four-layer key hierarchy based on GBA (similar to MBMS key hierarchy).
• In OMA presence and availability working Group (PAG) (2006) the content server relies on external authentication and authorization done for the presence sources that may reside
on the mobile terminal, and watcher nodes. For this authentication and authorization GBA as defined in 3GPP technical specification (3GPP TS 33.222, Release 6) can be used for that purpose, acting as an AP.
• OMA secure user plane location (SUPL) (2006) defines the usage of how the terminal can acquire the location of itself from the network, and this messaging between the terminal and the network can be optionally protected by GBA.
• OMA XML document management (XDM) and OMA aggregation proxy were specified by the OMA presence and availability working group (PAG) (2006). These specifications define mechanisms how terminals can manage XML documents in the network servers. The authentication can be optionally based on GBA, and the authenticating node in the network can be either the XDM server itself, or it can be centralized using aggregation proxy, where all traffic to XDM servers is routed through the proxy.
• OMA common security functions (CSF) (OMA Security Working Group, 2005) defines a generic GBA Profile (GBA Profile) that acts as an enabler and that other OMA applications and enablers can use when they are defining the usage of GBA in them.
Another important standardization body where GBA fits in is the Liberty Alliance Project. The Liberty Alliance Project enables identity federation (alias single sign-on) and Web service security. It is a non-mobile centric consortium that uses the provided user authentication, but does not specify the actual means of authentication and its context. This is left to the standardization bodies, which define the actual authentication method. 3GPP integrated their GBA to be used seamlessly with the Liberty Alliance Project Identity Federation Framework and the Web Service Framework. The details of this interworking are specified in 3GPP technical report (3GPP TR 33.980, Release 6).
These are only some examples of the possible usage of GBA outside of 3GPP, many non-standardized use cases are also enablers. GBA could be utilized for enterprise access or other use cases where a shared secret between a terminal and a network server is needed.
Fixed—Mobile Convergence and GBA
The term converging networks has become a key phrase in latest network evolution work. The trend to merge mobile and fixed network backend systems is caused by several factors:
• Fewer and larger operators: There is a general consolidation trend in the industry, which results in large, often international, operators. These operators often have a fixed network and a mobile network. For them it is important that they can use one backend to serve both access types.
• New players: The boundaries between technologies are vanishing, as voice over IP shows us. These new players appear and want to utilize the existing technology, but on the other hand want to preserve the investments into infrastructure. Especially for fixed networks the investments are substantial. Multi-network devices are no longer future, but commercially available. This results in extensions to the existing “pure” mobile specific standards to integrate the new requirements and network types.
• Seamless services: The general mobility trend creates high user expectations: when something works with a fixed network, then it is also expected that it works seamlessly in a mobile environment. This can only be provided with a unified backend service system.
The fixed mobile convergence is focused around the IP multimedia subsystem (IMS), but GBA as a general security enabler for applications moved quickly into the scene. The most prominent drivers of mobile and fixed convergence outside of 3GPP are TISPAN and CableLabs.
The telecoms & Internet converged services & protocols for advanced networks (TISPAN) is a standardization body of the ETSI (n.d.). TISPAN focuses on fixed networks and migration from
can be expected with the progress of the work. On a high level, the basic trust relationship between the Mobile IP communication partners defines the needed security associations independently of the actual protocol version used.
There is the trust relationship between the terminal and the 3GPP authentication, authorization and accounting (AAA) server that resides in the user’s home network and is in charge of the user authentication (e.g., using AKA) and authorization. This trust relationship is founded on the user’s subscription to his/her home network and secured via a shared secret that can be assumed to be long-lived. The mobile IP authentication is independent of the access authentication, which is analogous to the case where a user uses a service and requires authentication there. Hence, GBA could be used for mobile IP key provisioning.
The second trust relationship is between the 3GPP Mobile IP (MIP) HA and the user’s terminal, so that the HA can act on behalf of the terminal for the tasks related to mobility. The relationship between these two entities is established dynamically (in the sense that there is no pre-provisioned shared secret) so the integrity of the MIP signaling can be ensured and depends on the actual mobile IP version used, that is, Mobile IP4 or Mobile IP6 (or DS-MIPv6). 3GPP has at the point of writing only made the decision for Mobile IP4. The decisions if MIPv6 or DS-MIPv6 will be used are not yet taken in 3GPP (status December 2006).
The third trust relationship is between the 3GPP MIP HA and the 3GPP AAA server. The trust between those nodes is high, since they are part of the same network for non-roaming case. For non-roaming cases there exist interoperator security protocols, like network domain security (NDS)/IP security or IPsec. This trust relationship does not require GBA, since there is no user involvement.
Conclusion
The GBA allows secure provisioning of a shared secret to a mobile terminal and an application server based on cellular authentication. This shared secret can then be used for many purposes, like username/password authentication, certificate enrollment, DRM, and so forth. GBA was originally designed by the 3GPP, but has recently been taken up for long term evolution networks, fixed broadband access, and cable networks.
Acknowledgment
Part of this work has been performed in the framework of the IST project System Engineering for Security and Dependability SERENITY and the Service Platform for Innovative Communication Environment (SPICE) project. The authors would like to acknowledge the contributions and review of their colleagues from Nokia Corporation.
References
3rd Generation Partnership Project 2 (3GPP2) TS S.S0109-0. (2006). Generic bootstrapping architecture (GBA) framework, version 1.0. Retrieved from http://www.3gpp2.org/Public_html/specs/S.S0109-0_v1.0_060331.pdf
3rd Generation Partnership Project (3GPP) Work Item Description S3-060764. (2006, November). IMS enhancements for security requirements in support of cable deployments. Retrieved from http://www.3gpp.org/ftp/tsg_sa/WG3_Security/TSGS3_45_Ashburn/Docs/
3rd Generation Partnership Project (3GPP) TS 24.109. (Release 6). Bootstrapping interface (Ub) and network application function interface (Ua); Protocol details. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/24109.htm
3rd Generation Partnership Project (3GPP) TS 29.109. (Release 6). Generic authentication architecture (GAA); Zh and Zn interfaces based on the Diameter protocol; Stage 3. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/29109.htm
3rd Generation Partnership Project (3GPP) TS 33.110. (Release 8). Key establishment between
UICC and a terminal. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33110.htm
3rd Generation Partnership Project (3GPP) TS 33.203. (Release 7). 3G security; Access security for IP-based services. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33203.htm
3rd Generation Partnership Project (3GPP) TS 33.220. (Release 6). Generic authentication architecture (GAA); Generic bootstrapping architecture. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33220.htm
3rd Generation Partnership Project (3GPP) TS 33.221. (Release 6). Generic authentication architecture (GAA); Support for subscriber certificates. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33221.htm
3rd Generation Partnership Project (3GPP) TS 33.222. (Release 6). Generic authentication architecture (GAA); Access to network application functions using hypertext transfer protocol over transport layer security (HTTPS). Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33222.htm
3rd Generation Partnership Project (3GPP) TS 33.223. (Release 8). Generic authentication architecture (GAA); Generic bootstrapping architecture (GBA) push function. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33223.htm
3rd Generation Partnership Project (3GPP) TS 33.246. (Release 6). 3G security, security of multimedia broadcast/multicast service (MBMS). Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33246.htm
3rd Generation Partnership Project (3GPP) TR 33.918. (Release 7). Generic authentication architecture (GAA); Early implementation of hypertext transfer protocol over transport layer security (HTTPS) connection between a universal integrated circuit card (UICC) and a network application function (NAF). Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33918.htm
3rd Generation Partnership Project (3GPP) TR 33.920. (Release 7). SIM card based generic bootstrapping architecture (GBA); Early implementation feature. Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33920.htm
3rd Generation Partnership Project (3GPP) TR 33.978. (Release 6). Security aspects of early IP multimedia subsystems (IMS), version .065 Retrieved from http://www.3gpp.org/ftp/Specs/html-info/33978.htm
Calhoun, P., Loughney, J., Guttman, E., Zorn, G., & Arkko, J. (2003). Diameter base protocol (RFC 3588). Retrieved from http://www.ietf.org/rfc/rfc3588.txt
Eronen, P., & Tschofenig, H. (Eds). (2005). Pre-shared key ciphersuites for transport layer security (TLS) (RFC 4279). Retrieved from http://www.ietf.org/rfc/rfc4279.txt
European Telecommunications Standards Institute (ETSI). Telecoms & Internet converged services & protocols for advanced networks (TISPAN). Retrieved from http://www.etsi.org/tispan
European Telecommunications Standards Institute (ETSI) TS 187 003. (2006). Telecoms & Internet converged services & protocols for advanced networks (TISPAN). NGN security—Security architecture, version 1.1.1. Retrieved from http://www.etsi.org/tispan
Gerstenberger, V., Lahaije, P., & Schuba, M. (2004). Internet ID—Flexible re-use of mobile phone authentication security for service access. In Proceedings of the 9th (NordSec), Helsinki, Finland (pp. 58-64).
Open Mobile Alliance (OMA) BCAST Working Group. (2006). Broadcast service and content protection for mobile broadcast services, version 1.0. Retrieved from http://www.openmobilealliance.org/
Open Mobile Alliance (OMA) Location Working Group. (2006). Secure user plane location architecture (SUPL), version 3.0. Retrieved from http://www.openmobilealliance.org/
Open Mobile Alliance (OMA) Presence and Availability Working Group (PAG). (2006). Presence SIMPLE architecture, version 2.0. Retrieved from http://www.openmobilealliance.org/
Open Mobile Alliance (OMA) Presence and Availability Working Group (PAG). (2006). XML document management architecture (XDM), version 1.0. Retrieved from http://www.openmobilealliance.org/
Open Mobile Alliance (OMA) Security Working Group. (2005). OMA GBA profile, version 1.0. Retrieved from http://www.openmobilealliance.org/
Rescorla, E., & Modadugu, N. (2006). Datagram transport layer security (RFC 4347). Retrieved from http://www.ietf.org/rfc/rfc4347.txt
Key Terms
Application Security: Application security encompasses a large range of measures taken to prevent incidents with respect to the security policy of an application or the underlying framework. Application security is realized through design and deployment of the application.
Authentication And Key Agreement (AKA): AKA is a mechanism where a mobile device and mobile network operator authenticate and distribute shared key(s) to be used between them. This process is based on a long-term shared secret that is in the mobile terminal (namely in UICC, e.g., SIM card), and mobile network operators databases (e.g., Home Location Register [HLR]). GBA is based on this process.
Authentication: Authentication is the attempt to verify the digital identity of the sender of an authentication request.
Cellular Authentication: Cellular authentication is the authentication process that is used when a mobile phone is attached to a network (e.g., GSM or UMTS network). This authentication is based on a smart card that is inserted in the mobile phone.
Generic Authentication Architecture (GAA): GAA is an architecture that is built on top of GBA that utilizes the shared secret to gain access to service.
Generic Bootstrapping Architecture (GBA): GBA is an architecture where cellular authentication is used to bootstrap a shared secret between a mobile phone and a network node.
Mobile Application: Mobile application is an application that resides on a server and can be accessed or consumed by a mobile device. The application may require a dedicated software element in the mobile terminal (e.g., for mobile TV).
Second Generation Generic Bootstrapping Architecture (2G GBA): 2G GBA describes the usage of the GBA with legacy SIM smart cards. It does not contain the integration of legacy network nodes.
Universal Integrated Circuit Card (UICC): UICC is the smart card (e.g., SIM card) used in mobile terminals in GSM and UMTS networks.
Chapter XXV
Authentication,
Authorization, and Accounting
(AAA) Framework in Network
Mobility (NEMO) Environments
Sangheon Pack
Korea University, South Korea
Sungmin Baek
Seoul National University, South Korea
Taekyoung Kwon
Seoul National University, South Korea
Yanghee Choi
Seoul National University, South Korea
Abstract
Network mobility (NEMO) enables seamless and ubiquitous Internet access while on-board vehicles. Even though the Internet Engineering Task Force (IETF) has standardized the NEMO basic support protocol as a network layer mobility solution, few studies have been conducted in the area of the authentication, authorization, and accounting (AAA) framework that is a key technology for successful deployment. In this article, we first review the existing AAA protocols and analyze their suitability
environments. After that, we propose a localized AAA framework to retain the mobility transparency as the NEMO basic support protocol and to reduce the signaling cost incurred in the AAA procedures. The proposed AAA framework supports mutual authentication and prevents various threats such as replay attack, man-in-the-middle attack, and key exposure. Performance analysis on the AAA signaling cost is carried out. Numerical results demonstrate that the proposed AAA framework is efficient
NEMO environments.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
Figure 1. Mobile IPv6 AAA architecture
[Diagram labels: HA, AAAh, Internet (IPv6), home network, AAAv, AR, foreign link 1, foreign link 2, foreign network, mobile node]
1999), which is globally unique. An MN and its AAAh have a long-term key, and communication between the AAAv and AAAh is secure.
The message flow in the Diameter extension for Mobile IPv6 is illustrated in Figure 2. When entering a new network or at power up, an MN listens to an AR’s router advertisement (RA) message which has a local challenge and a visited network identifier. Then, the MN sends an authentication request (AReq) message to the AAA client (i.e., AR) based on the security key shared with its AAAh. When the AAA client receives the AReq message, it creates an AA-Registration-Request Command (ARR) message and sends it to the AAAv. Then, the AAAv relays it to the AAAh of the MN. When receiving the ARR message from the AAAv, the AAAh authenticates the MN by means of the NAI and sends a Home-Agent-MIPv6-Request Command (HOR) message to the MN’s HA. Upon receipt of the HOR message, the HA creates a key to establish a security association (SA) with the MN, and replies with a Home-Agent-MIPv6-Answer Command (HOA) message to the AAAh. Then, the AAAh constructs the AA-Registration-Answer Command (ARA) message that has an authentication result and sends it to the AAAv. When receiving the ARA message from the AAAh, the AAAv stores the authentication result locally and then forwards the message to the AAA client. The AAA client converts the ARA message into the authentication reply (ARep) message, in order to inform the MN of the authentication result from the AAAh and deliver the established key (for the SA) to the MN.
Figure 2. Message flow in the AAA protocol for Mobile IPv6
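The message flow described above can be traced hop by hop in a short simulation, including what happens to a resent AReq and to one built with the wrong long-term key. This is an added Python example, not code from the chapter or from the Diameter specifications: the HMAC-SHA-256 authenticator, the message fields, the one-use check on the local challenge at the AR and all identities and keys are assumptions, and protection of the SA key on the last hop to the MN is not modelled.

```python
import hashlib
import hmac
import os


def authenticator(long_term_key, nai, local_challenge, visited_id):
    """MN's proof that it holds the key shared with its AAAh (assumed: HMAC-SHA-256)."""
    msg = "|".join([nai, local_challenge.hex(), visited_id]).encode()
    return hmac.new(long_term_key, msg, hashlib.sha256).digest()


class HomeAgent:
    def __init__(self):
        self.sa_keys = {}                       # NAI -> key for the SA with that MN

    def handle_hor(self, nai):
        self.sa_keys[nai] = os.urandom(16)      # the HA creates the SA key
        return self.sa_keys[nai]                # carried back in the HOA


class AAAh:
    def __init__(self, subscribers, ha):
        self.subscribers, self.ha = subscribers, ha    # NAI -> long-term key

    def handle_arr(self, arr, trace):
        key = self.subscribers.get(arr["nai"])
        ok = key is not None and hmac.compare_digest(
            authenticator(key, arr["nai"], arr["lc"], arr["visited_id"]), arr["auth"])
        sa_key = None
        if ok:                                  # the HA is only involved on success
            trace.append("HOR AAAh->HA")
            sa_key = self.ha.handle_hor(arr["nai"])
            trace.append("HOA HA->AAAh")
        trace.append("ARA AAAh->AAAv")
        return {"nai": arr["nai"], "ok": ok, "sa_key": sa_key}


class AAAv:
    def __init__(self, aaah):
        self.aaah, self.results = aaah, {}

    def relay(self, arr, trace):
        trace.append("ARR AAAv->AAAh")
        ara = self.aaah.handle_arr(arr, trace)
        self.results[ara["nai"]] = ara["ok"]    # result stored locally
        trace.append("ARA AAAv->AR")
        return ara


class AccessRouter:
    """AAA client: advertises local challenges and turns an AReq into an ARR."""

    def __init__(self, visited_id, aaav):
        self.visited_id, self.aaav, self.outstanding = visited_id, aaav, set()

    def router_advertisement(self, trace):
        lc = os.urandom(16)
        self.outstanding.add(lc)
        trace.append("RA AR->MN")
        return {"lc": lc, "visited_id": self.visited_id}

    def handle_areq(self, areq, trace):
        trace.append("AReq MN->AR")
        if areq["lc"] not in self.outstanding:  # unknown or already used challenge
            trace.append("ARep(reject: stale challenge) AR->MN")
            return {"ok": False, "sa_key": None}
        self.outstanding.discard(areq["lc"])    # each challenge is accepted once
        trace.append("ARR AR->AAAv")
        ara = self.aaav.relay(dict(areq, visited_id=self.visited_id), trace)
        trace.append("ARep AR->MN")
        return {"ok": ara["ok"], "sa_key": ara["sa_key"]}


def build_areq(nai, key, ra):
    return {"nai": nai, "lc": ra["lc"],
            "auth": authenticator(key, nai, ra["lc"], ra["visited_id"])}


def run_flow():
    # Constructed identities and keys, for illustration only.
    nai, key = "mn1@home.example", b"K" * 32
    ha = HomeAgent()
    ar = AccessRouter("visited.example", AAAv(AAAh({nai: key}, ha)))
    trace, replay_trace, forged_trace = [], [], []
    areq = build_areq(nai, key, ar.router_advertisement(trace))
    first = ar.handle_areq(areq, trace)
    replay = ar.handle_areq(areq, replay_trace)          # same AReq sent again
    forged = ar.handle_areq(
        build_areq(nai, b"X" * 32, ar.router_advertisement(forged_trace)), forged_trace)
    return {"first_ok": first["ok"], "key_matches_ha": first["sa_key"] == ha.sa_keys[nai],
            "trace": trace, "replay_ok": replay["ok"], "replay_trace": replay_trace,
            "forged_ok": forged["ok"], "forged_reached_ha": "HOR AAAh->HA" in forged_trace}


if __name__ == "__main__":
    for name, value in run_flow().items():
        print(f"{name}: {value}")
```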
Localized AAA Framework in NEMO Environments
System Architecture
In this section, the AAA architecture in NEMO environments is introduced with basic assumptions and concepts (e.g., SA and challenge/response authentication). Figure 3 illustrates the reference AAA architecture in NEMO environments based on the Diameter protocol.
The AAA architecture consists of multiple autonomous wireless networks, each of which is called a domain. Each domain has an AAAH server and/or an AAAL server in order to authenticate any node in a Diameter-compliant manner. The AAAH server of the MR has the profile of the MR and it shares a long-term key with the MR. Likewise, the AAAH server of the VMN shares a long-term key with the VMN. The AAAL server is in charge of an AAA procedure for a visiting MONET (i.e., VMNs and MRs). The trust relationship between the MR’s AAAH server and the AAAL server in the visited network is maintained through the Diameter protocol.
When the MONET changes its point of attachment, the MR needs to be authenticated and authorized before it accesses a new domain in the same foreign network (i.e., intra-domain handoff) or a new foreign network (i.e., inter-domain handoff). To accomplish this, the MR and AR authenticate each other through a mutual authentication procedure that involves both the AAAH server of the MR and the AAAL server of the AR. An attendant (which is the same as an AAA client) is an entity that triggers authentication procedures to the AAA system. In Mobile IPv6 networks, ARs normally act as the attendants for an MN. In the proposed AAA protocol, the AR serves as an attendant for the MR’s authentication, whereas the MR serves as an attendant for VMN’s authentication. In the latter case, the MR broadcasts attendant advertisement messages and receives authentication request messages from VMNs within a MONET. In other words, an attendant (an AR or MR) requests the AAAL server to authenticate the MONET (the MR or VMN). When the AAAL server receives the authentication request, it verifies the identity of the MONET by cooperating with an AAAH server. In terms of SAs, we assume that the MR’s AAAH server and the VMN’s AAAH server have
HA HA home link of Mr
home link of vMn
AAAHvMn AAAHMr
Internet (IPv6)
AAAl
Ar
foreign link 3
Ar
foreign link 1
Ar
Ar foreign link 4
foreign link 2
Mr
nEMo
Mnn Mnn
: movement of MonEt
Authentication, Authorization, and Accounting Framework in Network Mobility Environments
a pre-established SA. In addition, it is assumed that for dynamic keys K LOCAL and K HOME, and their sizes
the MR and LFNs have already authenticated each are 32 bytes. Note that a dynamic key is used to
other by a mechanism, which is beyond scope of establish a dynamic SA while a long-term key is
this chapter. to establish a long-term SA. Other notations will
Notations used in this chapter are summarized be elaborated later.
in Table 1. A local challenge (LC) is a random IntheproposedAAAprotocol,wedefinetwo
number for authentication procedures. An MR or Internet Control Message Protocol (ICMP) mes-
VMNencryptstheLCusingapre-definedSAwith sages (Conta & Deering, 1998), Attendant Solicit
its AAAH server. The encrypted value is called a and Attendant Advertisement messages, which are
credential (CR), which is used to authenticate an similar to Router Solicit and Router Advertisement
MRthatcreatesit.MRsandVMNsareidentified messages, respectively. In these messages, we
by their NAIs and a replay protection indicator introduce a new Attendant advertisement option
(RPI), which is used to protect from a replay at- and it is used for the authentication of VMNs for an
tack. Either a timestamp or a random number can intra-domain handoff. In addition, several Diameter
be used as an RPI. The size of the K AAA field is messages, for examples, AA-Mobile-Router-Re-
128 bytes by assuming a public key cryptography questandAA-Mobile-Router-Answer,aredefined.
algorithm. We adopt a symmetric key cryptography Their functions will be described later.
Field    Meaning             Typical Length (bytes)
LC       local challenge     8
MC       mobile challenge    8
H@       home address        16
Figure 5. MR’s AAA procedure for intra-domain handoff
Visiting Mobile Node (VMN) Authentication

A VMN is a visiting MN that accesses the Internet through an MR in a MONET. According to the NEMO basic support protocol, the VMN does not need to know whether its attached router is the AR or the MR. Therefore, the AAA protocol for VMNs should be consistent with this requirement. The VMN in a MONET uses the home network prefix of the MR as its IPv6 network prefix. Accordingly, the VMN will deem it to be in the MR’s home network. For VMN authentication, the MR serves as an attendant for VMNs and the MR’s AAAH server serves as an AAAL server.

Figure 6 illustrates message flows for the AAA procedure when a VMN is attached to a MONET. As mentioned previously, the MR acts as an attendant. Hence, the MR broadcasts Attendant Advertisement messages periodically or responds to an Attendant Solicit message from the VMN with an Attendant Advertisement message. The VMN creates a CR using a pre-shared SA with its AAAH server (AAAH_VMN) and sends an AReq message to the MR. Then, the MR converts the AReq message into a Diameter message, AMR, and then sends it to the MR’s AAAH server (AAAH_MR) through a secured bi-directional tunnel. When the AAAH_MR receives the AMR message, it sends the AMR message to the AAAH_VMN that has a shared SA and requests the AAA procedure for the VMN. Then, the AAAH_VMN authenticates the VMN. During these steps, K_HOME, K_LOCAL, SP_HOME, and SP_LOCAL are created, which is similar to the inter-domain AAA procedure of the MR. After completion of AAA procedures, the VMN registers its CoA (configured using the MNP) with its HA.

Figure 6. VMN’s AAA procedure

After the initial authentication and binding update procedures, VMNs within a MONET do not need to know whether the MONET changes its point of attachment or not. Thus, VMNs do not have to register their locations to their HAs even though the MONET hands off. This mobility transparency is the key advantage of the NEMO basic support protocol. However, if the mobility transparency is strictly provided, the AAAL server in the foreign network cannot detect the existence of VMNs. In other words, the mobility transparency is beneficial to reduce the binding update traffic, however, it makes the accounting/billing of VMNs’ network usages hard. To address this problem, in our protocol, the AAAL server in the foreign domain accounts the total network usage of the MONET (not individual VMNs) and then this collective accounting/billing information is delivered to the MR’s AAAH server. At the same time, the MR’s AAAH server maintains the accounting/billing information for the MR as well as individual VMNs.¹ Consequently, the MR’s AAAH server can differentiate the accounting/billing information for MRs and VMNs. In addition, we assume that the MR’s AAAH server and the VMN’s AAAH server have a trust relationship and a shared SA. Therefore, the accounting/billing information collected at the MR’s AAAH server is securely transferred to the VMN’s AAAH server for suitable billing.

In addition, the mobility transparency causes another problem, that is, how to authorize VMNs when the MONET moves to a foreign domain with a different billing policy. To solve this problem, an MR sends an Attendant Advertisement message with a set R bit when the foreign domain has a different policy and thus a new AAA procedure is required. Hence, from the Attendant Advertisement message, the VMN determines whether it should perform a new AAA procedure or not. We assume that each network domain can have different policies, so that the VMN performs a new AAA procedure for each inter-domain handoff.

Security Analysis

In this section, we analyze the proposed AAA protocol in terms of mutual authentication and security attacks (e.g., key exposure, replay attack, and man-in-the-middle attack).
between two parties without either party knowing that the link between them has been compromised. In NEMO environments, we can imagine an attack that a malicious MR relays authentication messages and it intends to use network resource illegally. Figure 7 illustrates the man-in-the-middle attack by a malicious MR for the inter-domain authentication. The malicious MR acts as an AR and relays authentication messages between the victim MR and the AR. After the authentication procedures, the malicious MR still can relay all of the traffic between the victim MR and AR. However, the malicious MR cannot use any network resource because it has no knowledge of K_LOCAL and K_HOME. Namely, if a fresh session key is established, the malicious MR cannot further compromise the authentication procedure between the MR and the AAAL server.

Signaling Cost Analysis

Reducing the AAA traffic is an important requirement in NEMO environments where a MONET moves with a high velocity and AAA procedures are frequently performed (e.g., train or car). Therefore, through the analytical model, we quantify the AAA cost (C_AAA), which is defined as the volume of AAA-related messages delivered over the network and the unit of C_AAA is bytes * hops (Lo, Lee, Chen, & Liu, 2004).

Let i and j be the numbers of intra-domain handoffs and inter-domain handoffs for each session, respectively. It is assumed that the subnet residence time of the MONET follows a general distribution with mean 1/µ_S, which probability density function (PDF) is f_S(t) and its Laplace transform is f*_S(s). In addition, the domain residence time of the MONET follows a general distribution with mean 1/µ_D, whose PDF is f_D(t) and its Laplace transform is f*_D(s). When the inter-session arrival time is assumed to be an exponential distribution with rate I, the PDFs of i and j are respectively given by (Lin, 1997)
1 MR MR
1 − [1 − f S ( I )] i= 0 where Cintra and Cinter are the costs for intra-
*
(3)
10 49 1 1 2, 5, 10 2, 5 2, 5
C_AAA^VMN = ∑_k C_AAA^VMN(k) ⋅ (k)    (7)

In this section, we evaluate the effects of mobility and the distance between a foreign network and a home network on the AAA cost (i.e., C_AAA^MR and C_AAA^VMN). The parameters and the size of each AAA message are shown in Tables 2 and 3, respec-

As shown in Figure 8, the proposed AAA protocol has a smaller AAA cost than the non-localized AAA protocol. Also, it can be seen that C_AAA^MR increases as µ_S increases (i.e., as the subnet residence time of the MONET decreases). This is because the number of inter- or intra-handoffs is reduced when the mobility (i.e., µ_S) is low. Figure 8 also indicates the AAA cost variation for different
Figure 9. The AAA cost of a VMN
Section III
Security in Ad Hoc and Sensor Networks

Chapter XXVI
Security in Mobile Ad Hoc Networks

Bin Lu
West Chester University, USA

Abstract

Mobile ad hoc network (MANET) is a self-configuring and self-maintaining network characterized by dynamic topology, absence of infrastructure, and limited resources. These characteristics introduce security vulnerabilities, as well as difficulty in providing security services to MANETs. Tremendous research has been done to develop security approaches to MANETs. This work will discuss the existing approaches that have intended to defend against various attacks at different layers. Open challenges are also discussed in the chapter.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
of DoS attack, namely “sleep deprivation torture” attack (Stajano & Anderson, 1999), by forcing a node to relay packets.

Ad hoc routing requires the participation of all the nodes in the network. MANETs are peer-to-peer, namely all the nodes play the same roles as end hosts and routers as well. However, some selfish nodes may refuse to forward data packets or routing requests for other nodes to save energy or communication resources. Some more dramatic attacks by malicious nodes include dissemination of false routing information, sending frequent routing updates to achieve denial-of-service, and deviating traffic from legal route.

Like in the traditional wired networks, attacks can target the security mechanisms as well. For examples, cryptographic operations can be at risk if a secret key is intercepted and compromised, or a trusted authority is brought down. These attacks are not intrinsic to wireless networks, but they are difficult to prevent and detect in the context of MANETs.

Security Services

The services that should be provided in MANETs are the same as those in the wired networks, which include availability, authentication, integrity, confidentiality, and nonrepudiation.

• Availability ensures that network services are provided as supposed to be. In an ad hoc network without protection of proper security mechanisms, its service performance and availability can be easily compromised. For example, signal jamming at the physical and media access control layers can seriously interfere with communications or even bring down the physical channels. A malicious or selfish node can also disrupt routing services, which may result in network partition. To solve the problem, some economic models have been proposed to stimulate cooperation among nodes. Monitoring techniques are also used to ensure proper provision of network services. For instance, a node in promiscuous mode can monitor the communications in the vicinity.
• Authentication ensures that the identity of a node in communication is indeed the entity it declares to be. Authentication can prevent identity masquerade and unauthorized access to resource or information. Authentication is usually provided by digital signature or possession of a secret (such as a key). Due to stringent resource constraint of MANETs, the authentication protocols for the traditional Internet are not applicable because these protocols consume too much computational resources. Some authentication approaches that use one-way hash function, which proves to be faster than other cryptographic operations, have drawn much attention because of their efficiency.
• Integrity ensures that a message in transmission has not been maliciously altered or corrupted. A message can be corrupted due to presence of malicious attacks, or communication failures, which may be common on the lossy channels of ad hoc networks. In addition to the traditional approaches for the Internet, some researchers proposed that a node could perform integrity check by overhearing the next hop when this next hop forwards the packet on along the path. This overhearing technique can be easily used in ad hoc networks because of the open nature of the communication channels.
• Confidentiality guarantees that sensitive information is not disclosed to unauthorized entities. Encryption used in wired networks is also used for MANETs.
• Nonrepudiation ensures that the origin of a message cannot deny having sent the message. Nonrepudiation allows a malicious node who has sent false information to be accused by legitimate users, and therefore is important in intrusion detection. Asymmetric key cryptography has been used to provide nonrepudiation for both the Internet and MANETs.

Other security services for MANETs include authorization and accounting. But to our best of knowledge, not much research work has been pub-
is built by applying a one-way hash function repeatedly. To create a one-way hash chain, a node should choose a random value and then generate a list of hash values, h_0, h_1, h_2, ..., h_n, from the random value, where h_{i+1} = H(h_i) for 0 ≤ i < n, and H is the hash function. To use a one-way hash chain for authentication, h_n should be distributed first. A subsequent element h_i can then be authenticated by applying H to it (j - i) times and checking that the result equals a previously distributed element h_j (j > i).

Monitoring technique has been proved an effective way to provide availability to routing advertisement or data packet forwarding, and to promote fair share of bandwidth at MAC layer. To monitor, nodes turn on promiscuous mode to listen to communication of neighboring nodes in order to ensure proper transmission of frames or packets.

Reputation mechanisms have been used together with cooperation mechanisms to enhance security in routing and MAC layer protocols. It will be discussed in “Cooperation” topic in a later section.

Wireless MAC Security

MAC protocols for wireless networks such as IEEE 802.11 (1999) use a contention resolution mechanism for sharing the open communication channel. This resolution mechanism is fully distributed and requires cooperation among all the participating nodes. The participating nodes are expected to perform a random backoff before transmission to reduce contention and to ensure a reasonably fair share of the channel.

However, in an untrusted network environment where selfish or malicious nodes may be included, cooperation cannot always be guaranteed. A selfish node may intentionally deviate from MAC protocols to maximize its throughput by obtaining an unfair share of the bandwidth. A malicious node may intend denial-of-service (DoS) attacks by injecting frames on the wireless medium continuously, or intermittently with the intention of conserving its own energy. The injection may cause radio collisions and transmission jamming, and thus repeated backoffs among legitimate nodes. A malicious node can also transmit strong noise signals to prevent messages in the victim vicinity from being received.

Whether a node is selfish or malicious, the consequences of its misbehaviors can be severe and disastrous, and therefore should be addressed as security problems with essential concerns. The security solution is to detect misbehaviors and to locate the misbehaving nodes in a timely and reliable manner. This is not a trivial task due to the random nature of the MAC protocols and the shared and volatile medium. It is especially difficult to differentiate between misbehavior and an occasional deviation caused by impairment of wireless link.

Several approaches have been proposed to handle selfish and malicious misbehaviors at the MAC layer.¹

One approach is to address selfish misbehaviors by using game theoretic techniques to find a state where the misbehaving nodes cannot gain any advantage over the well-behaved nodes (Cagalj, Ganeriwal, Aad, & Hubaux, 2004; Konorski, 2001, 2002; Mackenzie & Wicker, 2000, 2003; Michiardi & Molva, 2002b). This approach has also been used at network layer to secure routings.

Konorski (2001, 2002) proposes a game theoretic model that targets selfish nodes who fail to adhere to MAC protocols by waiting for smaller backoff intervals than supposed to be. By applying the noncooperative game model (Jones, 2000), the approach modifies the backoff algorithm using blackbursts and leads the game to a Nash equilibrium point (Nash, 1950). The approach requires accurate measurement of the duration, which is difficult to grant in MANETs. Cagalj et al. (2004) developed a strategy that employs two Markov chains (Jha, Tan, & Maxion, 2001) to derive from contention windows the access possibilities of the misbehaving nodes and the well-behaved nodes, respectively. The approach can reach the Nash equilibrium with multiple selfish nodes.

Another approach, which has been mostly used, is to monitor the neighboring node by overhearing and then penalize the identified misbehaving nodes (Gupta, Krishnamurthy, & Faloutsos, 2002; Kyasanur & Vaidya, 2005; Radosavac, Baras, &
Koutsopoulos, 2005; Radosavac, Cardenas, Baras, & Moustakides, 2006; Raya, Hubaux, & Aad, 2004; Xu, Trappe, Zhang, & Wood, 2005).

Raya et al. (2004) deals with MAC misbehaviors in wireless hot-spot communities, such as intentionally scramble frames or illegal manipulation of backoff intervals also. A sequence of observations is required to detect misbehaviors based on the extent to which MAC protocol parameters are manipulated.

Kyasanur and Vaidya (2005) propose modifications to IEEE 802.11, such as letting the receiver of the particular transmission decide whether the sender has deviated from the protocol. It is proposed to use additional nodes in the vicinity to detect collusions between the receiver and the sender. The authors also present a diagnosis scheme, which uses a moving window and thresh to capture the misbehaving nodes. A scheme for punishing a selfish node is also presented. Simulation results show that the detection and penalty schemes are effective in handling selfish MAC misbehaviors.

Radosavac et al. (2005) propose to let a node compute the backoff values of its neighboring node based on the RTS (request-to-send), CTS (clear-to-send), or ACK (acknowledgement) messages. The problem is cast into a “minimax robust detection framework,” in which the worst-case instance of attack will be identified and a detection rule of optimum performance is generated with uncertain information. The approach requires clock synchronization, which is considered not realistic by some researchers. A recently published work by Radosavac et al. (2006) is an advanced version of the published work of Radosavac et al. in 2005. The work studies the single-node attacks as well as colluding attacks.

Gupta et al. (2002) and Xu et al. (2005) studied the DoS attacks at MAC layer and analyzed different attack models with their traffic patterns. Gupta et al. (2002) demonstrate simulation of IEEE 802.11 protocol as well as emulation of a perfectly fair MAC (FAIRMAC) protocol in order to show how the employment of MAC layer fairness can prevent or alleviate the effect of the DoS attacks. The authors also show that many other factors such as location of the malicious node, availability of other compromised nodes, availability of routing information, together with the fairness, determine the efficacy of the DoS attacks. Xu et al. (2005) also provide interesting insights into jamming attacks at MAC layer. They proposed four jamming attack models that can be used by an adversary who intend DoS attacks: constant, deceptive, random, and reactive jamming. The effectiveness of the four jammer strategies is evaluated by implementation of a prototype using Berkeley Motes platform. Different measurements for detecting jamming attacks are proposed. The authors found that not a single measurement is sufficient to conclusively differentiate malicious attacks from link impairment.

To reliably detect misbehaviors at MAC layer, accurately and reliably monitoring the transmission pattern from a node is a critical factor and still worth further investigation.

Secure Routing Protocols

Routing protocols for MANETs are very different from those existing Internet protocols, because MANETs are self-organized and the protocols need to cope with frequent topology change, open shared medium, and resource restrictions. In addition, all the nodes also serve as routers, participating in route discovery, route maintenance, and packet delivery. These characteristics have introduced significant difficulty to routing security in MANETs.

In 1996, The Internet Engineering Task Force (IETF) established a MANET workgroup (Macker & Chakeres, 2006), which goal is “to standardize of the IP routing protocol functionality suitable for wireless routing applications.” Since then, some routing protocols have been proposed particularly for MANETs.

AODV (ad hoc on-demand vector) (Perkins, Belding-Royer, & Das, 2003) is a reactive routing protocol. In AODV, the node who needs to establish a route to another node will broadcast a route request (RREQ) message to its neighbors. Each node that receives the message establishes a reverse link toward the originator of the RREQ, unless such a link has already existed. Dynamic
source routing (DSR) (Johnson, Maltz, & Hu, 2004) is a protocol that uses source routing technique, in which the sender constructs a “source route” in the packet’s header that gives the hosts on the path. Destination-sequenced distance-vector (DSDV) (Perkins & Bhagwat, 1994) is a proactive routing protocol which maintains a routing table that lists all possible destinations in the network as well as metric and next hop to the destination.

These protocols are designed without security concern in mind, and therefore are susceptible to various attacks.

Attacks on MANET Routing

A selfish or malicious node can disrupt routing services passively or actively. Their purposes include selfish conservation of own resource, disruption of routing, excessive resource consumption, and so forth.

A selfish node may refuse to participate in routing by simply discarding routing packets. This attack is usually not defended against secure routing protocols in that the node can still fail to forward data packets even if a path including the selfish node has been established. To prevent this attack, some cooperation mechanisms have been proposed, which will be discussed later.

A malicious node can maliciously advertise falsified routing information by tampering fields such as source, destination, metric, and so forth. For example, an attacker can claim falsified short distance information by advertising zero or a very small metric in order to attract and later drop the traffic originally destined to other nodes (blackhole attack), or in order to include itself on the path so that it can analyze the communications. Another example is that an attacker can use forged routing packets to create a routing loop, causing packets to circulate in the network without reaching their destinations. This malicious attack should be distinguished from nodes unknowingly providing incorrect or obsolete routing information, which may result from topology change. This is not a trivial task due to the nature of ad hoc networks.

Another type of attack, wormhole attack (Hu, Perrig, & Johnson, 2003a), happens when two malicious nodes establish a link via private network connection and forward all the received traffic to each other. In this type of attack the normal flow of routing packets will be short-circuited, and a virtual vertex cut of nodes can be created in the network that the attackers control.

An adversary can also mount a replay attack by sending an old advertisement in an attempt to get other nodes to update its routing table with stale routes. Sequence number is usually used to prevent packets from being repeatedly passed on.

Denial-of-service (DoS) attack can be attempted by injecting packets into the network which may cause excessive consumption of resources. One special type of DoS attacks, jellyfish attacks (Aad, Hubaux, & Knightly, 2004), is to hold packets unnecessarily for some amount of time before forwarding them. The jellyfish attack can cause high end-to-end delay and delay jitter. Rushing attacks (Hu, Perrig, & Johnson, 2003b) takes advantage of the suppression mechanisms that are used by on-demand routing protocols to prevent duplicate routing requests from being spread. The suppression mechanism processes only the first request while skipping the duplicate ones. All these attacks are difficult to detect in MANETs due to the inherent volatility of the communication channels.

Besides failing to follow routing protocols, which is sometimes referred as routing attacks, an attacker may also target the data messages traversing an established path. A misbehaving node may maliciously alter or drop data packets in transit, which is called packet forwarding attacks. These two types of attacks are different due to the differences of routing and data packets. Usually, routing packets are altered as they circulate around the network (such as in metric field that states the shortest distance to destination). Thus routing packets are mutable, and called hop-by-hop transmission. The data packets are nonmutable, because the data are not changed during transmission (except for some particular fields in the header) and therefore is end-to-end transmission. The integrity of the data packets can be protected by traditional cryptographic operations, while routing packets are hard to protect.
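The sequence-number freshness rule mentioned above can be seen in a small distance-vector table update. This is an added example, not code from the chapter or from any DSDV implementation: it shows that a replayed stale advertisement is rejected, while a fresh advertisement carrying an unauthenticated metric is still installed, which is why the chapter calls routing packets hard to protect. The table layout, the names and the sample advertisements are constructed, and sequence-number wrap-around is ignored.

```python
from dataclasses import dataclass


@dataclass
class Route:
    next_hop: str
    metric: int   # hop count to the destination via next_hop
    seq: int      # destination sequence number the route was learned with


class RoutingTable:
    """Distance-vector table with destination sequence numbers (hypothetical layout)."""

    def __init__(self):
        self.routes = {}

    def process_advert(self, neighbor, dest, metric, seq):
        """Apply the freshness rule: a newer sequence number wins; on an equal
        sequence number only a strictly better metric replaces the route."""
        candidate = Route(neighbor, metric + 1, seq)   # one more hop via neighbor
        current = self.routes.get(dest)
        if current is not None:
            if seq < current.seq:
                return "stale"        # old advertisement replayed: ignored
            if seq == current.seq and candidate.metric >= current.metric:
                return "not-better"
        self.routes[dest] = candidate
        return "installed"


def demo():
    """Feed four constructed advertisements for destination D to one node."""
    table = RoutingTable()
    outcomes = [
        table.process_advert("B", "D", metric=2, seq=100),  # first route to D
        table.process_advert("C", "D", metric=1, seq=98),   # replay of an old advert
        table.process_advert("B", "D", metric=2, seq=100),  # duplicate, nothing new
        # Fresh sequence number, metric 0: the rule has no way to check the
        # claimed distance, so the route is replaced. Freshness is not authenticity.
        table.process_advert("C", "D", metric=0, seq=100),
    ]
    return outcomes, table.routes["D"]


if __name__ == "__main__":
    print(demo())
```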
path, and decremented on a broken path. A node calculates a path metric by averaging the node ratings in the path.

2. Another approach is to design protocols that stimulate cooperation by penalizing misbehavior or rewarding behavior of forwarding for other nodes’ benefit.

Buttyan and Hubaux (2000, 2003) propose a protocol that can stimulate packet forwarding. It requires a node to pass all packets to its security module, which maintains a counter called nuglet counter. The counter is decreased whenever the node sends a packet as the originator, and increased when the node forwards a packet for another node. Since the value of the counter must remain positive, a node needs to maintain a balance on the counter by forwarding packets for the benefits of others to have its own packets to be sent. To prevent a node from illegitimately increasing its own counter, the counter is required to be maintained by a trusted and tamper resistant hardware module (such as a Smart card).

CONFIDANT (cooperation of nodes fairness in dynamic ad-hoc networks) (Buchegger & Boudec, 2001, 2002a, 2002b) was proposed to detect, discourage and stop selfish misbehaviors. CONFIDANT consists of four components: a monitor to observe the neighborhood; a trust manager to deal with incoming and outgoing warning messages; a reputation system to maintain reputation records based on own experiences, vicinity observations, and reported records; and a path manager for nodes to adapt their behavior according to the reputation of a node or a path. CONFIDANT takes into consideration the problem of nodes providing false information to gain good reputation. With a proper weight system and a modified Bayesian estimation procedure, the second-hand information can still speed up the detection while suppressing false positives and negatives. The simulation results show that the network performance can still be good even when half of the network population misbehaves.

CORE is a collaborative reputation mechanism (Michiardi & Molva, 2002a). Similarly to CONFIDANT, CORE also differentiates between observations and reports by other nodes. It applies different weights to subjective reputation (observations), indirect reputation (positive reputation reported by others), and functional reputation (the subjective and indirect reputation calculated with respect to different functions). At each node, reputation values are stored in a reputation table, and a watchdog mechanism is used to detect misbehaving nodes.

Sprite is a cheat-proof and credit-based system (Zhong, Chen, & Yang, 2003), which also requires that nodes receive enough credits by forwarding for other nodes to send their own packets. To prove a node has received or forwarded a message, the node keeps a receipt of the message and uploads the receipt to a credit clearance service (CCS). To motivate nodes to report receipts, CCS gives more credits to a node that forwards a message than to a node that does not. Proper actions are taken to prevent the cheating action. If a message is not received by the destination, the credits to the intermediate nodes will be greatly reduced, and therefore the benefit of falsely reporting a receipt by an intermediate node will be reduced too. The approach needs a centralized trusted entity, which is hard for MANETs.

Some other interesting approaches that use punishment or rewarding systems can be found by Mohan and Joiner (2004) and Salem, Buttyan, Hubaux, and Jakobsson (2003).

3. Game-theoretic techniques (Jones, 2000) have also been used to develop protocols for stimulating cooperation (Anderegg & Eidenbenz, 2003; Srinivasan, Nuggehalli, Chiasserini, & Rao, 2003).

These techniques assume that all nodes are selfish and rational, that is, they only do things that are beneficial to themselves and their purpose is to maximize their own utility. Usually noncooperative game model is used in these approaches. By means of imposing suitable costs on network operation, the game reaches a stable state called “Nash equilibrium” (Nash, 1950), where a selfish node cannot gain an advantage over well-behaved nodes.
Security in Mobile Ad Hoc Networks
Anderegg and Eidenbenz (2003) provide a game theoretic approach, whose goal is to achieve truthfulness and cost-efficiency for routing protocols in MANETs. The approach pays the forwarding nodes a premium over their actual costs for forwarding data packets. The authors show that the total overpayment is relatively small.

Although protocols developed with game-theoretic techniques may be resilient to misbehavior, they may not achieve the same performance of protocols developed under the assumption that all nodes are well-behaved.

Authentication and Key Management in MANETs

Authentication and key management are essential problems for MANET security.

Authentication in MANETs

prevent a malicious node from tampering with a node that has delays in receiving the newest key, by means of using the newest key to forge packets with valid authentication information. Authentication techniques that use one-way hash chain keys can tolerate packet loss and have the advantage of low overhead. TESLA has been adopted by many approaches to authenticate neighboring communications in MANETs.

Zhu, Xu, Setia, and Jajodia (2003) propose a light-weight hop-by-hop authentication protocol (LHAP), in which every node authenticates all the packets received from neighbors before forwarding it. LHAP also uses a one-way hash chain, like TESLA, but it does not use delayed key disclosure. LHAP uses a TRAFFIC chain (a one-way hash chain) to authenticate packets, and uses a TESLA chain to authenticate TRAFFIC keys. Security properties and performance are analyzed. The analysis shows that LHAP is lightweight and practical.
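The packet-loss tolerance of one-way hash chain keys described above can be seen in a short receiver-side check. This is an added example, not code from LHAP or TESLA: it covers only the key verification step, and the function names, the chain length and the `max_gap` bound are assumptions chosen for illustration.

```python
import hashlib
import hmac


def H(data):
    """One-way function used to build the chain (SHA-256 here)."""
    return hashlib.sha256(data).digest()


def make_chain(seed, length):
    """Return [K_0, ..., K_length] with K_i = H(K_{i+1}).

    K_length is the sender's secret seed. K_0 is the commitment that
    neighbors learn over an authenticated channel before traffic flows.
    """
    keys = [seed]
    for _ in range(length):
        keys.append(H(keys[-1]))
    keys.reverse()
    return keys


class ChainVerifier:
    """Receiver-side state for one neighbor's hash chain."""

    def __init__(self, commitment, max_gap=4):
        self.last_key = commitment   # most recent key known to be genuine
        self.last_index = 0          # its position in the chain
        self.max_gap = max_gap       # bound on hashing work per packet

    def accept(self, index, key):
        """Accept key K_index if hashing it forward reaches the last good key.

        Lost packets only widen the gap: the receiver hashes a few more
        times instead of needing the missing keys. Old keys (gap <= 0)
        and keys too far ahead (gap > max_gap) are refused.
        """
        gap = index - self.last_index
        if gap <= 0 or gap > self.max_gap:
            return False
        probe = key
        for _ in range(gap):
            probe = H(probe)
        if not hmac.compare_digest(probe, self.last_key):
            return False
        self.last_key, self.last_index = key, index
        return True


def demo():
    """Run the verifier over a constructed sequence of disclosed keys."""
    chain = make_chain(b"constructed-demo-seed", 20)
    v = ChainVerifier(chain[0], max_gap=4)
    return {
        "in_order": v.accept(1, chain[1]),
        "after_loss": v.accept(4, chain[4]),        # keys 2 and 3 never arrived
        "replayed_old_key": v.accept(3, chain[3]),  # older than last accepted
        "forged_key": v.accept(5, b"\x00" * 32),    # does not hash to K_4
        "gap_too_large": v.accept(10, chain[10]),   # exceeds max_gap
        "next_valid": v.accept(5, chain[5]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

The per-packet cost is at most `max_gap` hash evaluations and one stored key per neighbor, which is the low overhead the text refers to.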
for distribution of the private key, where the key is divided into n shares. Therefore, n parties are allowed to share the ability to perform a cryptographic operation (e.g., creating a digital signature), and any t + 1 parties can perform the operation jointly. To sign a certificate, each server produces a partial signature for the certificate using its share and submits the partial signature to a combiner that can generate the entire signature. In this way, the system can tolerate a certain number (t < n) of compromised servers.

A similar approach proposed by Kong, Zerfos, Luo, Lu, and Zhang (2001) provides a fairer distribution by allowing each node to carry a secret share. Any t + 1 nodes in the vicinity of the requesting node can jointly provide complete service, which increases availability and scalability of the service. However, this scheme is not secure if an attacker can compromise arbitrary t + 1 nodes and thus can collect enough shares and reconstruct the system's private key.

According to Zhou and Haas (1999) and Kong et al. (2001), a trusted authority is needed for initialization of the first t + 1, which is difficult in MANETs. In addition, it is still not clear how to determine the number t initially and adapt t based on n.

Capkun, Buttyan, and Hubaux (2003) propose a fully self-organized public-key management system that does not require use of any trusted authority even in the system initialization phase. Like PGP (pretty good privacy) (Zimmermann, 1995), the scheme allows a node to create public and private keys by itself. But the keys and certificates are not stored in centralized certificate repositories. Instead, they can be stored at the nodes in a fully distributed manner. When a node wants to obtain the public key of another node, it acquires a chain of valid public-key certificates. The first certificate of the chain can be directly verified by using a trusted public key. Then each sequential certificate can be verified using the public key contained in the previous certificate of the chain. The last certificate contains the public key of the target user. The system allows the nodes in the network to perform key authentication based only on their local information.

However, Chan (2004) argues that although some protocols are fully distributed and self-organized without needing any trusted third party (TTP), they are not robust to dynamic topology or sporadic links because they need the routing structure that has been established initially.

Chan (2004) proposes a distributed symmetric key management scheme for MANETs, which uses a fully distributed and self-organized key pre-distribution scheme (DKPS) without relying on TTPs or infrastructure support. The DKPS scheme has three phases, namely distributed key selection (DKS), secure shared-key discovery (SSD), and key exclusion property testing (KEPT). In the DKS phase, each node randomly picks keys from the publicly known universal set to form its key ring, in which exclusion property will be ensured to avoid collision. As soon as each node shares a common key with any other node, it enters the SSD phase and broadcasts its key identifiers to others. To guarantee that the nodes can let each other know which keys they have in common without revealing the keys to others, the author proposes MRS (modified Rivest's scheme) and built SSD upon MRS. MRS is based on the work of Rivest, Adleman, and Dertouzos (1978), and is a special class of encryption functions that allow operations on the encrypted data without needing knowledge of the decryption functions. In KEPT phase, a node tests whether its set of keys satisfies the exclusion property.

Crepeau and Davis (2003) provide a certificate revocation scheme that can defend against attacks of maliciously accusing other nodes and using revoked certificate to access network services.

Many researchers are still making efforts to find a secure yet cost-efficient key distribution approach.

Intrusion Detection Systems (IDS) for MANETs

In the traditional Internet, network devices such as routers, switches, and gateways can be used to monitor the traffic. Due to the lack of these network devices and a fixed infrastructure, intrusion detection in MANETs is more challenging
than that in the Internet. Moreover, the restriction of resources again brings more difficulty to data analysis, which usually plays an important role in intrusion detection. A comprehensive survey on IDS for MANETs can be found by Avantvalee and Wu (2006).

An IDS for MANETs not only has the same requirements as in the wired networks (such as reliability, minimal false positive and false negative rates, transparency to system and users, etc.), but also requires low usage of system and network resources. Therefore, the design and development of IDS for MANETs is not a trivial task.

A simple solution for IDS in MANETs is that each host relies on itself for detection, where the audit data are gathered and processed locally. Some IDS proposed for MANETs use this solution of letting individual nodes determine intrusions independently in case the local evidence is strong. But many systems also allow a node to request complementary information from others so that cooperation can be reinforced in case of weak or inconclusive local evidence.

Albers, Camp, Percher, Jouga, Me, and Puttini (2002) propose a local IDS (LIDS), which uses several mobile agents on each node. All the LIDS in a community can collaborate to alert each other of intrusions. These data are independent from the operating system and need no additional resources for local information. A LIDS has several data collecting agents of different types: a local agent that locally detects intrusions and responds to intrusions; a collection of mobile agents that collect and process data from remote hosts; and a local MIB agent that collects MIB (management information base) variables for the mobile agents or the local LIDS agent. The implementation of prototypes was claimed by the authors, but the results are not demonstrated in the publication.

A distributed intrusion detection model was later proposed by Zhang, Lee, and Huang (2003). The model of the IDS agent is composed of six modules: a local data collection module that collects real-time audit data; a local detection engine that performs local anomaly detection; a cooperative detection engine that helps collaboration and collects broader data sets from other agents; a local response module that triggers local response actions; a global response module that coordinates responses among neighboring nodes; and a secure communication module that provides secure communication channels among IDS agents. On the anomaly detection model, two classification techniques, RIPPER (repeated incremental pruning to produce error reduction) and SVM (support vector machine) light, are applied to compute classifiers as anomaly detectors. The classifiers are used to detect anomalous updates to routing tables. The performances are evaluated and compared through simulations. The authors find that protocols with strong traffic correlation tend to have better detection performance.

Kachirski and Guha (2003) propose an agent-based IDS that uses multiple mobile sensors to determine intrusions. The system assigns functional tasks to different agents: a network monitoring agent to monitor network packets (only on certain nodes to preserve resources); a host monitoring agent on every node to monitor system and applications level activities; a decision-making agent on every node to determine intrusions based on host-level information, and on certain nodes to determine network-level intrusions; and an action agent on every node to respond to intrusions. Similarly to the two IDS described above, this system makes intrusion decisions based on both independent and collaborative monitoring, and the level of the monitoring can be adapted according to the availability of the computational and network resources.

Another intrusion detection technique is the dynamic hierarchical intrusion detection architecture proposed by Sterne, Balasubramanyam, Carman, Wilson, Talpade, Ko et al. (2005). The system requires every node to monitor, log, analyze, and respond to detected intrusions. It also uses clustering to form a hierarchical structure. Different nodes (e.g., leaf nodes and clusterhead nodes in the structure) may perform different functions in intrusion detections. This hierarchical structure is advantageous in monitoring end-to-end traffic and thus can help detect end-to-end attacks. The system does not use promiscuous listening, which is arguably unrealistic for MANETs. However, some researchers have also argued that a hierarchical architecture may not be suitable to MANETs either, due to the rapid topology change of MANETs and the high overhead introduced by organizing the hierarchy.

Sun, Wu, and Pooch (2003) propose a zone-based IDS (ZBIDS). ZBIDS divides the network into nonoverlapping zones. The nodes are categorized into two types based on their locations to a zone: intrazone nodes (within a zone and not connected to nodes in another zone) and interzone nodes (within a zone and connected to nodes in another zone). Intrazone nodes are responsible for local detection and broadcast in case of alerts. Interzone nodes perform aggregation and correlation of these local detection results. The system can limit the detection cooperation in a zone, which may reduce the overhead by the broadcast and aggregation. However, the system requires that each node know its physical location, which needs prior design setup. The management of zones is not a trivial task either.

Intrusion detection has been a challenging task for MANETs, mainly due to the distributed nature and resource constraints of ad hoc networks. To determine intrusions with local or incomplete information and with low overhead has been a major concern for researchers.

Open Challenges and Conclusion

Challenges

The research in MANET security is still in its early stage. Some areas that are interesting but little explored include accounting, trust management, authentication, and key management.

Accounting provides the method for collecting the information used for billing, auditing, and reporting. Accounting mechanisms can track the services that users are accessing as well as the amount of network resources they are consuming. Accounting is a challenging problem due to the distributed and ephemeral nature of MANETs.

The characteristics of MANETs also bring difficulty to trust management. In MANETs, the trustworthiness is evaluated based on the information or evidence provided by peers, not by trusted authorities or a central administration point (as in the Internet or wireless networks with base-stations). Additionally, the gathering of the trust evidence may be difficult due to the small bandwidth, and therefore local information has to be relied on. Evaluation with uncertain and incomplete trust evidence certainly poses challenges to trust management.

Research progress has been made on authentication and key management. But finding cryptographic mechanisms that consume less computational resources and impose lower time complexity is still a major research concern in MANET security.

Another problem for MANET security is to find an effective and efficient approach for intrusion response. Many publications simply mentioned that proper actions should be taken to react to intrusions, which may include alarming the other nodes in the network, isolating the compromised nodes, or re-establishing the trust relationship for the entire network. But the problem of how to locate and then isolate the compromised nodes is not discussed in detail. The location and isolation could be even more difficult when distributed attacks are launched from multiple sources. Eliminating the compromised nodes by rekeying or rebuilding the trust could be an effective solution. However, it is certainly not efficient taking into account the computation and communication overhead it may cause.

Some other unexplored research problems include the tradeoff between privacy (such as identity anonymity and location privacy) and other security services (such as accounting and intrusion detection), and the tradeoff between security strengths and network performance.

Yang et al. (2004) argue that MANET security needs a "multifence security solution," namely resiliency-oriented security design. They argue that the existing proposals are attack-oriented because the protocols target some specific attack that has been identified first. These protocols therefore may not work well in the presence of unanticipated attacks. They propose that a security solution is needed that can be embedded into every component or every layer in the network. The solution can
offer multiple lines of defense against many security threats, both known and unknown.

Besides problems described above, how to adapt the security mechanisms in a large-scale wireless network is also an interesting problem. The scalability of security mechanisms and the compromise between security and network scalability are certainly topics worth further research study.

Conclusion

With the rapid proliferation of wireless networks and mobile computing applications, MANETs have received increased attention. Security is an important feature for ad hoc networks, especially in untrustworthy environments such as battlefields. Development of security solutions for ad hoc networks has therefore become a major research concern.

However, the characteristics of ad hoc networks have not only introduced vulnerabilities to malicious attacks varying from passive eavesdropping to active interfering, but also imposed difficulty and challenges in introducing security features to MANETs.

This book chapter has discussed the security vulnerabilities, challenges, and security solutions for MANETs. A variety of attacks and their countermeasures have been identified for different network operations, mechanisms, and network layers. Existing research efforts as well as the open challenges were discussed in the chapter.

References

Aad, I., Hubaux, J.-P., & Knightly, E.W. (2004). Denial of service resilience in ad hoc networks. In Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom 2004), Philadelphia, (pp. 202-215).

Albers, P., Camp, O., Percher, J., Jouga, B., Me, L., & Puttini, R. (2002). Security in ad hoc networks: A general intrusion detection architecture enhancing trust based approaches. In Proceedings of the 1st International Workshop on Wireless Information Systems (WIS-2002) (pp. 1-12).

Anderegg, L., & Eidenbenz, S. (2003). Routing and forwarding: Ad hoc-VCG: A truthful and cost-efficient routing protocol for mobile ad hoc networks with selfish agents. In Proceedings of the 9th Annual International Conference on Mobile Computing and Networking (MobiCom 05), San Diego, (pp. 245-259). ACM Press.

Avantvalee, T., & Wu, J. (2006). A survey on intrusion detection in mobile ad hoc networks. In Y. Xiao, X. Shen, & D.-Z. Du (Eds.), Wireless/mobile network security (pp. 170-196).

Balfanz, D., Smetters, D.K., Stewart, P., & Wong, H.C. (2002). Talking to strangers: Authentication in ad-hoc wireless networks. Paper presented at the Symposium on Network and Distributed Systems Security (NDSS '02), San Diego.

Buchegger, S., & Boudec, J.L. (2001). The selfish node: Increasing routing security in mobile ad hoc networks (IBM Research Report: RR 3354).

Buchegger, S., & Boudec, J.L. (2002a). Nodes bearing grudges: Towards routing security, fairness, and robustness in mobile ad hoc networks. In Proceedings of the Tenth Euromicro Workshop on Parallel, Distributed and Network-based Processing, Canary Islands, Spain, (pp. 403-410). IEEE Computer Society.

Buchegger, S., & Boudec, J.L. (2002b). Performance analysis of the CONFIDANT protocol: Cooperation of nodes - fairness in dynamic ad-hoc networks. In Proceedings of IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc), Lausanne, CH, (pp. 226-236). ACM Press.

Buttyán, L., & Hubaux, J.-P. (2000). Enforcing service availability in mobile ad-hoc WANs. In Proceedings of Workshop on Mobile Ad-hoc networking and Computing (MobiHOC), Boston, (pp. 87-96).

Buttyán, L., & Hubaux, J.-P. (2003). Stimulating cooperation in self-organizing mobile ad hoc networks. Mobile Networks and Applications, 8(5), 579-592.
Cagalj, M., Ganeriwal, S., Aad, I., & Hubaux, J.-P. (2004). On cheating in CSMA/CA ad hoc networks (Tech. Rep. IC/2004/27, EPFL-DI-ICA). Lausanne, Switzerland: Swiss Federal Institute of Technology Lausanne.

Capkun, S., Buttyan, L., & Hubaux, J.-P. (2003). Self-organized public-key management for mobile ad hoc networks. IEEE Transactions on Mobile Computing, 2(1), 52-64.

Chan, A.C.-F. (2004). Distributed symmetric key management for mobile ad hoc networks. In Proceedings of the 23rd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), Hong Kong, China, (pp. 2414-2424). IEEE.

Crepeau, C., & Davis, C.R. (2003). A certificate revocation scheme for wireless ad hoc networks. In Proceedings of the 1st ACM Workshop Security of Ad Hoc and Sensor Networks, Fairfax, Virginia, (pp. 54-61). ACM Press.

Gupta, V., Krishnamurthy, S., & Faloutsos, M. (2002). Denial of service attacks at the MAC layer in wireless ad hoc networks. In Proceedings of MILCOM.

Hu, Y.C., Johnson, D., & Perrig, A. (2002). SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks. In Proceedings of the 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '02), Callicoon, New York, (pp. 3-13).

Hu, Y.C., Perrig, A., & Johnson, D. (2002). Ariadne: A secure on-demand routing protocol for ad hoc networks. In Proceedings of the 8th ACM International Conference on Mobile Computing and Networking (MobiCom), Atlanta, Georgia, (pp. 12-23). ACM Press.

Hu, Y.C., Perrig, A., & Johnson, D. (2003a). Packet leashes: A defense against wormhole attacks in wireless ad hoc networks. In Proceedings of the Twenty-Second Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2003) (pp. 1976-1986). IEEE.

Hu, Y.C., Perrig, A., & Johnson, D. (2003b). Rushing attacks and defense in wireless ad hoc network routing protocols. In Proceedings of ACM WiSe 2003, San Diego, (pp. 30-40). ACM Press.

IEEE. (1999). Standard for wireless LAN-medium access control and physical layer specification, P802.11.

Jha, S., Tan, K., & Maxion, R. (2001). Markov chains, classifiers, and intrusion detection. In Proceedings of the 14th IEEE Computer Security Foundations Workshop, Cape Breton, Nova Scotia, Canada, (pp. 206-219).

Johnson, D.B., Maltz, D.A., & Hu, Y. (2004). The dynamic source routing protocol for mobile ad hoc networks (DSR). INTERNET DRAFT, MANET working group. Retrieved November 17th, 2006, from http://www.ietf.org/internet-drafts/draft-ietf-manet-dsr-10.txt

Jones, A. (2000). Game theory: Mathematical models of conflict (pp. 210-236). Horwood Publishing.

Kachirski, O., & Guha, R. (2003). Effective intrusion detection using multiple sensors in wireless ad hoc networks. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS'03) (pp. 57.1-57.8). IEEE.

Kong, J., Zerfos, P., Luo, H., Lu, S., & Zhang, L. (2001). Providing robust and ubiquitous security support for mobile ad hoc networks. In Proceedings of the 9th International Conference on Network Protocols (ICNP) (pp. 251-260). ACM Press.

Konorski, J. (2001). Protection of fairness for multimedia traffic streams in a non-cooperative wireless LAN setting. Paper presented at PROMS (LNCS 2213, pp. 116-129). Springer.

Konorski, J. (2002). Multiple access in ad-hoc wireless LANs with noncooperative stations. Networking (LNCS 2345, pp. 1141-1146). Springer.

Kyasanur, P., & Vaidya, N.H. (2005). Selfish MAC layer misbehavior in wireless networks. IEEE Transactions on Mobile Computing, 4(5), 502-516.
Lu, B., & Pooch, U.W. (2005). A lightweight authentication protocol for mobile ad hoc networks. In Proceedings of the International Conference on Information Technology: Coding and Computing (ITCC'05), Las Vegas, (pp. 546-551). ACM Press.

Mackenzie, A.B., & Wicker, S.B. (2000). Game theory and the design of self-configuring, adaptive wireless networks. IEEE Communications Magazine, 39(11), 126-131.

Mackenzie, A.B., & Wicker, S.B. (2003). Stability of multipacket slotted aloha with selfish users and perfect information. In Proceedings of Infocom 2003, San Francisco, (pp. 1583-1590). IEEE.

Macker, J., & Chakeres, I. (2006). Mobile ad-hoc networks (MANET). Retrieved November 17th, 2006, from http://www.ietf.org/html.charters/manet-charter.html

Marti, S., Giuli, T., Lai, K., & Baker, M. (2000). Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of the 6th ACM International Conference on Mobile Computing and Networking (MobiHoc'05), Urbana Champaign, IL, (pp. 255-265). ACM Press.

Michiardi, P., & Molva, R. (2002a). CORE: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. Paper presented at the Sixth IFIP Conference on Security Communications, and Multimedia (CMS 2002), Portoroz, Slovenia.

Michiardi, P., & Molva, R. (2002b). Game theoretic analysis of security in mobile ad hoc networks (Tech. Rep. RR-02-070). Institut Eurecom.

Mohan, M., & Joiner, L.L. (2004). Solving billing issues in ad hoc networks. In Proceedings of ACMSE '04, Huntsville, AL, (pp. 31-36). ACM Press.

Nash, J. (1950). The bargaining problem. Econometrica, 18, 155-162. The Econometric Society.

Papadimitratos, P., & Haas, Z.J. (2002). Secure routing for mobile ad hoc networks. Paper presented at the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio, TX.

Perkins, C.E. (Ed.). (2001). Ad hoc networks. Upper Saddle River, NJ: Addison-Wesley.

Perkins, C.E., Belding-Royer, E.M., & Das, S.R. (2003). Ad hoc on-demand distance vector (AODV) routing. Internet request for comments RFC 3561. Retrieved November 17th, 2006, from http://www.ietf.org/rfc/rfc3561.txt.

Perkins, C.E., & Bhagwat, P. (1994). Highly dynamic destination-sequenced distance-vector routing (DSDV) for mobile computers. Paper presented at the ACM Conference on Communications Architectures, Protocols and Applications (SIGCOMM '94), London, (pp. 234-244). ACM Press.

Perrig, A., Canetti, R., Song, D., & Tygar, D. (2001). Efficient and secure source authentication for multicast. In Proceedings of Network and Distributed System Security Symposium (NDSS'01), San Diego, CA, (pp. 35-46).

Perrig, A., Canetti, R., Tygar, D., & Song, D. (2000). Efficient authentication and signing of multicast streams over lossy channels. In Proceedings of IEEE Symposium on Security and Privacy, Berkeley, CA, (pp. 56-73). IEEE.

Perrig, A., Canetti, R., Tygar, D., & Song, D. (2002, Summer). The TESLA broadcast authentication protocol. RSA CryptoBytes, 5, 2-13.

Radosavac, S., Baras, J.S., & Koutsopoulos, I. (2005). A framework for MAC protocol misbehavior detection in wireless networks. Paper presented at the Wireless Security Workshop (WiSe '05), Cologne, Germany, (pp. 33-42).

Radosavac, S., Cardenas, A., Baras, J.S., & Moustakides, G. (2006). Detecting IEEE 802.11 MAC layer misbehavior in ad hoc networks: Robust strategies against individual and colluding attacker. Journal of Computer Security: Special Issue on Security of Ad Hoc and Sensor Networks, 15 (2007), 103-128.

Raya, M., Hubaux, J.-P., & Aad, I. (2004). DOMINO: A system to detect greedy behavior in IEEE
802.11 hotspots. In Proceedings of the Second International Conference on Mobile Systems, Applications, and Services (MobiSys '04), Boston, MA, (pp. 84-97).

Rivest, R.L., Adleman, L., & Dertouzos, M.L. (1978). On data banks and privacy homomorphisms (pp. 169-179). Foundations of secure computation. Academic Press.

Salem, N.B., Buttyan, L., Hubaux, J.-P., & Jakobsson, M. (2003). A charging and rewarding scheme for packet forwarding in multi-hop cellular networks. In Proceedings of MobiHoc'03, Annapolis, MD, (pp. 13-24). ACM Press.

Sanzgiri, K., Dahill, B., Levine, B.N., Shields, C., & Royer, E.M. (2002). A secure routing protocol for ad hoc networks. In Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP'02), Paris, (pp. 78-87). IEEE.

Song, N., Qian, L., & Li, X. (2005). Wormhole attacks detection in wireless ad hoc networks: A statistical analysis approach. In Proceedings of 19th IEEE International Parallel and Distributed Processing Symposium (IPDPS '05), Denver, CO, (pp. 289-296).

Srinivasan, V., Nuggehalli, P., Chiasserini, C.F., & Rao, R.R. (2003). Cooperation in wireless ad hoc networks. In Proceedings of IEEE INFOCOM, San Francisco, (pp. 808-817).

Stajano, F., & Anderson, R.J. (1999). The resurrecting duckling: Security issues for ad-hoc wireless networks. In B. Christiano, B. Crispo, & M. Roe (Eds.), Security Protocols, 7th International Workshop Proceedings (LNCS, vol. 1796, pp. 172-194).

Sterne, D., Balasubramanyam, P., Carman, D., Wilson, B., Talpade, R., Ko, C., et al. (2005). A general cooperative intrusion detection architecture for MANETs. In Proceedings of the 3rd IEEE International Workshop on Information Assurance (IWIA '05), Oahu, HI, (pp. 57-70).

Sun, B., Wu, K., & Pooch, U.W. (2003). Alert aggregation in mobile ad hoc networks. In Proceedings of the 2003 ACM Workshop on Wireless Security (WiSe '03) in conjunction with the 9th Annual International Conference on Mobile Computing and Networking (MobiCom '03), San Diego, (pp. 69-78). ACM Press.

Venkatraman, L., & Agrawal, D. (2000). A novel authentication scheme for ad hoc networks. Paper presented at the IEEE Wireless Communications and Networking Conference (WCNC 2000), Chicago, IL, (Vol. 3, pp. 1268-1273). IEEE.

Weimerskirch, A., & Thonet, G. (2001). A distributed light-weight authentication model for ad-hoc networks. In Proceedings of 4th International Conference on Information Security and Cryptology (ICISC 2001), Seoul, Korea, (pp. 341-354). ACM Press.

Xu, W., Trappe, W., Zhang, Y., & Wood, T. (2005). The feasibility of launching and detecting jamming attacks in wireless networks. In Proceedings of the Sixth ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc '05), Urbana Champaign, IL, (pp. 48-57). ACM Press.

Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004). Security in mobile ad hoc networks: Challenges and solutions. IEEE Wireless Communications, 11(1), 38-47.

Zapata, M.G. (2006). Secure ad hoc on-demand distance vector (SAODV) routing. INTERNET DRAFT, MANET working group. Retrieved December 12th, 2006, from http://www.ietf.org/internet-drafts/draft-guerrero-manet-saodv-06.txt.

Zhang, Y., Lee, W., & Huang, Y. (2003). Intrusion detection techniques for mobile wireless networks. Wireless Networks Journal (ACM WINET), 9(5), 545-556. ACM/Kluwer Press.

Zhong, S., Chen, J., & Yang, Y.R. (2003). Sprite: A simple, cheat-proof, credit-based system for mobile ad-hoc networks. In Proceedings of IEEE Infocom, San Francisco, (pp. 1987-1997). IEEE.

Zhou, L., & Haas, Z. (1999). Securing ad hoc networks. IEEE Network, 13(6), 24-30.

Zhu, S., Xu, S., Setia, S., & Jajodia, S. (2003). LHAP: A lightweight hop-by-hop authentication
protocol for ad-hoc networks. In Proceedings of 23rd International Conference on Distributed Computing Systems Workshops (ICDCSW '03), Providence, RI, (pp. 749-755). IEEE.

Zimmermann, P. (1995). The official PGP user's guide. MIT Press.

Key Terms

Authentication: The processes of verifying the identity of an entity if it is indeed the entity it declares to be.

Intrusion Detection: The techniques or processes of detecting inappropriate, incorrect, or anomalous activities.

Key Management: The techniques or processes of creating, distributing, and maintaining a secret key, which will be used to protect the secrecy of communications or to ensure the original data are not maliciously altered.

MANET (mobile ad hoc network): An infrastructure-less, self-organizing network of mobile hosts connected with wireless communication channels. A MANET does not have a fixed topology because all the hosts can move freely, which results in rapid and unpredictable topology change.

Medium Access Control (MAC): A sublayer of the data link layer specified in the seven-layer OSI (open systems interconnection) model. It addresses problems of moving data frames across a shared channel.

Routing: The process of selecting paths in a network along which to send data packets.

Security: The concepts, measures, or processes of protecting data from unauthorized access or disruption.

End Note

1 Signal jamming can also be launched at physical layer, but it is not within the scope of this chapter because it is more related to electrical engineering than computer security.
Chapter XXVII
Privacy and Anonymity in
Mobile Ad Hoc Networks
Christer Andersson
Combitech, Sweden
Leonardo A. Martucci
Karlstad University, Sweden
Simone Fischer-Hübner
Karlstad University, Sweden
Abstract
Providing privacy is often considered a keystone factor for the ultimate take up and success of mobile ad
hoc networking. Privacy can best be protected by enabling anonymous communication and, therefore,
this chapter surveys existing anonymous communication mechanisms for mobile ad hoc networks. On
the basis of the survey, we conclude that many open research challenges remain regarding anonymity
provisioning in mobile ad hoc networks. Finally, we also discuss the notorious Sybil attack in the context
of anonymous communication and mobile ad hoc networks.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
communication mechanisms, to, for instance, enable pseudonymous applications.

This chapter investigates how anonymous communication can be enabled in mobile ad hoc networks (Corson & Macker, 1999); networks constituted by mobile platforms that establish on-the-fly wireless connections among themselves and ephemeral networks without central entities to control them. They are of great importance as they constitute a basic core functionality needed for deploying ubiquitous computing. In short, ubiquitous computing would allow for computational environments providing information instantaneously through "invisible interfaces," thus allowing unlimited spreading and sharing of information. If realized, ubiquitous computing could offer an invaluable support for many aspects of our society and its institutions. However, if privacy aspects are neglected, there is a great likelihood that the end product will resemble an Orwellian nightmare.

In this chapter, we study how privacy and anonymity issues are tackled today in mobile ad hoc networks by surveying existing anonymous communication mechanisms adapted for mobile ad hoc networks¹. Only recently, a number of such proposals have been suggested. In the survey, we evaluate some of these approaches against a set of general requirements (Andersson, Martucci, & Fischer-Hübner, 2005), which assess to which degree these approaches are suitable for mobile ad hoc networks. We also discuss Sybil attacks (Douceur, 2002) in the context of anonymous communication and mobile ad hoc networks.

This chapter is structured as follows. First, an introduction to privacy, anonymity, and anonymity metrics is provided in "Background." Then, existing approaches for enabling anonymity in ad hoc networks are described in "Anonymous Communication in Mobile Ad Hoc Networks." In "Survey of Anonymous Communication Mechanisms for Ad Hoc Networks" these approaches are evaluated against the aforementioned requirements. Then, Sybil attacks in the context of anonymous communication and mobile ad hoc networks are discussed in "Future Trends." Finally, conclusions are drawn in "Conclusions."

Background

In this section, the concepts of privacy and anonymity and their relation are introduced. Methods for quantifying anonymity are also discussed.

Definitions of Anonymity and Related Concepts

Pfitzmann and Hansen (2006) define anonymity as "the state of being not identifiable within a set of subjects, the anonymity set" (p. 6). The anonymity set includes all possible subjects in a given scenario, such as possible senders of a message.

Related to anonymity is unlinkability, where unlinkability of two or more items of interest (IOIs, e.g., subjects, messages, events, actions, etc.) means that within the system (comprising these and possibly other items), from the attacker's perspective, these items of interest are no more and no less related after his observation than they are related concerning his a-priori knowledge. (Pfitzmann & Hansen, 2006, p. 8)

Anonymity can be defined in terms of unlinkability: sender anonymity entails that a message cannot be linked to the sender, while receiver anonymity implies that a message cannot be linked to the receiver (see Figure 1).

Figure 1. Unlinkability between a user in the anonymity set and an item of interest

In traditional networks, such as the Internet, anonymous communication is often realized by anonymous overlay networks, which establish virtual paths consisting of one or more intermediary nodes, along which packets are transmitted. Using methods described below, the anonymous overlay network constructs the paths in such a manner that the correlation between the sender and receiver, and possibly also the identity of the sender and/or the receiver, is hidden.

A classic method enabling anonymity, where the sender determines the full path, is layered encryption²: a message is wrapped into several encryption layers. As the message propagates through the network, these layers are sequentially decrypted by each successive node in the path, until the receiver decrypts the final layer. Each layer usually includes the identity of the next node in the path and a symmetric key shared with the initiating node (see Figure 2). In this way, expensive public key encryption is only used for constructing the path; for data delivery symmetric encryption is used. Messages encrypted in layers are often denoted message onions. Layered encryption enables anonymity as intermediary nodes do not know whether their predecessor and successor nodes are the sender or receiver, respectively.

Figure 2. Setting a path between A and D (through B and C) using layered encryption; PKB and PKC are the public keys of B and C. KAB and KAC are shared symmetric keys. D is an external receiver

An alternative approach, first applied in Crowds (Reiter & Rubin, 1997), is to let the sender select its successor randomly, which in turn flips a biased coin to decide whether it should end the path and connect to the receiver, or extend the path to a random node. The flipping of the biased coin is repeated until a node decides to connect to the receiver (see Figure 3). In this approach, link-to-link encryption between intermediary hops in the path is usually combined with end-to-end encryption. This approach enables sender anonymity towards network nodes and the receiver, as neither of these nodes can deduce if the previous node in the path is the sender.

Another method specifically tailored for providing receiver anonymity is invisible implicit addressing (Pfitzmann & Waidner, 1987). Invisible implicit addressing hides the identity of the receiver by first encrypting a message (or a part of it) with the receiver's public key (or a shared symmetric key). Instead of sending the message directly to the receiver, the message is then broadcasted to all nodes in the network, which all must try to decrypt the message. However, only the intended receiver will be able to successfully decrypt the message.

On the Relation between Privacy and Anonymity

Privacy is recognized either explicitly or implicitly as a fundamental human right by most constitutions of democratic societies. Privacy can be defined as the right to informational self-determination, that is, individuals must be able to determine for themselves when, how, to what extent, and for what purpose personal information about them is communicated to others.

In Europe, the right for privacy of individuals is protected by a legal framework mainly consisting of the EU Data Protection Directive 95/46/EC, which defines general privacy requirements, and the E-Communications Privacy Directive 2002/58/EC, which specifically applies to personal data processing within the electronic communication sector.

An important privacy principle is data minimization, stating that the collection and processing of personal data should be minimized. Clearly, the less personal data are collected or processed, the less the right to informational self-determination is affected. Art. 6 (1) of the EU Data Protection Directive 95/46/EC embodies the principle of data minimization by stating that personal data should be limited to data that are adequate, relevant, and not excessive, and by requiring that data should only be kept in a form that permits identification of data subjects for no longer than it is necessary for the purpose for which the data were collected or for which they are further processed. Consequently, technical tools such as privacy-enhancing technologies should be available to contribute to the effective implementation of these requirements by providing anonymity and/or pseudonymity for the users and other concerned individuals.

More specific legal requirements for anonymization can also be found in the E-Communications Privacy Directive 2002/58/EC: Pursuant to Art. 9 of the Directive: location data may only be processed when they are made anonymous, or with the consent of the user or subscriber to the extent and for the duration necessary for the provision of a value-added service.

Measuring Anonymity

This section discusses anonymity metrics, which quantify the degree of anonymity in a given scenario in the following manner. First, the given attacker model, together with the properties of the anonymous communication mechanism, are passed
A classic indicator of anonymity is the size of the anonymity set. This metric is appropriate for mechanisms in which all users are equally likely to be the sender of a particular message, as in the DC-networks (Chaum, 1988) or Crowds, regarding the Web server (Reiter & Rubin, 1997).
K-anonymity
If a mechanism provides k-anonymity (Sweeney, 2002), k constitutes a lower bound of the anonymity set size n. For example, k = 3 implies that an attacker cannot exclude more than (n − 3) users from the anonymity set.
Crowds-based metric
In the Crowds-based metric³ (Reiter & Rubin, 1997), anonymity is measured on a continuum, including the points possible innocence (the probability that a user is not the sender is not negligible), probable innocence (1/2 ≥ the probability that a user is a sender), and beyond suspicion (the user is not more likely than any other user to be the sender). The analysis is based on the communication patterns in Crowds, and the result is a probability depending on the anonymity set size and the number of corrupted users.
Entropy-based metrics
as input to the anonymity metric. Then, the metric determines the degree of anonymity using, for example, analysis or simulation, depending on the metric at hand. In Table 1, we summarize the most common anonymity metrics.

Although the metrics listed above differ in many respects, the main parameters contributing to the degree of anonymity in all metrics are size of anonymity set (anonymity set size and k-anonymity), probability distributions (entropy-based metric by Diaz et al.), and both (entropy-based metric by Serjantov and Danezis and the Crowds-based metric).

Anonymous Communication in Mobile Ad Hoc Networks

In proactive routing protocols (Perkins, 2001), each node always maintains routes to all other nodes, including nodes to which no packets are being sent. Standard proactive protocols do not enable anonymity as all nodes know significant amounts of information about other nodes.

In reactive routing protocols (Perkins, 2001), routes between nodes are established on demand, meaning that fewer packets are circulated in the network, for example, for status sensing. Standard reactive routing protocols also fail to enable anonymity. As a proof of concept, consider the reactive protocols dynamic source routing (DSR) (Johnson & Maltz, 1996) and ad hoc on-demand distance vector routing (AODV) (Perkins & Royer, 1999).

• In DSR, during route discovery⁴ the route request (RREQ) includes the IP addresses of the sender and receiver in plain. The IPs are also disclosed by the route reply (RREP) message. During data transfer, the path between the sender and receiver is included in plain in the packet headers.
• Also in AODV, the RREQ and RREP messages disclose the sender and receiver IP addresses. Also, routing data at each node in an active path discloses the receiver IP.
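What a forwarding node reads from the AODV control traffic described above, as an added example that is not part of the original chapter. The RREQ and RREP layouts follow RFC 3561; the addresses, sequence numbers and the `CAPTURE` list are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
import struct

# AODV control message layouts (RFC 3561, sections 5.1 and 5.2), network byte order.
# RREQ: type, flags/reserved, hop count, RREQ id, dest IP, dest seq, originator IP, originator seq
RREQ = struct.Struct("!BHBI4sI4sI")
# RREP: type, flags/prefix size, hop count, dest IP, dest seq, originator IP, lifetime
RREP = struct.Struct("!BHB4sI4sI")


def ip(raw):
    """Render four packed bytes as dotted-quad text."""
    return str(ipaddress.IPv4Address(raw))


def parse_aodv(payload):
    """Return the endpoint fields any node reads when it processes an AODV message."""
    if not payload:
        raise ValueError("empty AODV payload")
    kind = payload[0]
    if kind == 1 and len(payload) >= RREQ.size:
        _, _, hops, rreq_id, dst, _, orig, _ = RREQ.unpack_from(payload)
        return {"msg": "RREQ", "originator": ip(orig), "destination": ip(dst),
                "hops": hops, "rreq_id": rreq_id}
    if kind == 2 and len(payload) >= RREP.size:
        _, _, hops, dst, _, orig, _ = RREP.unpack_from(payload)
        return {"msg": "RREP", "originator": ip(orig), "destination": ip(dst),
                "hops": hops}
    raise ValueError("not a complete RREQ or RREP")


def disclosed_relations(capture):
    """Map each (sender, receiver) pair to the message types that revealed it."""
    relations = {}
    for payload in capture:
        try:
            msg = parse_aodv(payload)
        except ValueError:
            continue  # truncated or unrelated payloads reveal nothing here
        pair = (msg["originator"], msg["destination"])
        relations.setdefault(pair, set()).add(msg["msg"])
    return relations


def _addr(text):
    return ipaddress.IPv4Address(text).packed


# Constructed sample: what one intermediate node forwards during two route discoveries.
CAPTURE = [
    RREQ.pack(1, 0, 2, 7, _addr("10.0.0.9"), 0, _addr("10.0.0.1"), 41),
    RREP.pack(2, 0, 1, _addr("10.0.0.9"), 88, _addr("10.0.0.1"), 3000),
    RREQ.pack(1, 0, 0, 3, _addr("10.0.0.4"), 0, _addr("10.0.0.6"), 12),
    b"\x01\x00",  # truncated message, ignored
]

if __name__ == "__main__":
    for pair, seen_in in disclosed_relations(CAPTURE).items():
        print(pair, sorted(seen_in))
```

Every node that forwards either message type learns the full sender/receiver relation, which is the property the anonymous routing protocols surveyed below set out to remove.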
This situation applies for virtually any standard routing protocol. So far, two methods for enabling anonymous communication in mobile ad hoc networks have been proposed: anonymous routing protocols and anonymous overlay networks. They are explained in the next sections.

Anonymous Routing Protocols

An anonymous routing protocol replaces the standard routing protocol with a protocol preserving anonymity (see Figure 4). Anonymous routing protocols normally include building blocks for anonymous neighborhood authentication, anonymous route discovery, and anonymous data transfer. The first phase is not always included; instead many approaches assume that other mechanisms offer this service.

During anonymous neighborhood authentication, nodes establish trust relationships with their neighbors (i.e., nodes within one-hop distance). "Trust" implies that the nodes prove mutual possession of some valid identifiers, such as certificates, pseudonyms, public/private key-pairs, or combinations thereof.

The task of anonymous route discovery is to establish an anonymous path between the sender and receiver. Sender anonymity is often achieved through layered encryption. Sometimes, receiver anonymity is enabled by invisible implicit addressing, meaning in this context that a challenge is included in the RREQ that only the receiver can decrypt⁵.

The main disadvantage with invisible implicit addressing is that all nodes receiving the RREQ must try to decrypt the challenge, resulting in considerable overhead (especially as the RREQ reaches all nodes). When the RREP is propagated back to the sender on the path created by the corresponding RREQ message, visible implicit addressing (Pfitzmann & Waidner, 1987) is often used to hinder nodes other than the sender from matching RREP messages with corresponding RREQ messages. This is often enabled by including sequence numbers in the RREP and RREQ so that only the sender can conclude that the sequence number of a given RREP corresponds to an earlier sent out RREQ.

During anonymous data transfer, data messages are sent along the paths created during route discovery. Only protocols that use source routing can apply layered encryption, as the sender in this case needs to decide the full path. Else, link-to-link encryption, possibly combined with end-to-end encryption, is normally used.
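The two building blocks named above, invisible implicit addressing in the RREQ and layered encryption (message onions) along a source route, in an added sketch that is not code from the chapter or from any surveyed protocol. It assumes the sender already shares a symmetric key with every hop, uses a toy HMAC-SHA256 cipher as a stand-in for a real authenticated cipher, and all node names, keys and function names are constructed.

```python
import hashlib
import hmac
import os


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _stream(key, nonce, n):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Toy encrypt-then-MAC cipher (assumption: stands in for a real AEAD)."""
    nonce = os.urandom(16)
    pad = _stream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, pad))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Return the plaintext, or None if this key does not open the blob."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    pad = _stream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


TRAPDOOR_TEXT = b"destination"


def open_trapdoor(trapdoor, keyrings):
    """Invisible implicit addressing: every node hearing the RREQ tries every key it holds."""
    receiver, trials = None, 0
    for node, keys in keyrings.items():
        for key in keys:
            trials += 1
            if unseal(key, trapdoor) == TRAPDOOR_TEXT:
                receiver = node
                break
    return receiver, trials


def build_onion(path, keys, payload):
    """The sender wraps the payload once per hop; each layer names only the next hop."""
    blob, next_hop = payload, ""          # empty next hop marks the final receiver
    for node in reversed(path):
        header = bytes([len(next_hop)]) + next_hop.encode()
        blob = seal(keys[node], header + blob)
        next_hop = node
    return blob


def peel(key, blob):
    """A hop removes its own layer and learns the next hop, nothing more."""
    plain = unseal(key, blob)
    if plain is None:
        return None
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]


def forward(path, keys, onion):
    """Carry the onion hop by hop and record what each node could read."""
    views, node, blob = {}, path[0], onion
    while True:
        result = peel(keys[node], blob)
        if result is None:
            raise ValueError("layer not addressed to " + node)
        next_hop, blob = result
        views[node] = next_hop
        if next_hop == "":
            return blob, views
        node = next_hop


NODES = ["S", "B", "C", "D", "E"]         # constructed network; S is the sender


def pair_key(a, b):
    """Constructed pairwise key; a deployment would negotiate or provision these."""
    return hashlib.sha256("|".join(sorted((a, b))).encode()).digest()


def demo():
    keyrings = {n: [pair_key(n, p) for p in sorted(NODES) if p != n]
                for n in NODES if n != "S"}
    trapdoor = seal(pair_key("S", "D"), TRAPDOOR_TEXT)
    receiver, trials = open_trapdoor(trapdoor, keyrings)
    path = ["B", "C", "D"]
    hop_keys = {n: pair_key("S", n) for n in path}
    onion = build_onion(path, hop_keys, b"hello D")
    payload, views = forward(path, hop_keys, onion)
    return receiver, trials, payload, views, len(onion)
```

With four listening nodes holding four keys each, one RREQ costs 16 trial decryptions to find a single receiver. The onion also shrinks by one layer at every hop, which is why several of the surveyed protocols pad messages.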
Figure 4. Anonymous routing protocol
Figure 5. Anonymous overlay network
Table 2. Pros and cons with anonymous routing protocols and anonymous overlay networks
Advantages with Anonymous Routing Protocols
They make it possible to control already on the routing level what information is being disclosed during routing. Yet, this does not
exclude the possibility that additional efforts may be needed in upper layers. Also, most approaches use the shortest path between
the sender and receiver.
Disadvantages with Anonymous Routing Protocols
The replacement of the standard routing protocol; this will likely decrease the user base, which degrades anonymity according
to many metrics. Besides, nodes may be exposed if a connection-oriented transport layer is used above the anonymous routing
protocol, as they establish direct connections between nodes.
Advantages with Anonymous Overlay Networks
Flexibility; an anonymous overlay network is independent of the routing protocol and, further, compatible with applications expecting
services from for example, a reliable transport layer.
Disadvantages with Anonymous Overlay Networks
The performance can be expected to be slightly worse as messages are detoured through a set of overlay nodes, instead of being
transmitted on the shortest route between the sender and recipient.
The RREP is created as a message onion. During data transfer, it is not specified whether or not the data payload is encrypted.

R1. It is unclear how senders and receivers share symmetric keys. Given that they share a key, to solve the challenge in the RREQ, the receiver may have to try all keys shared with other nodes (see R4). Further, other network nodes must try all their shared keys to conclude that they are not the intended receiver.
R2. ANODR offers sender and receiver anonymity against observers, path insiders, and network nodes. Senders and receivers are not mutually anonymous. ANODR uses traffic mixing to thwart observers, where messages are independently and randomly delayed. Yet, traffic patterns are leaked as only nodes assumed to forward the RREP do so. Further, as the payload of data messages is not altered at intermediary hops, it is trivial for a global observer to trace data traffic.
R3. Each node must spend considerable resources when forwarding RREQ packets.
R4. There are serious performance issues in ANODR (see R1). Although ANODR has performed reasonably well in a simulation scenario, problems can be expected in a real world scenario.
R5. No special nodes are needed, and thus ANODR adheres well to the P2P paradigm.
R6. ANODR supports path rebuilding in case of broken paths. However, it is unclear how new nodes should share symmetric keys with old nodes.

Discount Anonymous On-Demand Routing (Discount ANODR)

Discount ANODR (Yang, Jakobsson, & Wetzel, 2006) is a low-latency source routing protocol that avoids invisible implicit addressing. A random time-to-live counter is used for RREQ/RREP messages to confuse observers (implemented by flipping a biased coin). Data are sent as message onions along unidirectional paths (i.e., a new path must be built for the reply).

R1. Discount ANODR can be expected to scale well. However, the bias of the coin flipping may have to be adapted if the geographical size of the network increases.
R2. Discount ANODR provides sender anonymity against local observers, as the coin flipping and random padding during route discovery confuse observers to a certain degree. No receiver anonymity. Data messages are padded with random bits.
R3. There are no special nodes and no public encryption on behalf of other nodes.
R4. Discount ANODR avoids public key encryption and invisible implicit addressing. The coin flipping may degrade performance as nodes on the shortest path may drop the RREQ, resulting in nonoptimal paths. Also, RREP packets can be lost for the same reason. Unidirectional paths also hamper performance.
R5. The nodes have to collectively administrate two values determining the bias of the coins deciding whether a node should forward a RREQ and a RREP, respectively.
R6. Discount ANODR rebuilds broken paths, but does not discuss how to collectively adapt the bias of the coin flipping when the network characteristics change.

Anonymous Routing Protocol for Mobile Ad Hoc Networks (ARM)

ARM (Seys & Preneel, 2006) aims to foil global observers by using random time-to-live values and padding for all messages. Senders and receivers share one-time pseudonyms. Invisible implicit addressing hides the receiver by including the secret pseudonym in the RREQ. The RREP is created as a message onion. Link-to-link encryption is used for data transfer.

R1. As a tight synchronization scheme is used between sender and recipients, it is assumed that senders share keys and pseudonyms with a limited set of receivers.
R2. ARM offers sender and receiver anonymity against network nodes, path insiders, and observers. Senders and receivers have an a-priori relationship. In ARM, data messages have a uniform size, RREQ/RREP messages are randomly padded, and RREQ/RREP/data messages are propagated using random time-to-live values. The effectiveness of this limited dummy traffic is not formally proven.
R3. While no nodes perform public key operations, the amount of nodes forwarding RREQ/RREP and data messages increases due to the random time-to-live values.
R4. If assuming a static environment, there are no conclusive arguments orthogonal to performance. However, all nodes in ARM generate overhead traffic. ARM has not yet been simulated to assess the performance.
R5. There are no special nodes in ARM. In a real world scenario, central infrastructure may be required to realize the assumption that each node should possess a unique identifier; it is unclear how this would clash with the P2P paradigm.
R6. The assumption that each node establishes a broadcast key with its neighbors is problematic when considering dynamic topologies. Further, ARM does not consider path rebuilding in case of broken paths.

Distributed Anonymous Secure Routing Protocol (ASRP)

ASRP (Cheng & Agrawal, 2006) is a routing protocol not based on source routing where nodes are known by dynamic random pseudonyms. Invisible implicit addressing (based on public encryption) is used for both RREQ and RREP packets. Data messages are link-to-link and end-to-end encrypted. It is not specified whether the paths are bidirectional or unidirectional.

R1. All nodes in the network must perform two public key operations per RREQ (one private key decryption and one public key generation). This hampers scalability as the more nodes in the network, the more generated RREQ packets.
R2. Senders and receivers are not mutually anonymous as they have an a-priori relationship. Anonymity is offered against path insiders and network nodes, and ASRP alters message appearance and maintains a uniform message size to confuse attackers.
R3. All nodes spend significant resources when forwarding RREQ and RREP packets. For the RREQ, see R1. For propagation of RREP packets, all nodes on the path must perform three public key operations (one private key decryption and two public key encryptions).
R4. The performance of ASRP has not been simulated. Route discovery can be expected to offer a low performance, as public key encryption is extensively used.
R5. No special nodes are needed, and thus ASRP adheres to the P2P paradigm.
R6. Path rebuilding in case of broken paths is not considered. This means that the expensive route discovery process has to be initiated for each case of path failure.

Privacy Preserving Routing (PPR)

PPR (Capkun, Hubaux, & Jakobsson, 2004) is a proactive protocol for communication between ad hoc networks interconnected by fixed access points (AP). Nodes know each other by temporal pseudonyms. In the sender network, nodes maintain the shortest path to the AP. In the receiver's network, the AP maintains the shortest paths to the nodes. Routing consists of three parts: uplink (distance vector protocol), inter-station, and downlink (source routing). In uplink, a sender sends a message that reaches the AP as a message onion. In downlink, the receiver's AP sends an onion to the receiver.

R1. The AP and the CA are the major points of workload aggregation in PPR, but as these are centrally offered services, PPR can be expected to scale well.
R2. PPR offers sender and receiver anonymity
Table 5. Summary of survey results (left) and summary of anonymity requirement R2 (right)
threat to all computer networks, including mobile ad hoc networks. We expect that the area of enabling reliable identifiers in a privacy-friendly manner is an interesting future research area.

References

Andersson, C., Martucci, L. A., & Fischer-Hübner, S. (2005). Requirements for privacy: Enhancements in mobile ad hoc networks. In Proceedings of the 3rd German Workshop on Ad Hoc Networks (WMAN 2005) (pp. 344-348). Gesellschaft für Informatik (GI).

Boukerche, A., El-Khatib, K., Xu, L., & Korba, L. (2004). A novel solution for achieving anonymity in wireless ad hoc networks. In Proceedings of the 7th ACM International Symposium on Modeling, Analysis and Simulation of Wireless and Mobile Systems (pp. 30-38).

Capkun, S., Hubaux, J. P., & Jakobsson, M. (2004). Secure and privacy-preserving communication in hybrid ad hoc networks (EPFL-IC Tech. Rep. No. IC/2004/10). Lausanne, Switzerland: Laboratory for Computer Communications and Applications (LCA)/Swiss Federal Institute of Technology Lausanne (EPFL).

Chaum, D. (1981). David Chaum: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2), 84-88.

Cheng, Y., & Agrawal, D. P. (2006). Distributed anonymous security routing protocol in wireless mobile ad hoc networks. Paper presented at the OPNETWORK 2005.

Corson, M. S., & Macker, J. (1999). Mobile ad hoc networking (MANET): Routing protocol performance issues and evaluation considerations (RFC-2501), Internet RFC/STD/FYI/BCP Archives.

Dıaz, C., Seys, S., Claessens, J., & Preneel, B. (2002). Towards measuring anonymity. In Proceedings of the Workshop on Privacy Enhancing Technologies (PET 2002) (LNCS 2482). Springer-Verlag.

Douceur, J. R. (2002). The Sybil attack. In P. Druschel, F. Kaashoek, & A. Rowstron (Eds.), Peer-to-peer Systems: Proceedings of the 1st International Peer-to-Peer Systems Workshop (IPTPS) (pp. 251-260). Springer-Verlag.

Goldschlag, D. M., Reed, M. G., & Syverson, P. F. (1996). Hiding routing information. Information hiding (LNCS 1174, pp. 137-150). Springer-Verlag.

Jiang, S., Vaidya, N. H., & Zhao, W. (2004). A mix route algorithm for mix-net in wireless mobile ad hoc networks. In Proceedings of the 1st IEEE International Conference on Mobile Ad Hoc and Sensor Systems (MASS 2004).

Johnson, D. B., & Maltz, D. A. (1996). Dynamic source routing in ad hoc wireless networks. In Computer Communications Review: Proceedings of the ACM SIGCOMM'96 Conference on Communications Architectures, Protocols and Applications.

Kong, J., Hong, X., Sanadidi, M. Y., & Gerla, M. (2005). Mobility changes anonymity: Mobile ad hoc networks need efficient anonymous routing. In Proceedings of the 10th IEEE Symposium on Computers and Communications (ISCC 2005).

Levine, B. N., Shields, C., & Margolin, N. B. (2006). A survey of solutions to the Sybil attack (Tech. Rep. 2006-052). Amherst, MA: University of Massachusetts Amherst.

Martucci, L. A., Andersson, C., & Fischer-Hübner, S. (2006). Chameleon and the identity-anonymity paradox: Anonymity in mobile ad hoc networks. In Short-Paper Proceedings of the 1st International Workshop on Security (IWSEC 2006) (pp. 123-134).

Martucci, L., Kohlweiss, M., Andersson, C., & Panchenko, A. (2008). Self-certified Sybil-free pseudonyms. In 1st ACM Conference on Wireless Network Security (WiSec 2008).

Perkins, C. E. (2001). Ad hoc networking. Addison-Wesley Professional.

Perkins, C. E., & Royer, E. M. (1999). Ad-hoc on demand distance vector routing. In Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications (WMCSA '99).

Pfitzmann, A., & Hansen, M. (2006). Anonymity, unlinkability, unobservability, pseudonymity, and identity management: A consolidated proposal for terminology v0.27. Retrieved April 25, 2007, from http://dud.inf.tu-dresden.de/literatur/Anon_Terminology_v0.28.doc

Pfitzmann, A., & Waidner, M. (1987). Networks without user observability. Computers and Security, 6(2), 158-166.

Piro, C., Shields, C., & Levine, N. L. (2006). Detecting the Sybil attack in mobile ad hoc networks. In Proceedings of the IEEE/ACM International Conference on Security and Privacy in Communication Networks (SecureComm).

Reiter, M., & Rubin, A. (1997). Crowds: Anonymity for Web transactions. Technical report No. 97-15, DIMACS (pp. 97-115).

Serjantov, A., & Danezis, G. (2002). Towards an information theoretic metric for anonymity. In Proceedings of the Workshop on Privacy Enhancing Technologies (PET 2002) (LNCS 2482). Springer-Verlag.

Seys, S., & Preneel, B. (2006). ARM: Anonymous routing protocol for mobile ad hoc networks. In Proceedings of International Workshop on Pervasive Computing and Ad Hoc Communications (PCAC '06).

Shannon, C. E. (1948). A mathematical theory of communication. The Bell System Technical Journal, 27, 379-423.

Song, R., Korba, L., & Yee, G. (2005). AnonDSR: Efficient anonymous dynamic source routing for mobile ad-hoc networks. In Proceedings of the 2005 ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 2005) (pp. 32-42). Alexandria.

Sweeney, L. (2002). k-Anonymity: A model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10(5), 557-570.

Yang, L., Jakobsson, M., & Wetzel, S. (2006). Discount anonymous on demand routing for mobile ad hoc networks. In Proceedings of SecureComm 2006, Baltimore, MD.

Zhang, Y., Liu, W., & Lou, W. (2005). Anonymous communication in mobile ad hoc networks. In Proceedings of the 24th Annual Joint Conference of the IEEE Communication Society (INFOCOM 2005), Miami.

Key Terms

Anonymity: The state of being not identifiable within a set of subjects.

Anonymity Metrics: Metrics for quantifying the degree of anonymity in a scenario.

Mobile Ad Hoc Network: Networks constituted of mobile devices which may function without the help of central infrastructure or services.

Privacy: The right to informational self-determination, that is, individuals must be able to determine for themselves when, how, to what extent, and for what purpose personal information about them is communicated to others.

Receiver Anonymity: Implies that a message cannot be linked to the receiver.

Sender Anonymity: Means that a message cannot be linked to the sender.

Unlinkability: If two items are unlinkable, they are no more or less related after an attacker's observation than they are related concerning the attacker's a-priori knowledge.

End Notes

1 As devices in ad hoc networks are responsible for their own services, including security and routing, protocols for anonymous communication for wired networks are not suitable for ad hoc networks, not even those based on the peer-to-peer paradigm (P2P) (Andersson et al., 2005).
2 This method is sometimes also called telescope encryption. A public key based version of the method was initially introduced by Chaum (1981). Onion Routing, which only uses public key encryption for setting the path, and then relies on symmetric encryption, was later proposed by Goldschlag, Reed, and Syverson (1996).
3 The Crowds-based metric was developed for Crowds, but has since been used in other contexts.
4 This denotes the process of setting a path between the sender and a receiver. First, the sender floods a route request (RREQ) into the network, which triggers the sending of a route reply (RREP) from the receiver to the sender. During the propagation of the RREQ and RREP, respectively, the path is interactively formed.
5 In the context of mobile ad hoc networks, this method is often referred to as a global trapdoor.
6 In the survey, we omit approaches relying on the existence of either a positioning device (e.g., GPS) in the mobile devices or a location server in the mobile ad hoc network.
7 A global observer is an observer that is capable of observing all network traffic in the whole network.
8 Note that no anonymity is provided against the access points (not included in attacker model).
9 Batching and reordering traffic to hide the correlation between incoming and outgoing traffic.
10 No sender anonymity if path length is one.
11 No receiver anonymity against last mix on the path.
12 It is commonly believed that omnipresent protection against a global observer can only be achieved if all nodes transmit a constant flow of traffic, requiring massive usage of dummy traffic.
Chapter XXVIII
Secure Routing with
Reputation in MANET
Tomasz Ciszkowski
Warsaw University, Poland
Zbigniew Kotulski
Warsaw University, Poland
Abstract
Figure 1. Model of distributed reputation system providing the following vector metrics: own experience $OE^B(A)$, votes $V^B(A)$, service reputation $SR^B(A)$, cumulative reputation $CR^B(A)$ and path reputation $PR^B(A)$
Secure Routing with Reputation in MANET
depends on a set of weighted metrics m monitored by a node during network packets exchanging. A metrics vector corresponds to all kinds of detectable observations such as every overheard packet modifications, attacks (DoS, replay attack, etc.), and network quality of service (QoS) parameters, for example, transmission delay and packet drops. This set of direct measurement is evaluated by expectation function E, which allows the assigning

taking into account the information reputation (IR) of recommending nodes. Considering a set $G^V$ of voting nodes on A, the node B takes into account only nodes with positive IR. Own information is usually more valuable (Kong et al., 2005; Buchegger, 2005), hence scaling factor ∈ <0, 1> is introduced to the formula:

$$SR_n^B(A) = \ OE_n^B(A) + (1 - \ )\,\frac{\sum_{p \in G^V \setminus B} IR_n^B(p)\,V_n^{Bp}(A)}{\sum_{p \in G^V \setminus B} IR_n^B(p)}, \qquad IR_n(p) > 0$$
$$CR_n^B(A) = \frac{\sum_{p \in G_A^V \setminus G_B^V} V_n^{Bp}(A)}{\left| G_A^V \setminus G_B^V \right|}, \qquad IR_n(p) > 0 \tag{6}$$

where $\hat{R}_n^O$ and $\hat{R}_n^V$ are estimators of autocorrelation function known as a convolution time series evaluated for a linear and stationary system, such as a reputation system:

$$\hat{R}_i^O = \sum_{n=0}^{L-1} OE_n\,OE_{n-i} \tag{10}$$

$$\hat{R}_i^V = \sum_{n=0}^{L-1} V_n\,V_{n-i} \tag{11}$$

• Forwarding: During network operations nodes are able to verify integrity of messages anonymously forwarded on behalf of them by overhearing the first intermediate node. Every message tampering, delays, double relays, and dropping are detected as a malicious behaviour.
• Receiving: Every obtained message that could not be successfully verified, repeated messages and break down paths without error message notification coming from involved immediate node should be treated as untrustworthy.
• Anonymous path establishing: In case of ANAP, an anonymous path establishing is a three-pass process and in every phase multilayered operations are performed. By default every request packet REQ should be forwarded only once by every node. In the case of detection of behaviour inconsistent with these rules or obtaining multiple copies of reply REP or error ERR messages, the reputation system should be informed.
• Recommendation exchanging: Sharing a reputation between nodes allows a node to compare its own experience with that given by recommending nodes. In the case when one of the votes differs much from the rest of the voters there exists a presumption of node discrediting. Additional statistical cross-validation (Hildebrand, Laing, & Rosenthal, 1977) methods may be used for this case evaluation.

The interaction of the presented reputation system with the anonymous authentication protocol is performed ensuring the purely anonymous communication. The reputation information is exchanged between nodes in on-demand manner of interested node, encrypted by public key of message originator. This ensures that recommendation sharing is hidden and may be read only by legitimated recipients.

Future Trends

In the contemporary information society the mobile ad hoc network is a promising and very attractive alternative for wireless access networks. Proposed in the last section, a solution for managing routing in secure MANETs is based on the distributed reputation system. We expect in the near future a class of new attacks will appear focusing on the reputation system. Keeping in mind that the security of every system depends on its weakest point, the potential vulnerabilities of the reputation system may be treated as an important challenge for the future research. Two interesting forms of attacks for the reputation system may be Sybil and Collusion attack. In the case of the first, the attacker takes advantage of using multiple identities by adversary's node, while in the second several malicious nodes are in collusion. In both cases it is highly possible that own experience and shared reputation may be affected by these attacks. Proposed by us, autocorrelation analysis for anomaly detection in reputation recommendations may not be sufficiently sensitive to cope with mentioned attacks. Now, a statistical method validation of recommendation, such as the cross-validation (Hildebrand et al., 1977), has been proposed and is being developed. It is a very promising direction of research, since the cross-validation is very flexible and easily applicable for complex data. On the other hand, the method is mathematically rigorous, so the obtained results are verifiable and easy to implement.
Another interesting area is the secure routing in MANET enforced by an ontology-based reputation system (Caballero, Botia, & Gomez-Skarmeta, 2006). A conceptual-based reputation may be identified as a reputation created for different types of services provided in MANET with an ability of creating a similarity measures between them. This approach in a natural way improves the model of incentives for the ad hoc communication giving ability to treat MANET networks as a service oriented.
At the moment several applications apart from strict MANET paradigm take advantage of the dynamic ad hoc routing phenomenon and make use of it in an akin to MANET wireless environments such as wireless mesh networks or vehicular ad hoc networks (VANET). This example shows that researching in the MANET's area may bear unlimited applications.
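The Sybil case discussed above, run through the chapter's service-reputation formula and the autocorrelation estimators (10) and (11), as an added Python example that is not code from the chapter. The name `alpha` for the scaling factor, the value range [-1, 1], the fallback when no voter has positive IR, the zero-padding of the series and all sample numbers are assumptions made here.

```python
from typing import Dict, List


def service_reputation(own_experience: float, votes: Dict[str, float],
                       info_reputation: Dict[str, float], alpha: float) -> float:
    """SR = alpha*OE + (1-alpha) * sum(IR(p)*V_p) / sum(IR(p)), voters with IR(p) > 0 only."""
    if not 0.0 <= alpha <= 1.0:
        raise ValueError("alpha must lie in <0, 1>")
    # Keep only recommenders whose information reputation is positive.
    weights = {p: info_reputation.get(p, 0.0) for p in votes}
    weights = {p: w for p, w in weights.items() if w > 0}
    total = sum(weights.values())
    if total == 0:
        # Assumption: with no usable recommender, rely on own experience alone.
        return own_experience
    weighted_votes = sum(w * votes[p] for p, w in weights.items()) / total
    return alpha * own_experience + (1 - alpha) * weighted_votes


def autocorrelation(series: List[float], lag: int) -> float:
    """R_i = sum over n of x_n * x_(n-i); samples before the window count as 0 (assumption)."""
    return sum(series[n] * series[n - lag] for n in range(lag, len(series)))


def normalised_lag1(series: List[float]) -> float:
    """Lag-1 autocorrelation divided by the lag-0 value, for comparing two series."""
    return autocorrelation(series, 1) / autocorrelation(series, 0)


# Constructed scenario: node B rates node A. C and D are long-known voters,
# S1..S3 are three identities controlled by one adversary voting against A.
OWN = 0.8
VOTES = {"C": 0.7, "D": 0.9, "S1": -1.0, "S2": -1.0, "S3": -1.0}
IR_NEWCOMERS = {"C": 0.9, "D": 0.7, "S1": 0.1, "S2": 0.1, "S3": 0.1}
IR_DISTRUSTED = {"C": 0.9, "D": 0.7, "S1": -0.2, "S2": -0.2, "S3": -0.2}

# Constructed time series: B's own experience of A is steady, while the
# votes received about A swing between extremes from one round to the next.
OE_SERIES = [0.8, 0.8, 0.7, 0.8]
V_SERIES = [0.8, -0.8, 0.8, -0.8]


def sybil_impact(alpha: float) -> Dict[str, float]:
    """Service reputation of A with the Sybil identities weighted in vs. filtered out."""
    return {
        "sybils_weighted": service_reputation(OWN, VOTES, IR_NEWCOMERS, alpha),
        "sybils_filtered": service_reputation(OWN, VOTES, IR_DISTRUSTED, alpha),
    }


if __name__ == "__main__":
    for a in (0.0, 0.7, 1.0):
        print(a, sybil_impact(a))
    print("lag-1 profile, own experience:", normalised_lag1(OE_SERIES))
    print("lag-1 profile, votes:         ", normalised_lag1(V_SERIES))
```

The run shows the two levers the formula gives a defender: the positive-IR filter removes the hostile identities entirely, and a larger `alpha` bounds how far any set of votes can move the result.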
Concluding Remarks

In this chapter we presented a new approach of distributed reputation-based secure routing mechanism in MANET. In the background section the main concepts of secure and anonymous mobile ad hoc networks were presented. The overview of applied authentication schemes in secure MANET was analyzed giving an introduction to trust management and reputation basis as a mean for detecting misbehaviour and improving the routing performance.
In the main part of this chapter we focused on a new proposal of a distributed reputation system, which was an extension of the Liu and Issarny (2004) model and which was introduced in the anonymous authentication protocol for mobile ad hoc networks (Ciszkowski & Kotulski, 2006). We emphasized in the proposal the method of evaluating recommendation reputation considering the past experience and recommendation reputation of voters. We defined two types of the second-hand information, related to the immediate nodes and cumulative reputation, describing aggregated reputation of immediate nodes' neighbourhood. Second-hand information is exchanged on demand of interested nodes. In order to detect the malicious activity and any anomalies in the information exchange we incorporated the second-hand recommendation validation by the statistical correlation approach.
We pointed out that the security in MANET is a primary concern for researchers, in particular this becomes a very important issue since several applications apart from strict MANET communication model take advantage of the dynamic ad hoc routing phenomenon.

References

Blaze, M., Feigenbaum, J., & Lacy, J. (1996). Decentralized trust management. In Proceedings of the IEEE Symposium on Security and Privacy (p. 164). IEEE Xplore.
Boukerche, A., El-Khatiba, K., Xua, L., & Korba, L. (2005). An efficient secure distributed anonymous routing protocol for mobile and wireless ad hoc network. Computer Communications, 28(10), 1193-1203.
Buchegger, S. (2005). Self-policing mobile ad hoc networks by reputation systems. IEEE Communications Magazine, 43(7), 101-107.
Buchegger, S., & Le Boudec, J.-Y. (2002, June). Performance analysis of the CONFIDANT protocol: Cooperation of nodes fairness in dynamic ad-hoc networks. In Proceedings of IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHOC), Lausanne, Switzerland, (pp. 226-236).
Caballero, A., Botia, J. A., & Gomez-Skarmeta, A. F. (2006). A new model for trust and reputation management with an ontology based approach for similarity between tasks. In K. Fischer, I. J. Timm, E. André, & N. Zhong (Eds.), Multi-agent System Technologies, 4th German Conference, MATES 2006, Erfurt, Germany, (LNCS 4196, pp. 172-183). Berlin: Springer.
Chaum, D. (1981). Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2), 84-88.
Ciszkowski, T., & Kotulski, Z. (2006). ANAP: Anonymous authentication protocol in mobile ad hoc networks. Paper presented at the 10th Domestic Conference on Applied Cryptography ENIGMA, Warsaw, Poland, (pp. 191-203).
Hildebrand, D. K., Laing, J. D., & Rosenthal, H. (1977). Prediction analysis of cross classification. New York: John Wiley & Sons.
Hu, Y., & Perrig, A. (2004). A survey of secure wireless ad hoc routing. IEEE Security & Privacy Magazine, 2(3), 28-39.
Hu, Y.-C., Perrig, A., & Johnson, D. B. (2005). Ariadne: A secure on-demand routing protocol for ad hoc networks. Wireless Networks, 11(1-2), 21-38.
Huang, C., Hu, H., & Wang, Z. (2006, September 3-6). A dynamic trust model based on feedback control mechanism for P2P applications. In L. T. Yang, H. Jin, J. Ma, & T. Ungerer (Eds.), Proceedings of Third International Conference on Autonomic and Trusted Computing (ATC 2006), Wuhan, China, (LNCS 4158, pp. 312-321). Berlin: Springer.
Hussain, F., Chang, E., & Dillon, T. S. (2004, March). Classification of trust in logistic peer-to-peer communication. In Proceedings of the IEEE International Conference on Sciences of Electronic, Technologies of Information and Telecommunications (SETIT 2004), Tousse, Tunisia.
Johnson, D. B. (1994). Routing in ad hoc networks of mobile hosts. In Proceedings of IEEE Workshop on Mobile Computing Systems and Applications (pp. 158-163). IEEE Press.
Jøsang, A. (2002, July). Subjective evidential reasoning. In Proceedings of the 9th International Conference on Information Processing and Management of Uncertainty in Knowledge-Based Systems (IPMU 2002), Annecy, France.
Kong, J., & Hong, X. (2003). ANODR: Anonymous on demand routing with untraceable routes for mobile ad-hoc networks. In Proceedings of the 4th ACM International Symposium on Mobile Ad Hoc Networking & Computing (MobiHoc03), Annapolis, MD, (pp. 291-302).
Kong, J., Hong, X., & Gerla, M. (2005). Mobility changes anonymity: Mobile ad hoc networks need efficient anonymous routing. In Proceedings of 10th IEEE Symposium on Computers and Communications (ISCC 2005) (pp. 57-62). IEEE Computer Society.
Lee, K.-M., Hwang, K.-S., Lee, J.-H., & Kim, H. J. (2006, September). A fuzzy trust model using multiple evaluation criteria. In L. Wang, L. Jiao, G. Shi, X. Li, & J. Liu (Eds.), Proceedings of Third International Conference on Fuzzy Systems and Knowledge Discovery (FSKD 2006) (LNCS 4223, pp. 961-969). Berlin: Springer.
Liu, J., & Issarny, V. (2004, March 29-April 1). Enhanced reputation mechanism for mobile ad hoc networks. In C. Jensen, S. Poslad, & T. Dimitrakos (Eds.), Proceedings of Second International Conference on Trust Management (iTrust 2004), Oxford, UK, (LNCS 2995, pp. 48-62). Berlin: Springer.
Mangipudi, K., Katti, R., & Fu, H. (2006). Authentication and key agreement protocols preserving anonymity. International Journal of Network Security, 3(3), 259-270.
Nilsson, N. J. (1986). Probabilistic logic. Artificial Intelligence, 28(1), 71-87.
Papadimitratos, P., & Haas, Z. (2002, January 27-31). Secure routing for mobile ad hoc networks. In Proceedings of the SCS Communication Networks and Distributed Systems Modelling and Simulation Conference (CNDS 2002), San Antonio, (pp. 192-204).
Perkins, C., & Royer, E. (1999, February). Ad hoc on-demand distance vector routing. In Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications, New Orleans, (pp. 90-100).
Pfitzmann, A., & Hansen, M. (2005). Anonymity, unobservability, pseudonymity, and identity management: A proposal for terminology. Retrieved October 4, 2007, from http://dud.inf.tu-dresden.de/Literatur_V1.shtml
Royer, E., & Toh, C. (1999, April). A review of current routing protocols for ad hoc mobile wireless networks. IEEE Personal Communications, 6(2), 46-55.
Sanzgiri, K., Dahill, B., Levine, B. N., Shields, C., & Belding-Royer, E. M. (2002, November). A secure routing protocol for ad hoc networks. In Proceedings of 10th IEEE International Conference on Network Protocols (pp. 78-87). IEEE Press.
Yang, H., Luo, H., Ye, F., Lu, S., & Zhang, L. (2004). Security in mobile ad hoc networks: Challenges and solution. IEEE Wireless Communications, 11(1), 38-47.
Zapata, Z. G., & Asokan, N. (2002). Securing ad hoc routing protocols. In Proceedings of ACM Workshop on Wireless Security (WiSe 2002) (pp. 1-10). ACM Press.
Zhang, Y., Liu, W., & Lou, W. W. (2005). Anonymous communications in mobile ad hoc networks (INFOCOM 2005). In Proceedings of 24th Annual Joint Conference of the IEEE Computer and Communications Societies (Vol. 3, pp. 1940-1951). Proceedings IEEE.
Zimmermann, J. (1994). PGP user's guide. Cambridge: MIT Press.

Key Terms

Anonymity: Aims at hiding an entity's identity completely.
Anonymous Authentication: A method of proving that someone has rights to certain actions or resources without disclosing the user's real identity.
Attacks: Attacks on MANET can destroy availability of nodes (attacks on routing) and contest reputation of nodes.
Authentication: A method of proving someone's identity, especially if that someone is an authorized user of processes or resources.
Collusion Attack: If a number of adversary nodes make a coalition against reputation of other nodes.
Cross-validation: A statistical method derived from cross-classification which main objective is to detect the outlying point in a population set. It is a candidate method for anomalies detection in the reputation sharing (recommendations) and regular communication in MANET.
Denial-of-Service (DoS) attack: An attempt of keeping an access to computer resources (nodes) unavailable, especially by generating dummy traffic from one source (DoS) or a large number of sources (distributed DoS [DDoS]).
MANET: Mobile ad hoc network is a self-configuring network of freely moving nodes connected by wireless links that can constitute a path joining two arbitrary nodes of the network.
Privacy: The ability of keeping secret someone's identity, resources, or actions. It is realized by anonymity and pseudonymity.
Pseudonymity: Hides the user's real identity behind some virtual identity called a pseudonym.
Reputation: Perceived grade of trustworthiness to a particular peer created by their historical behaviour during observations and interactions with third party peers in the given context and time
Routing: A method of selecting a path (a chain of links between neighbouring nodes) from a source node to a destination node. One can distinguish two groups of protocols designed for MANET: reactive (on-demand) and proactive (table-driven). The first type tries to resolve a path to a destination node on the source node demand, whereas the second approach is more preventive and continuously keeps routing tables up to date by monitoring the nearest neighbourhood.
Security: Security of a system means that the system does exactly what it is designed to do and nothing else, even in a case of attack. Secure MANET enables reliable routing: privacy of communication with immediate degree of authentication of the parties of the information exchange process.
Sybil Attack: When one adversary node uses several identities to multiply its ability of rating other nodes in MANET.
Trust: A subjective probability of a one peer (trustee) so that particular actions of another peer (trusted) they are willing and capable to perform will be done according to trustee's expectations in the given context and time
VANET: A form of mobile ad hoc network, to provide communications among nearby vehicles and between vehicles and nearby fixed equipment, usually described as roadside equipment.
Chapter XXIX
Trust Management and
Context-Driven Access Control
Paolo Bellavista
University of Bologna, Italy
Rebecca Montanari
University of Bologna, Italy
Daniela Tibaldi
University of Bologna, Italy
Alessandra Toninelli
University of Bologna, Italy
Abstract
The increasing diffusion of wireless portable devices and the emergence of mobile ad hoc networks promote anytime and anywhere opportunistic resource sharing. However, the fear of exposure to risky interactions is currently limiting the widespread uptake of ad hoc collaborations. This chapter introduces the challenge of identifying and validating novel security models/systems for securing ad hoc collaborations, by taking into account the high unpredictability, heterogeneity, and dynamicity of envisioned wireless environments. We claim that the concept of trust management should become a primary engineering design principle, to associate with the subsequent trust refinement into effective a
thus calling for original and innovative access control models. The chapter overviews the state-of-the-art solutions for trust management and access control in wireless environments by pointing out both the need for their tight integration and the related emerging design guidelines, that is, exploitation of context awareness and adoption of semantic technologies.
on assumptions that are unacceptable in these environments (Cahill et al., 2003; Capra, 2004). In fact, in traditional distributed systems trust decisions can be delegated to centralized and trusted third parties with full visibility and control over the whole trust management domain (most entities are fixed and statically known). On the contrary, in the wireless Internet the lack of both a globally available trust management infrastructure and clearly defined administrative boundaries calls for fully decentralized and self-organized trust solutions. Moreover, trust management solutions are effective as far as it is possible to bind trust opinions to security decisions. We claim that trust management should be considered as the key starting point for subsequent refinement of trust into security policies related to authorization and security management. In particular, authorization can be seen as the outcome of the refinement of trust relationships among strangers (Grandison & Sloman, 2000).
Therefore, the issue of access control is also crucial for the provisioning of anytime and anywhere collaborative applications, and raises challenges similar to trust management, thus calling for novel access control models. Only few proposals are starting to emerge in that research area, by addressing two main needs. A primary requirement is to design/develop access control solutions that take into account heterogeneity and dynamicity of available services, computing devices, and user characteristics. Along this direction, the emerging design guideline for novel access control solutions advocates a paradigm shift from subject-centric access control models to context-centric ones (Covington, Long, Srinivasan, Dey, Ahamad, & Abowd, 2001; Corradi, Montanari, & Tibaldi, 2004; Ko, Won, Shin, Choo, & Kim, 2006; Toninelli, Montanari, Kagal, & Lassila, 2006). Hereinafter, at a high abstraction level, the term "context" is defined as any information that is useful for characterizing the state or the activity of an entity or the world where this entity operates (Dey, Abowd, & Salber, 2001). Differently from subject-centric solutions where context is an optional element of policy definition, simply used to restrict the applicability scope of the permissions assigned to the subject, in context-centric solutions context is the first-class principle that explicitly guides both policy specification and enforcement; it is not possible to define a policy without the explicit specification of the context making the policy valid. The second main requirement is the full integration of novel trust models/solutions with trust-dependent (possibly context-aware) access control policies. That integration represents the most significant goal of the state-of-the-art research in security for ad hoc wireless collaborations, with currently only a very few proposals at an early stage.
The achievement of secure, open, and dynamic wireless collaborations requires not only proper trust and access control models, but also shared and interoperable vocabularies for trust and access control specifications to avoid inconsistent interpretations. Some initial research efforts tend to propose the adoption of ontological technologies as a significant guideline toward common policy understanding (Kagal, Finin, & Joshi, 2003; Tonti et al., 2003; Uszok, Bradshaw, & Jeffers, 2004). Semantically rich representations of trust and access control policies permit resource/context descriptions at different levels of abstraction and enable reasoning about both structure and properties of entities, context, and operations, thus enabling flexible opportunities for policy analysis, conflict detection, and harmonization. It is worth noticing that current security solutions for wireless Internet collaborations represent interesting steps forward, but are still more proof-of-concept prototypes of single aspects rather than comprehensive methodological and technical reference guides.
The goal of the chapter is to survey the most relevant support solutions in the literature by considering the two primary research directions emerging in the area, that is, trust management and semantic context-driven access control. In particular, examples of solutions in each category will be presented in the Trust Management section and the Semantic Context-driven Access Control section, respectively. The COMITY Framework section will focus on the main design choices of our trust-dependent context-aware middleware proposal, with the aim of exemplifying the main concerns and solution guidelines about the integration of trust and access control management. Primary open issues and expected directions of evolution end the chapter.
Trust Management

The adoption of the concept of trust as the basis for engineering secure collaborative applications is currently attracting relevant research interests. Trust has always been an important element in the establishment of relationships in many fields. Humans use trust daily to promote interaction and to accept risk in situations where they have only partial information (Cahill et al., 2003). In computing, the need for trust models and support systems has recently grown with the widespread Internet usage where transactions involve entities spanning a range of domains and organizations, not all of which may be trusted to the same extent. Recently, trust issues have taken on more urgency due to wireless environments of emerging relevance populated by a plethora of unknown and anonymous users/devices. Entities can interact as far as they are able to autonomously assess trust and to use this as the basis for automated decision making, for example, whether to use a service or whether to permit access to resources.
Incorporating trust in wireless Internet systems is important because trust can be an enabling technology for application provisioning in open and dynamic environments in situations where we are giving up complete control because traditional security solutions are inadequate or even inapplicable. For instance, certificate-based authentication and authorization mechanisms exhibit several limitations when deployed over ad hoc wireless scenarios. First, they impose too much computational overhead (especially due to certificate validation), often intolerable for mobile devices with limited computational resources. Second, the transient nature of ad hoc collaborations does not justify the efforts of going through the laborious and expensive certificate issuance process. Finally, the lack of central authority and network infrastructure in MANET, coupled with the dynamic nature of the network topology, complicates the adoption of certificate-based authentication and authorization mechanisms.
Trust-related research has been carried out along several different directions and has proposed many approaches for trust definition, formation, evolution, and management, but has not yet achieved universally accepted techniques/tools, as detailed in the following.

Trust Definition and Properties

Trust is a complex and multifaceted notion relating to belief in the honesty, truthfulness, competence, and reliability of a trusted person or service (Grandison & Sloman, 2000). Currently there is no consensus in the literature on the meaning of trust though several research activities recognize its importance. Due to the fact that trust is an integral part of human nature, it is normally treated as an intuitive and universally understood concept. However, by realizing that it is unwise to assume it is an intuitive, universal, and well-understood concept, many researchers have proposed different definitions of trust and the importance of trust standardization is widely recognized (Frank & Peters, 1998; Gambetta, 2001; Marsh, 1994; Staab, 2004). However, trust definitions vary depending on researcher background and on addressed application domain.
Despite these differences, most proposals result in having common basic properties. Trust is usually specified in terms of a relationship between two entities that specifies the expectation of the trust-assigning entity, called the trustor, about the actions of another entity (object of a trust estimation), that is, the trustee, within a specified context (Grandison & Sloman, 2000). Entities bound by a trust relationship may be completely or partially unknown to each other.
Trust relationships may differentiate depending on the number of entities involved. They include one-to-one relationships between two entities, one-to-many in the case of one entity that needs to trust a group, many-to-many in the case, for example, of a committee, or many-to-one in the case of departments trusting a head branch. In any case, trust relationship is asymmetric: trustor and trustee do not need to have similar trust in each other even if they exploit the same information as their basis to establish their trust relationship. This derives from the observation, common to all definition proposals, that trust is a subjective notion (Cahill et al., 2003).
Cutting the Gordian Knot: Intrusion Detection Systems in Ad Hoc Networks
Figure 5. Modularized IDS architecture
Figure 6. Distributed IDS architecture
is critical. TIARA has no response system for intrusions.

Threshold-Based Detection

A simplistic approach to ad hoc IDS is threshold-based detection. Bhargava and Agrawal (2001) propose an ad hoc IDS which prevents internal attacks (attacks within the network). Internal attacks are exhibited by nodes belonging to the network which behave maliciously, either by themselves or when compromised. Each node maintains a local variable called "MalCount" for every other node, which is increased for a particular node if its behavior is suspicious. Thus the MalCount array in a node tracks the level or state of suspicion that the host node has regarding the other nodes. Each node shares its local state of suspicion with respect to a particular node with other nodes in the network using a special packet REMAL. When a node receives REMAL, it increases its local MalCount for the particular node under suspicion.
The authors overlooked many aspects of ad hoc security. First, malicious knowledge sharing using REMAL will have cumulative malign effect on the network. Second, the security of the REMAL packet is unknown. Eventually, the entire network can be under threat by trusting unreliable REMAL packets. The crucial aspect of the security of the IDS is not considered in this methodology. Furthermore, routing security is not addressed.
Another interesting approach called watchdog-pathrater, which also uses threshold, is proposed by Sergio, Giuli, Kevin, and Mary (2000). Watchdog-pathrater, as the name implies, has a monitor and evaluator. Unlike Bhargava and Agrawal's (2001) approach, Watchdog-pathrater functions independently and does not share information with other nodes. When a packet is forwarded to a neighbor node, the forwarding node listens and monitors how the node behaves upon receiving a packet. A benign node will forward faithfully, which is overheard by the monitor. However, when the node does not forward the packet, the pathrater increases the failure rate for the path. The monitor does not distinguish between maliciousness and node faultiness. Upon the failure rate reaching the threshold, the node is discarded from any path. This method is analogous to fault-tolerance in typical routing algorithms. This method effectively detects and responds to malicious packet dropping attacks (sinks). However, it fails to address attacks such as route invasion, route disruption, and so forth.

State-Based Anomaly Detection

One of the interesting approaches in conventional IDS models is state-based intrusion detection. Michael and Ghosh (2000) incorporate a state-based model in ad hoc intrusion detection. They propose two anomaly detection methodologies, which use finite-state machines (FSM). FSM have proved successful in conventional IDS because of their adaptability and dynamic learning capability of new attacks.
Anomaly detection methods proposed by Michael and Ghosh (2000) used protocol states. In the first method, the sequence and frequency of protocol states are monitored. Intrusion is affirmed when a particular sequence deviates significantly from normal behavior patterns or the frequency of states exceeds a threshold. To increase robustness, their second approach uses probabilistic state-based intrusion detection. Each occurrence of a suspicious protocol state increases the probability of the behavior being malicious.
These two approaches are well suited for transport and application layer protocols, which have many protocol states, and the protocol states are predictable. For example, attacks such as the TCP SYN flood attack can be detected using this approach. However, this is not true in the case of routing protocols. State sequence or frequency of states does not distinguish a malicious behavior from a benign one. Traditionally, FSM were used to extract semantics from user behavior through application-layer protocols. In the case of ad hoc routing protocols, semantics is not represented by protocol states, but factors such as current topology, mobility, connectivity, and so forth are.
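The MalCount/REMAL scheme and its contrast with watchdog-pathrater, from the Threshold-Based Detection section above, as an added Python simulation that is not code from the chapter or the cited papers. The threshold value, node names and event lists are constructed, and REMAL is modelled as unauthenticated because the chapter states that the packet's security is unknown.

```python
from collections import defaultdict

THRESHOLD = 3  # assumed cut-off; the chapter does not give a number


class Node:
    def __init__(self, name, accept_remal):
        self.name = name
        self.accept_remal = accept_remal   # False models watchdog-pathrater
        self.malcount = defaultdict(int)   # suspect name -> suspicion count

    def receive_remal(self, suspect):
        # No check of who sent the REMAL or whether it reflects a real
        # observation: this is the gap the chapter criticises.
        if self.accept_remal and suspect != self.name:
            self.malcount[suspect] += 1

    def excluded(self):
        return {s for s, count in self.malcount.items() if count >= THRESHOLD}


def simulate(names, accept_remal, observations, unsolicited_remal=()):
    """observations: (observer, suspect) pairs actually witnessed;
    unsolicited_remal: (sender, suspect) REMALs sent without any observation.
    Returns, per node, the set of peers that node has excluded."""
    nodes = {n: Node(n, accept_remal) for n in names}

    def broadcast(sender, suspect):
        for name, node in nodes.items():
            if name != sender:
                node.receive_remal(suspect)

    for observer, suspect in observations:
        nodes[observer].malcount[suspect] += 1
        if accept_remal:
            broadcast(observer, suspect)   # share local suspicion via REMAL
    for sender, suspect in unsolicited_remal:
        broadcast(sender, suspect)
    return {n: nodes[n].excluded() for n in names}


NAMES = ["A", "B", "C", "D", "M"]  # constructed five-node network


def honest_sharing():
    # D drops packets; A, B and C each witness it once and share the finding.
    return simulate(NAMES, True, [("A", "D"), ("B", "D"), ("C", "D")])


def false_accusation():
    # M witnesses nothing but reports benign node B three times.
    return simulate(NAMES, True, [], [("M", "B")] * 3)


def watchdog_only():
    # Same false reports, but nodes count only what they overhear themselves.
    return simulate(NAMES, False, [("A", "D")] * 3 + [("B", "D")],
                    [("M", "B")] * 3)


if __name__ == "__main__":
    for scenario in (honest_sharing, false_accusation, watchdog_only):
        print(scenario.__name__, scenario())
```

When reviewing a shared-suspicion design, the `false_accusation` result is the case to test for: a peer is excluded network-wide although no node recorded a local observation against it.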
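The two state-based methods from the State-Based Anomaly Detection section, applied to the TCP SYN flood case the chapter mentions, as an added Python example that is not code from the chapter or from Michael and Ghosh. The simplified server-side transition table, the half-open limit, the probability update rule and the event traces are assumptions constructed here.

```python
# Simplified server-side TCP connection states (assumption for this example).
ALLOWED = {
    ("LISTEN", "SYN"): "SYN_RCVD",
    ("SYN_RCVD", "ACK"): "ESTABLISHED",
    ("SYN_RCVD", "RST"): "CLOSED",
    ("ESTABLISHED", "ACK"): "ESTABLISHED",
    ("ESTABLISHED", "FIN"): "CLOSED",
    ("ESTABLISHED", "RST"): "CLOSED",
}


def analyse(events, half_open_limit, step=0.2):
    """events: list of (connection id, segment type) in arrival order.

    Method 1: raise a 'sequence' alert for a transition the FSM does not
    allow, and a 'frequency' alert when the number of connections sitting in
    SYN_RCVD exceeds half_open_limit.
    Method 2: every alert raises a running suspicion value p towards 1 with
    p <- p + (1 - p) * step (update rule assumed here).
    Returns (alerts, suspicion)."""
    state = {}          # connection id -> current FSM state
    alerts = []
    suspicion = 0.0
    for index, (conn, segment) in enumerate(events):
        current = state.get(conn, "LISTEN")
        following = ALLOWED.get((current, segment))
        if following is None:
            alerts.append((index, "sequence", conn))
            suspicion += (1 - suspicion) * step
            continue
        state[conn] = following
        half_open = sum(1 for s in state.values() if s == "SYN_RCVD")
        if half_open > half_open_limit:
            alerts.append((index, "frequency", conn))
            suspicion += (1 - suspicion) * step
    return alerts, suspicion


# Constructed traces. BENIGN: two clients complete the handshake.
BENIGN = [("c1", "SYN"), ("c2", "SYN"), ("c1", "ACK"),
          ("c2", "ACK"), ("c1", "ACK"), ("c1", "FIN")]
# FLOOD: five handshakes are opened and never completed.
FLOOD = [(f"f{i}", "SYN") for i in range(1, 6)]
# STRAY: an ACK arrives for a connection that never sent a SYN.
STRAY = [("c9", "ACK")]


if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("flood", BENIGN + FLOOD),
                        ("stray", STRAY)):
        print(name, analyse(trace, half_open_limit=3))
```

The same monitor gives no useful signal for an ad hoc routing protocol, which is the chapter's point: there the meaning lies in topology, mobility and connectivity rather than in the order or count of protocol states.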
Paper presented at the Security and Privacy for Emerging Areas in Communications Networks, SecureComm 2005.
Balajinath, B., & Raghavan, S. V. (2001). Intrusion detection through learning behavior model. Computer Communications, 24(12), 1202-1212.
Bhargava, S., & Agrawal, D. P. (2001, Fall). Security enhancements in AODV protocol for wireless ad hoc networks. Paper presented at the IEEE 54th Vehicular Technology Conference, VTC 2001.
Brutch, P., & Ko, C. (2003). Challenges in intrusion detection for wireless ad-hoc networks. Paper presented at the Applications and the Internet Workshops, 2003.
Bykova, M., Ostermann, S., & Tjaden, B. (2001). Detecting network intrusions via a statistical analysis of network packet characteristics. In Proceedings of the 33rd Southeastern Symposium on System Theory, 2001.
Debar, H., Dacier, M., & Wespi, A. (1999). Towards a taxonomy of intrusion-detection systems. Computer Networks-the International Journal of Computer and Telecommunications Networking, 31(8), 805-822.
Duda, R. O., Hart, P. E., & Stork, D. G. (2000). Pattern classification (2nd ed.). Wiley Inter-Science Publication.
Hijazi, A., & Nasser, N. (2005). Using mobile agents for intrusion detection in wireless ad hoc networks. Paper presented at the Second IFIP International Conference on Wireless and Optical Communications Networks, WOCN 2005
Hossain, M., Bridges, S. M., & Vaughn, R. B., Jr. (2003). Adaptive intrusion detection with data mining. Paper presented at the IEEE International Conference on Systems, Man and Cybernetics, 2003.
Hubaux, J.-P., Buttyan, L., & Capkun, S. (2001). The quest for security in mobile ad hoc networks. Paper presented at the 2nd ACM international Symposium on Mobile Ad hoc Networking & Computing, Long Beach, CA.
Jacoby, G. A., Marchany, R., & Davis, N. J., IV. (2004). Battery-based intrusion detection a first line of defense. Paper presented at the Information Assurance Workshop, 2004/Proceedings from the Fifth Annual IEEE SMC.
Kachirski, O., & Guha, R. (2002). Intrusion detection using mobile agents in wireless ad hoc networks. Paper presented at the IEEE Workshop on Knowledge Media Networking, 2002.
Kong, J., Hong, X., & Gerla, M. (2003). A new set of passive routing attacks in mobile ad hoc networks. Paper presented at the Military Communications Conference, MILCOM 2003. IEEE.
Lamport, L., Shostak, R., & Pease, M. (1982). The Byzantine generals problem. ACM Transactions on Programming Languages and Systems, 4(3), 382-401.
Little, M. (2005). TEALab: A testbed for ad hoc networking security research. Paper presented at the Military Communications Conference, MILCOM 2005. IEEE.
Michael, C. C., & Ghosh, A. (2000). Two state-based approaches to program-based anomaly detection. Paper presented at the 16th Annual Conference Computer Security Applications, ACSAC '00.
Mishra, A., Nadkarni, K., & Patcha, A. (2004). Intrusion detection in wireless ad hoc networks. IEEE Wireless Communications, 11(1), 48-60.
Nadkarni, K., & Mishra, A. (2003). Intrusion detection in MANETS: The second wall of defense. Paper presented at the 29th Annual Conference of the IEEE Industrial Electronics Society, IECON 2003.
Huang, Y. A., & Lee, W. (2004). Attack analysis
and detection for ad hoc routing protocols. Recent
advances in intrusion detection, proceedings Papadimitratos, P., & Haas, Z. (2002, January 27-
(Vol. 3224, pp. 125-145). Berlin: Springer-Verlag 31). Secure routing for mobile ad hoc networks. Pa-
Berlin. per presented at the SCS Communication Networks
Security Measures for Mobile Ad-Hoc Networks (MANETs)
Table 1. continued
Noise Signal: Increasing the noise level, which leads to the decrease of the signal to noise ratio (S/N), causes degradation of the bandwidth and roll-back of the transmission rates. In severe cases it can lead to DoS attack.

DoS: Denial of service attack can also impact the media access control (MAC) layer. For this, the attacker does not have to be physically tampering with the infrastructure, though the ability to inject frames directly into the channel is required. A MAC-layer-based DoS attack offers the following advantages to the attackers:
- Medium Independency: Since many MAC-based communication protocols (e.g., 802.11) have similar MAC layer structures, a single MAC-layer attack can devastate many different infrastructures.
- Energy Efficiency: A MAC layer attack does not necessarily and directly deal with the weakening of the communication signals, therefore these types of attacks require less energy compared to the physical layer attacks.

Jamming: Jamming happens when the communication channel is flooded with MAC layer queries. In this scenario, the MAC layer will not be able to service legitimate queries. Jamming can be considered as a DoS attack at MAC layer.

Blackhole Attack: In this type of attack, the attacker (or a malicious node) advertises a zero routing metric for all destinations. This causes all the neighbor nodes to route all their packets through the attacker (node). This can also be recognized as a DoS attack at the network layer.

Wormhole Attack: In this attack, the attacker records packets at one location in the network and tunnels them to another location in the network. This can cause a disruption of service (DoS) due to the invalidity of routes for the packets, which are routed through this tunnel.

Byzantine Attack: This type of attack incorporates more than one attacker (malicious adversaries). A Byzantine attack involves the leaking of authentication/authorization secrets so that the malicious adversaries are indistinguishable from legitimate nodes. Therefore when adversaries are accepted in the communication schemes, they can cause various types of malicious activities, such as route changes, route loops, and nonoptimal routes. Byzantine attacks are ve… identified.

Information Disclosure: In this scenario, a compromised node may leak confidential and vital information to unauthorized nodes in the network, such as geographic location of nodes (sender, receiver, and intermediate nodes), network topology, and optimal routes.

Resource Consumption Attack: This type of attack can be discussed as a physical layer issue or a network layer issue. In the network layer, this type of attack directly deals with routing issues rather than energy related issues. Therefore, a malicious node tries to consume and waste the resources in the network through network layer-related activities, such as unnecessary requests for routes, very frequent beacon packet creations, initiating a lot of route discoveries, and forwarding of stale packets to nodes.

Routing Attacks: These types of attacks deal with the routing algorithms and procedures, such as routing table overflow a… packet replication, route cache poisoning, and rushing attack. These are further discussed more in the…

Others: Other types of network layer attacks include attacks on IP header/address (address sweep scan, timestamp attack, source route attack, record route attack, and fragment DoS attack) and internet control message protocol (IC…

Attacks on TCP: Attacks on the transport control protocol (TCP) include acknowledgement (ACK) DoS, synchronization (SYN) flood, LAND attack (where spoofed TCP SYN is sent) “sending a spoofed TCP/SYN packet,” session and tear-down attacks, session hijacking, and port-scan attack.

Attacks on UDP: Attacks on user datagram protocol (UDP) include port attack, (UDP flooding) and session hijacking using (a va… UDP session ID).

Session, Presentation, Application: Higher layers (session, presentation, and application layers) are more specific and application oriented. T… types of attacks vary in different networks and applications.
to the OSI layered model, namely, physical, MAC, network, transport, session, presentation, and application layers. Internet-based systems have adopted a more simplified five-layer approach based on transport control protocol (TCP)/IP protocol stack suite, in which the top three layers of the seven-layer model (session, presentation, and application layers) have been merged as a single layer: the TCP/IP application layer (see Figure 2) (Adibi, Erfani, & Harbi, 2006; Lu, 2002; Manoj & Murthy, 2005).

Wireless Routing Protocols in General

Ad hoc routing protocols are divided into the following categories:

Proactive (Table-driven)

In these types of routing protocols, nodes constantly search for routing information and store it in tables, therefore when a route is needed, the route is already known. The major disadvantages of proactive routing protocols are:

• Consumption of relatively more bandwidth compared to identical amount of data transfer in other routing schemes.
• Increase of traffic overhead due to the constant updates.

The advantage is that there is no delay in route and destination determination. Examples of proactive routing protocols are (Lang, 2003):

• DSDV (destination-sequenced distance vector routing)
• OLSR (optimized link state routing)

Reactive (On-demand)

In reactive protocols, routes are determined as they are needed through “route request (RREQ)” and “route reply (RREP)” inquiries. The advantage of a reactive routing protocol is the fact that it requires relatively less traffic overhead. The disadvantage of reactive routing protocols, however, is relatively longer delays due to the sending and receiving of RREQs and RREPs. Examples of reactive routing protocols are (Lang, 2003):
Attacks on Ad Hoc Routing Protocols

Attacks on ad hoc routing protocols are presented in Figure 4 and Table 2. Again these attacks are categorized into passive and active attacks. Each attack works in such a way as to paralyze a section of the routing protocol, therefore securing the routing protocols is very important.

In order to prevent attacks on routing protocols, security measures should be taken into consideration to prevent attacks and fortify the routing algorithms. These measures should provide the following:

• Availability: Ultimately it should always be possible (with very high probability) to find an available route from any source to any destination within the wireless range. In ad hoc routing protocols, this feature should include preventing routing table overflow (an entry in the table to a nonexisting destination) and rushing attacks (an attacker disseminates RREQs quickly throughout the networks, suppressing any later legitimate RREQs when nodes drop them due to the duplicate suppression).
• Isolation: Ability to identify misbehaving nodes and disable them from interfering with the routing schemes. Preventing wormhole and black hole are examples of this category.
• Lightweight computations: Assigning heavy computing tasks to the least possible number of nodes (battery power protection) to prevent sleep deprivation.
• Location privacy: Protecting information about the location of nodes in a network and the network structure, to prevent location disclosure.
• Self-stabilization: Automatically recover from any problem in a finite amount of time without human intervention.
• Byzantine robustness: This requires the function of the routing protocol to work correctly even if some of the nodes participating in routing are intentionally disrupting its operation. This is important in preventing impersonation attacks.
Figure 4. Active and passive attacks in ad hoc routing protocols (Adapted from Wang, Lu, & Bhargava,
2003)
Table 2. Definition of a few attacks for ad hoc routing protocols

Route Broken Message: Sets false route error to send a message back to the source (route discovery is reinitiated). This exhausts the limited bandwidth.

Malicious Route Request: Sends an invalid route request. This exhausts the limited bandwidth.

False Distance Vector: This involves replying “one hop to destination” to every request and selecting a sufficiently large sequence number. This is an attack on the connectivity.

False Destination Sequence: This is to select a large number of hops to the destination, which is an attack on the connectivity.

Routing Table Overflow: A malicious node advertises routes to nonexisting nodes. Proactive routing protocols are more vulnerable.

Routing Table Poisoning: A malicious or compromised node sends fictitious routing updates or modifies genuine route u… which causes suboptimal routing.

Packet Replication: A malicious or compromised node replicates stale packets causing excessive bandwidth consumption.

Route Cache Poisoning: An adversary can poison the route cache, which is a major issue for on-demand routing protocols, since they maintain a route cache to all known nodes.

Rushing Attack: An adversary that received a RREQ from a source floods the network quickly before any other legitimate nodes can react, causing other nodes to believe that they have received duplicates, thus discarding the legitimate responses. Therefore any route discovered by the source node would contain the adversary node information as one of the legitimate intermediate nodes.
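Two of the Table 2 attacks leave a recognizable trace in the routing control traffic a node overhears: Malicious Route Request (many RREQs in a short time) and False Distance Vector (one-hop claims with very large sequence numbers for many destinations). The following detector is an added example, not code from the chapter or from any routing implementation; the event fields, the thresholds, and the sample messages are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from typing import NamedTuple


class Event(NamedTuple):
    t: float        # receive time in seconds
    kind: str       # "RREQ" or "RREP"
    node: str       # RREQ originator or RREP replier
    dest: str       # destination the message refers to
    dest_seq: int   # destination sequence number carried in the message
    hop_count: int  # hops to dest claimed by an RREP (0 for an RREQ)


def rreq_flooders(events, window=1.0, max_rreq=10):
    """Originators that sent more than max_rreq RREQs inside any sliding window."""
    recent = defaultdict(deque)
    flagged = set()
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind != "RREQ":
            continue
        q = recent[e.node]
        q.append(e.t)
        while e.t - q[0] > window:      # drop timestamps that left the window
            q.popleft()
        if len(q) > max_rreq:
            flagged.add(e.node)
    return flagged


def false_distance_vector(events, last_known_seq, max_seq_jump=100, min_dests=3):
    """Repliers claiming "one hop" with an implausible sequence-number jump
    for at least min_dests distinct destinations."""
    claims = defaultdict(set)
    for e in events:
        baseline = last_known_seq.get(e.dest)
        if e.kind != "RREP" or baseline is None:
            continue                    # no baseline: the jump cannot be judged
        if e.hop_count <= 1 and e.dest_seq - baseline > max_seq_jump:
            claims[e.node].add(e.dest)
    return {n: sorted(d) for n, d in claims.items() if len(d) >= min_dests}


# Constructed sample: last sequence numbers this node has seen per destination,
# and a short log of overheard control messages.
LAST_KNOWN_SEQ = {"D1": 10, "D2": 41, "D3": 7, "D4": 18}
SAMPLE = (
    [Event(0.05 * i, "RREQ", "F", f"X{i}", 0, 0) for i in range(12)]  # burst
    + [Event(1.0 * i, "RREQ", "A", "D1", 0, 0) for i in range(3)]     # normal
    + [
        Event(2.0, "RREP", "B", "D1", 12, 1),    # real neighbor, small step
        Event(2.1, "RREP", "C", "D2", 43, 3),
        Event(2.2, "RREP", "E", "D3", 400, 4),   # big jump, but not one hop
        Event(3.0, "RREP", "M", "D1", 9000, 1),
        Event(3.1, "RREP", "M", "D2", 9001, 1),
        Event(3.2, "RREP", "M", "D3", 9002, 1),
        Event(3.3, "RREP", "M", "D4", 9003, 1),
    ]
)


def analyze(events=SAMPLE, last_known_seq=LAST_KNOWN_SEQ):
    return {
        "rreq_flood": rreq_flooders(events),
        "false_distance_vector": false_distance_vector(events, last_known_seq),
    }


if __name__ == "__main__":
    print(analyze())
```

A flagged node is a candidate for the isolation measure listed above, not proof of malice: a node that really is adjacent to several destinations can trip the one-hop rule, so the thresholds need tuning per deployment.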
independent security agents. This way outsiders could not identify the communicating parties.
• Hierarchical structure or zone-based routing: This type of routing protocol provides a foundation for authentication and local link-state routing.

These two methods will be discussed in details in the next section.

Challenges in Secure Routing for MANETs

As mentioned previously, securing routing protocols for wireless systems is more challenging than
securing wired protocols, because not only do all of the possible wired-based attacks apply to ad hoc networks, but also mobility allows new attacks.

discussed in details later in this chapter

• Key management service: Because of the difficulties in key exchange, the key management is a challenge in ad hoc networks. The following schemes are a few examples of existing key exchange methods ("Key

Data encryption (long-term, short-term) keys
Keys based on random number

altering the signal’s frequency spectrum in such a way that the signal could not be reconstructed and understandable without the knowledge of the inversion pattern.
Frequency hopping: Dividing the
Key Management Approaches

Due to the variable nature of ad hoc network topologies and the physical and resource limitations, key management is of great importance. There are many proposals for the key management for ad hoc protocols, however we introduce two methods, namely, ad hoc key distribution center (AKDC), and decentralized key generation and distribution (DKGD) (Adibi et al., 2006):

• Ad hoc key distribution center: As shown in Figure 5, AKDC uses a centralized ad hoc scheme for key management, distribution, and access. In the AKDC, each device wishing to communicate with another device will have to undergo the following series of processes by the AKDC:
  - Identity and location determination
  - Authentication
  - Authorization
  - Key provision
  - Key delivery
  A lot of intelligence and power must be integrated into the design of an AKDC, however, there are a few downsides of having a central point. The fact that there is a known center for key distribution and its location is known to all, makes the AKDC prone to a variety of attacks, including DoS attack. This problem is remedied by the use of a decentralized and distributed scheme.

Figure 5. AKDC scheme (Adapted from Adibi et al., 2006)

• Decentralized key generation and distribution: In a DKGD scheme (Figure 6), the key management scheme is distributed across the wireless range through DKGD agents. Every ad hoc element discovers the closest DKGD agent and binds with it. The fact that DKGDs are distributed across the network poses less of a security concern as the single point of failure is no longer an issue. No matter if AKDC or DKGD is used, all legitimate local ad hoc elements should register with the AKDC or the DKGD.
• Ad hoc gateway access control (AGAC): So far, the AKDC and DKGD schemes assume in-domain communications among ad hoc elements. However for inter-domain security measures when an outside element seeks communication to a local element, a new element, which is called the AGAC, is responsible for the security concerns. AGAC
agents are located at the boundaries of radio domains, that is, where two or more local ad hoc domains intersect.

Figure 6. DKGD scheme (Adapted from Adibi, Erfani, & Harbi, 2006)

Figure 7. Self-organized certificate authorities (SOCA) (Adapted from Michiardi, 2004)

• Secure and efficient key management (SEKM): SEKM (Wu, Wu, Fernandez, Ilyas, & Magliveras, 2005) creates a public key infrastructure (PKI) using a secret shared key scheme and on top of an underlying multicast server groups. In SEKM, a view of the certificate authority (CA) is created by each server group. This provides an update for certificate services for all the participating nodes. For an efficient certificate delivery service, a ticket mechanism is introduced and used.
• Self-organized CA (SOCA) (Michiardi, 2004): In traditional cryptographic systems, there is one sender, one receiver, and an eavesdropper who is the opponent. However SOCA is based on threshold cryptography.
Threshold cryptography allows one to share the power of a cryptosystem in which the power to regenerate a secret key is shared among several agents (Figure 7). The advantage of this is the distributed approach with self-organization. The downside is the network density.

There are several mechanisms, which are embedded into the protocol schemes, which contribute to the robustness of security. Below is a list of a few of these mechanisms.

Web of trust (PGP): Which is a Peer-based (one-to-one) system and requires no Certificate Authority. PGP … symmetric and public-key cryptography schemes and includes a mechanism, which binds the public keys to the user identities.
Crypto-based ID: A crypto-based ID suggests that having an identity implies being authorized, therefore no certificates are needed.
Context-dependent authentication:
mind, the entire protocol functionalities have been designed for security in the network layer. Four of these protocols are introduced as follows:

ARIADNE (A Secure On-Demand Routing Protocol for Ad Hoc Networks)

ARIADNE (Hu, Perrig, & Johnson, 2002) relies only on highly efficient symmetric cryptographic systems and does not require a trusted hardware or powerful processors. Routing messages can be authenticated using ARIADNE through one of the following three schemes: 1) Using shared secrets among each pair of nodes, 2) Using shared secrets among communicating nodes together with broadcast authentication, and 3) Using digital signatures. ARIADNE works well with timed efficient stream loss-tolerant authentication (TESLA) (Hu et al., 2002) which is an efficient broadcast authentication scheme that requires loose time synchronization, where a receiver knows an upper bound of difference between sender’s local time and the receiver’s local time.

destination and to store a local trust value related to each node throughout the network. A trust value is also assigned to each path based on nodes’ trust values. The paths with higher trust values are preferred and selected for routing.

SDSR (Secure Dynamic Source Routing)

SDSR (Kargl, Geiss, Schlott, & Weber, 2005) prevents various potential (active and passive) attacks to the ad-hoc-based networks. It also deals with selfish nodes in the following scenarios:

• Motivation-based approaches: Try to motivate network users to actively participate in the MANET.
• Detect and exclude: This scheme detects and excludes selfish nodes from the routing scheme.
• Mobile Intrusion Detection System (MobIDS): Focuses on integrating with other mechanisms for detecting selfish nodes.
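The ARIADNE description above says that TESLA needs only loose time synchronization: the receiver knows an upper bound on the difference between the sender's clock and its own. The following added example (not ARIADNE's or TESLA's reference code) shows why that bound is enough: a packet is accepted for later verification only if, even at the latest possible sender time, its MAC key cannot have been disclosed yet. SHA-256/HMAC, the interval length, the disclosure delay, all class and field names, and the sample messages are assumptions chosen for illustration.

```python
import hashlib
import hmac


def H(key: bytes) -> bytes:
    """One-way step of the key chain: K[i] = H(K[i+1])."""
    return hashlib.sha256(b"chain" + key).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """MAC under a key derived from the chain key (assumed derivation)."""
    derived = hashlib.sha256(b"mac" + key).digest()
    return hmac.new(derived, msg, hashlib.sha256).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [K0, ..., Kn], generated backwards from the secret seed Kn."""
    chain = [seed]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain[::-1]


class Sender:
    def __init__(self, seed, n, t0, interval, delay):
        self.chain = make_chain(seed, n)
        self.t0, self.interval, self.delay = t0, interval, delay

    def send(self, msg: bytes, now: float) -> dict:
        i = int((now - self.t0) // self.interval)   # current interval
        j = i - self.delay                          # key that may now be disclosed
        disclosed = (j, self.chain[j]) if j >= 1 else None
        return {"i": i, "msg": msg, "mac": mac(self.chain[i], msg),
                "disclosed": disclosed}


class Receiver:
    def __init__(self, commitment, t0, interval, delay, max_offset):
        self.auth_index, self.auth_key = 0, commitment  # authenticated K0
        self.t0, self.interval, self.delay = t0, interval, delay
        self.max_offset = max_offset  # upper bound on sender clock - local clock
        self.buffer, self.accepted = {}, []

    def receive(self, pkt: dict, local_now: float) -> str:
        # Security condition: the sender cannot be past interval i + delay - 1.
        latest = int((local_now + self.max_offset - self.t0) // self.interval)
        if latest >= pkt["i"] + self.delay:
            status = "dropped-unsafe"   # key K_i may already be public
        else:
            self.buffer.setdefault(pkt["i"], []).append((pkt["msg"], pkt["mac"]))
            status = "buffered"
        if pkt["disclosed"]:
            self.on_key(*pkt["disclosed"])
        return status

    def on_key(self, j: int, key: bytes) -> None:
        if j <= self.auth_index:
            return
        keys, k = {j: key}, key
        for idx in range(j - 1, self.auth_index - 1, -1):
            k = H(k)
            keys[idx] = k               # recovers keys of lost disclosures too
        if not hmac.compare_digest(keys[self.auth_index], self.auth_key):
            return                      # key does not hash back to the chain
        for idx in range(self.auth_index + 1, j + 1):
            for msg, tag in self.buffer.pop(idx, []):
                if hmac.compare_digest(mac(keys[idx], msg), tag):
                    self.accepted.append(msg)
        self.auth_index, self.auth_key = j, key


def demo():
    s = Sender(b"constructed-seed", n=8, t0=0.0, interval=1.0, delay=2)
    r = Receiver(s.chain[0], t0=0.0, interval=1.0, delay=2, max_offset=0.5)
    p1 = s.send(b"RREQ A->D", now=1.2)
    forged = {"i": 1, "msg": b"RREQ forged", "mac": bytes(32), "disclosed": None}
    log = [
        r.receive(p1, local_now=1.3),
        r.receive(forged, local_now=1.4),        # buffered, fails MAC later
        r.receive(dict(p1), local_now=3.0),      # replay after K1 may be out
        r.receive(s.send(b"RREQ B->D", now=3.1), local_now=3.2),  # discloses K1
        r.receive(s.send(b"RREQ C->D", now=5.1), local_now=5.2),  # discloses K3
    ]
    r.on_key(4, bytes(32))                       # forged key is ignored
    return log, r.accepted, r.auth_index


if __name__ == "__main__":
    print(demo())
```

The packet disclosing K2 is never delivered in this run; the receiver still authenticates the interval-3 message because K3 hashes back to the last authenticated key, which is the loss tolerance in TESLA's name.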
posium on Personal, Indoor and Mobile Radio Communication (PIMRC 2003), vol. 2, (pp. 1331-1335). Beijing, China.

Choi, H., Song, H., Cao, G., & Porta, T. L. (2005). Mobile multi-layered IPsec. Paper presented at the INFOCOM.

Ghazizadeh, S., Ilghami, O., Sirin, E., & Yaman, F. (2002). Security-aware adaptive dynamic source routing protocol. ILCN.

Hu, Y. C., Johnson, D. B., & Perrig, A. (2002). SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks. MCSA.

Hu, Y. C., Perrig, A., & Johnson, D. B. (2002). Ariadne: A secure on-demand routing protocol for ad hoc networks. Paper presented at the MOBICOM.

Kargl, F. (2006, November). Threats and security requirements for VANETs secure vehicle communication. Paper presented at the C2C-CC Sec. Workshop.

Kargl, F., Geiss, A., Schlott, S., & Weber, M. (2005). Secure dynamic source routing. Paper presented at the HICSS.

Key Management, National Institute of Standards and Technology (NIST). (2001, November). Retrieved October 7, 2007, from http://csrc.nist.gov/encryption/kms/Key%20Mgmt%20Guideline%20Overview.ppt

Lang, D. (2003, March). A comprehensive overview about selected ad hoc networking routing protocols (Tech. Rep. No. TUM-I0311). Technische Universität München, Department of Computer Science.

Lu, Q. (2002, December). Vulnerability of wireless routing protocols. University of Massachusetts Amherst.

Maleki, M., Dantu, K., & Pedram, M. (2002, August). Power-aware source routing protocol for mobile ad hoc networks. In Proceedings of the Symposium on Low Power Electronics and Design (pp. 72-75).

Manoj, B. S., & Murthy, C. S. R. (2005, January). Transport layer and security protocols for ad hoc wireless networks. Retrieved October 7, 2007, from http://www.phptr.com/articles/article.asp?p=…

Menezes, A. J., Oorschot, P. C. V., & Vanstone, S. A. (1996). CRC handbook of applied cryptography. CRC Press.

Michiardi, P. (2004, March). Security in wireless ad hoc networks. Institut Eurecom.

Rhee, K. H., Park, Y. H., & Tsudik, G. (2004, June). An architecture for key management in hierarchical mobile ad-hoc networks. Journal of Communications and Networks, 6(2).

Wang, W., Lu, Y., & Bhargava, B. (2003, March). On security study of two distance vector routing protocols for ad hoc networks. Purdue University, CERIAS and Department of Computer Sciences.

Wu, B., Wu, J., Fernandez, E. B., Ilyas, M., & Magliveras, S. (2005). Secure and efficient key management in mobile ad hoc networks. Elsevier.

Key Terms

Access Control: This is a security mechanism to make sure that only legitimate parties have access to the data they are supposed to have access.

AKDC: Ad hoc key distribution center is a central component in an ad hoc network responsible for providing keys to ad hoc elements.

ARIADNE: A secure on-demand routing protocol for ad hoc networks.

Authentication: Authentication is required to make sure communicating parties are the ones who they claim to be.

Availability: A stochastic measure of predicting the availability of the communication channel and resources to the users
Chapter XXXII
A Novel Secure Video
Surveillance System Over
Wireless Ad Hoc Networks
Hao Yin
Tsinghua University, China
Chuang Lin
Tsinghua University, China
Zhijia Chen
Tsinghua University, China
Geyong Min
University of Bradford, UK
Abstract

The integration of wireless communication and embedded video systems is a demanding and interesting topic which has attracted significant research efforts from the community of tele… This chapter discusses the challenging issues in wireless video surveillance and presents the detailed design for a novel highly-secure video surveillance system over ad hoc wireless networks. To this end, we explore the state-of-the-art cross domains of wireless communication, video processing, embedded systems, and security. Moreover, a new media-dependent video encryption scheme, including a reliable data embedding technique and real-time video encryption algorithm, is proposed and implemented to enable the system to work properly and efficiently in an open and insecure wireless environment. … experiments are conducted to demonstrate the advantages of the new systems, including high security guarantee and robustness. The chapter would serve as a good reference for solving the challenging issues in wireless multimedia and bring new insights on the interaction of different technologies within the cross application domain.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
A Novel Secure Video Surveillance System Over Wireless Ad Hoc Networks
by the techniques in wireless communication, video processing, embedded systems, and security guarantee.

Recent advances in embedded system and wireless communications are enabling cost-effective digital wireless multimedia systems. The forthcoming integration of wireless communications and embedded video systems is a demanding and interesting research topic. Video surveillance has resorted to wireless transmission due to the several serious problems when the traditional coaxial or high-tech fiber-optic cables are adopted to transmit video images from the surveillance cameras to the stations at which the images are monitored and/or recorded. Compared with the traditional wire-line counterparts, wireless video surveillance systems do not require expensive and time-consuming system constructions and civil-engineering work. They can therefore be deployed rapidly with negligible environmental impact. Furthermore, wireless systems generally require lower costs of network maintenance, management, and operation.

However, some fundamental issues, such as framework design of wireless networks, video processing, video data transmission, video quality control, and system security should be resolved before wireless video surveillance systems can be successfully deployed (Garcia-Macias et al., 2003). Among these important issues, the system security is the most challenging problem that becomes the main concern of this chapter. Intel IXP425 network processor provides an ideal choice for implementing secure ad hoc video surveillance system, but the security issue is still a hot-spot that IXP425 cannot handle well. Therefore, an effective video encryption algorithm is necessary and meaningful in a wireless video surveillance system. At the same time, the secure routing protocol and system architecture should be carefully designed to avoid serious security flaws (Yin, Lin, Sebastien, & Chu, 2005).

This chapter explores the state-of-the-art cross domains of wireless communication, video processing, embedded systems and security, discusses the challenging issues in wireless video surveillance, and presents the detailed design of a novel highly-secure video surveillance system over ad hoc wireless networks. The rest of this chapter is organized as follows. Section 2 provides a review of wireless networks, ad hoc solution and security issues. Section 3 presents the design and implementation for the new video surveillance system and Section 4 evaluates its performance. Section 5 highlights the future trends in the relevant research areas. Finally, Section 6 concludes this chapter.

Background

Wireless Networks

Wireless technologies, in the simplest sense, enable one or more devices to communicate without physical connections (without requiring peripheral cabling). Wireless networks serve as the transport mechanism among mobile devices or between these devices and the fixed wired networks (e.g., enterprise networks and the Internet). A wireless network has tremendous advantages in comparison with its wired counterpart: no network cable has to be installed through walls and floors, thus greatly reducing the cost and making the architecture more flexible.

The development of 802.11g (IEEE, 2003) based on the orthogonal frequency-division multiplexing (OFDM) technology allows high-load applications to be adapted in wireless environment. It is claimed that an optimal throughput of 54 Mbps and a range up to 100 feet indoors can be achieved. As the signal is modulated at 2.4 GHz, it is less affected by walls and physical obstacles than 802.11a (5 GHz). Thus our system is based on the 802.11g wireless infrastructure ad hoc networks.

Ad Hoc Solution

Ad hoc networks are a new wireless networking paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, hosts rely on each other to keep the network connected. Ad hoc networks are designed to dynamically connect remote devices such as cell phones, laptops, and PDAs. These networks are termed “ad hoc” because
of their shifting network topologies. Whereas wireless LANs use a fixed network infrastructure, ad hoc networks maintain random configurations, relying on a master-slave system connected by wireless medium to enable communication between mobile devices (Haas, 1999; Zhou, 1999).

The system we are designing is organized in an ad hoc manner. The nodes themselves (with camera) are carrying the flux towards the monitoring center, and all the routing tasks are performed by the camera nodes. A careful deployment can share the traffic load among all the camera nodes and effectively reduce the bottleneck effect as compared with an architectural network. It is also the cheapest solution as there is no need of extra networking hardware besides the cameras, network processors, and the monitoring center.

However, the design of ad hoc architecture is complex because of the routing and security issues. In a monitoring system, the node positions are static and predetermined by the topology of the building. The cameras are in a nonprotected environment, and they are susceptible to be damaged or even destroyed. Thus it would be preferable if every node has at least two direct neighbors on the way towards the monitoring center so that the system can still work properly in case some camera nodes are faulty.

Security Issues

Among the issues the wireless solution faces, the system security is the most challenging problem. The NIST handbook An Introduction to Computer Security generically classifies security threats into nine categories ranging from errors and omissions to threats to personal privacy (Basgall, 1999). All of these represent potential threats in wireless networks as well. However, the more immediate concerns for wireless communications are device theft, denial-of-service, malicious hackers, malicious code, theft of service, and industrial and foreign espionage.

Data embedding techniques allow for a signal to be hidden without dramatically distorting the original content. Effective data embedding techniques should be able to invisibly embed data, allow for easy extraction, and achieve a high embedding rate. The most popular application of data embedding is digital watermark. Lots of research work has been done in this field over the past years. Although it is worth noting that none of the existing schemes are capable of satisfying the demand for media-dependent access control in wireless video surveillance system, some ideas and framework of these digital watermark algorithms are valuable and may be extended to design the desired data embedding scheme (Yin, Lin, Qiu, Min, & Chu, in press).

The classical approach to watermark compressed video stream is to decompress the video, then use a spatial-domain or transform-domain watermarking technique to embed the watermark into the video signal, and finally recompress the watermarked video. Alattar, Lin, and Celik (2003) point out three major disadvantages of using the classical approach and further present a faster and more flexible approach to watermark compressed video named as compressed-domain watermarking. With this approach, the original compressed video is partially decoded to expose the syntactic elements of the compressed bitstream (such as encoded discrete cosine transform [DCT] coefficients) that is modified to insert the watermark and reassembled to form the compressed watermarked video.

Patchwork (Bender, Gruhl, Morimoto, & Lu, 1996) and quantization index modulation (QIM) (Chen & Wornell, 2001) are the two known techniques for the embedding algorithm. Patchwork (Bender et al., 1996) is a statistical scheme based on a pseudorandom and statistical process. Patchwork is host image independent and can invisibly embed a specific statistic pattern (composed of several pairs of specific pixels) in a host image with a Gaussian distribution. It shows reasonably high resistance to most nongeometric image modifications. But the major disadvantage is that only one bit can be embedded in one frame. Moreover, this algorithm operates on specific pairs of points and the structure of video bitstream is changed by some adaptive processes such as transcoding. So during the detecting procedure these pairs of points at the same position are not the same as the original, or even
out of borders due to the change of image size. As a result, the extracted data are likely to be wrong. Our proposed scheme is based on the statistical property of the luminance value, but differently we use image fields instead of pairs of points to overcome the above-mentioned problems.

Chen and Wornell (2001) propose a QIM scheme for efficiently embedding and drawing out data. The QIM method embeds information not simply by adding numbers to the host signal, but by first modulating an index or sequence of indices with the embedded information and then quantizing the host signal with the associated quantizer or sequence of quantizers. During the detecting procedure, the embedded information is determined by judging the minimum distance between the embedded signal and the different quantized results. It is known that the QIM method is better than additive spread spectrum and generalized low-bits modulation (LBM) not only from the point of rate-distortion-robustness tradeoffs, but also against bounded perturbation and fully informed attacks arising in several copyright applications. Since requantization is carried out in the transcoding procedure and the quantizers are different from the ones used in the video encoding process, lots of computational errors are produced and detection is likely to fail. Our scheme improves the QIM by proposing an approach to alter the average luminance value of fields.

Routing Protocol

In recent years, a large number of ad hoc routing protocols have been proposed in the literature (Broch, Maltz, Johnson, Hu, & Jetcheva, 1998; Perkins & Royer, 1999; Per, 1999; Samir, Perkins, & Royer, 2000). In all these studies, two on-demand routing protocols show good performance: ad hoc distance vector (AODV) (Perkins & Royer, 1999) and DSR. In a scenario where a high volume of traffic goes through a static ad hoc network (by static we mean that the nodes configuration does not change or changes slowly), AODV performs better than DSR due to less additional load being imposed by source routes in data packets. Therefore our system is based on the AODV protocol.

As AODV is an on-demand protocol, each node maintains its routing table only for the routes it actually uses to communicate with other nodes. If a node wants to initiate a new communication with another node that is not in its current routing table, a route request (RREQ) is broadcast. If a node receives such a request, it looks up its routing table to find whether there is a path to the destination node. If there exists a path, it replies with a route reply (RREP); otherwise, it broadcasts the RREQ. If a node receives the same RREQ twice, it simply discards the message. Routes are maintained in the routing table as long as they send packets. If nothing is received after a predefined timeout value, the corresponding route entry is deleted. In case of node failure, neighbors on the active path send a special RREP to the source, which can start a new path discovery phase. Neighbor discovery is done either by local broadcasting of HELLO messages or by receiving a broadcast message from a neighbor, given that the links between nodes are bidirectional.

Perkins and Royer (1999) try to avoid relying on the underlying MAC-layer protocol, but no solution has been proposed to avoid the overhead created by the HELLO message. In our system the routing protocols are coupled with the address resolution protocol (ARP) as described by Desilva and Das (2000) so that we can avoid broadcasting HELLO messages. In addition, it is preferred to implement the routing protocol at link layer due to the following reasons (Johnson, Maltz, & Broch, 2001):

• Pragmatically, running the protocol at the link layer maximizes the number of mobile nodes that can participate in ad hoc networks.
• Historically, the protocol has grown from a multihop propagating version of the Internet's address resolution protocol (Plummer, 1982), as well as from the routing mechanism used in IEEE 802 source routing bridges (Perlman, 1992).
• Technically, our design would expect the protocol to be simple enough so that it could be implemented directly in the firmware inside wireless network interface cards, well below the layer 3 software within mobile nodes.
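The QIM embedding, minimum-distance detection and requantization failure described under Security Issues above can be reproduced with a pair of scalar quantizers. This is an added example, not the chapter's scheme (which alters the average luminance of fields); the step sizes, the helper names and the sample luminance values are constructed for illustration.

```python
import random


def quantize(x, step, offset=0.0):
    """Return the point of the lattice {offset + k*step} nearest to x."""
    return offset + step * round((x - offset) / step)


def qim_embed(host, bits, step):
    """Bit b selects the quantizer shifted by b*step/2; each host sample is
    replaced by the reconstruction point of the selected quantizer."""
    return [quantize(x, step, b * step / 2.0) for x, b in zip(host, bits)]


def qim_detect(received, step):
    """Minimum-distance decoding: choose the quantizer whose nearest
    reconstruction point is closest to the received sample."""
    bits = []
    for y in received:
        d0 = abs(y - quantize(y, step, 0.0))
        d1 = abs(y - quantize(y, step, step / 2.0))
        bits.append(0 if d0 <= d1 else 1)
    return bits


def bit_errors(sent, received):
    return sum(a != b for a, b in zip(sent, received))


def add_bounded_noise(samples, bound, seed):
    """Perturb every sample by at most +/- bound (constructed channel noise)."""
    rng = random.Random(seed)
    return [s + rng.uniform(-bound, bound) for s in samples]


def errors_after_requantization(bits, marked, old_step, new_steps):
    """Requantize the marked samples with each new step, as a transcoder
    would, and count the bits that no longer decode with the old step."""
    result = {}
    for new_step in new_steps:
        requantized = [quantize(v, new_step) for v in marked]
        result[new_step] = bit_errors(bits, qim_detect(requantized, old_step))
    return result


def make_sample(n=200, seed=1):
    """Constructed data: n luminance-like host values and n key bits."""
    rng = random.Random(seed)
    host = [rng.uniform(0.0, 255.0) for _ in range(n)]
    bits = [rng.randint(0, 1) for _ in range(n)]
    return host, bits


OLD_STEP = 8.0  # assumed embedding step ("old quantizer")

if __name__ == "__main__":
    host, bits = make_sample()
    marked = qim_embed(host, bits, OLD_STEP)
    distortion = max(abs(m - h) for m, h in zip(marked, host))
    print("max embedding distortion:", distortion)
    print("errors, clean channel:", bit_errors(bits, qim_detect(marked, OLD_STEP)))
    # Any perturbation smaller than step/4 leaves the nearest lattice unchanged.
    noisy = add_bounded_noise(marked, 1.9, seed=2)
    print("errors, bounded noise:", bit_errors(bits, qim_detect(noisy, OLD_STEP)))
    sweep = errors_after_requantization(bits, marked, OLD_STEP, [2.0, 3.0, 12.0, 16.0])
    for new_step, errors in sweep.items():
        print(f"requantizer step {new_step:>4}: {errors} of {len(bits)} bits wrong")
```

With the old step equal to half of the new one (8 against 16), every embedded 1 collapses onto the 0 lattice, while fine requantizers stay inside the step/4 decoding margin.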
Figure 1. Framework of Intel® IXP425

Figure 3. Real-time key embedding and key detecting process. Ki is the 128-bit key information used to encrypt the video content

Figure 4. The redundant GOPs used in key updating process. From GOPi+1 to GOPi+3 there are three GOPs that contain the redundant key messages
System Security Management

To develop a secure wireless video surveillance system, it is necessary to develop an effective video encryption algorithm, and meanwhile the secure routing protocol and system architecture should all be carefully designed to avoid serious security flaws.

Confidentiality

Data confidentiality is usually assured by encryption. However, encryption introduces large computational overhead. In a stringent environment like real-time video transmission, encryption can become the system bottleneck and it is common knowledge that full video stream encryption is not a good choice (Liu & Eskicioglu, 2003). Our video selective encryption algorithm takes advantage of the properties of monitored video to achieve secure, real-time encryption.

If the routing messages are not protected, eavesdroppers may discover the network topology by listening to the routing information and then attack the most active nodes in the network. Topology information disclosure is not a threat by itself, but it can make other attacks more efficient. However, encrypting routing information could greatly increase the overhead. The basic AODV protocol has built-in capabilities for extension headers. The secure ad hoc distance vector (SAODV) protocol is a proposal by Zapata (2005) for such extension headers. The extensions are used to send signatures and hash values that are later used for verification of the routing packets. SAODV is not meant to yield any confidentiality since this is usually not needed or desired in general ad hoc networks. The protocol does provide means to get authentication, integrity, and nonrepudiation of the routing control packets. The protocol extensions use asymmetric cryptography to achieve authentication by signing the data packets with the private key. This allows for the destination node and all intermediate nodes to validate the request. Also, this allows for the nodes to be certain that no one has altered the packets. However, some fields of the packets must change and these are signed as if they were zeroed out.

To allow for verification of the hop count field, a one-way hash chain is utilized. The initiator of the route request decides a max hop count, such as 10 or 15. It also generates a random value which is sent as the hash for the first hop count. The value is also hashed the max hop number of times, producing a so-called top hash. Each node can verify the hop count by checking that the incoming hash value, hashed max hop count minus the current hop count number of times, is equal to the top hash. Since the top hash value is not changed, and thus signed,
this provides the means to authenticate even the mutable hop count.

The SAODV extensions allow for two different ways for nodes to reply to a route request. The first way is to only allow the destination to reply. In this way the protocol works as described above. The destination node creates a route reply and signs it using its own secret key. The route reply is sent according to the usual AODV and each intermediate node can verify the reply and discard it if not valid. This approach does not consider the possibility of having intermediate nodes reply directly if they do have a valid route already. To add the ability for route discovery optimization a double signature scheme is devised. For each route request a second signature is added to the packet. This signature is stored in each intermediate node when they set up the reverse route. Later on, when a new route is needed because of node movement between the two peers, an intermediate node that still has a route can reply directly by also including the second signature and the original signature (Yin et al., 2005). In addition to this, the actual life time is also sent in the reply, which is signed by the intermediate node that sends the reply.

Authentication

The host-to-host authentication between the camera and the monitoring center is achieved by data encryption. But in ad hoc networks, we also have to consider the problem of neighbors' authentication, as nodes are "observing" the external world through the "eyes" of their neighbors. The neighbors must be authenticated before any other communication can be initiated. In a nonauthenticated environment, external nodes can insert themselves in the data path and then collect, disrupt, or corrupt the information using man-in-the-middle or black and grey hole attacks. To reduce the effect of computational power consumption attacks, the authentication scheme is performed at link layer. Neighbors' authentication is assured by a certificate-based approach (Stallings, 1999) which provides practical solutions for data integrity, authentication, and nonrepudiation. The practical protocol is presented by Luo, Zerfos, Kong, Lu, and Zhang (2002).

Reactive Protection Scheme

The ad hoc environment is usually considered as physically insecure. For instance, cameras can easily be stolen or corrupted. A corrupted camera node can be used as a Byzantine enemy (Lamport, Shostak, & Pease, 1995) to attack the rest of the network. However, resources in the ad hoc network are limited due to the embedded nature of the nodes; especially computational power is the system bottleneck. In this situation, signing every packet between every node is not realistic for real-time multimedia streaming. Besides, if a malicious entity controls a node, it also controls the authentication keys, and systematic authentication is not useful against this type of attack.

In our system only routing protocol messages are systematically signed and time-stamped to avoid basic attacks such as erroneous routing packet flooding. To prevent more subtle attacks like grey hole or session hijacking, we use the existing knowledge about the data stream (e.g., continuity, stability, fixed length, etc.) to detect misbehavior in the trusted network. Nodes which have detected misbehaving peers break the routes coming from the suspected nodes so that further traffic is ignored until a new (authenticated) route request is broadcast. The level of intrusion detection capability depends on the computational power. The system would have a misbehaving threshold beyond which the system will cut itself from the rest of the network. The level of the threshold and the way to isolate the node from the network are worth further investigation.

Key Distribution

The key distribution solution proposed by Luo et al. (2002) has been chosen to safely distribute and refresh encryption keys and periodically check integrity of the camera nodes. This protocol is based on the threshold secret sharing proposed by Shamir (1979) and improves the shares refreshing proposed by Herzberg, Jarecki, Krawczyk, and Yung (1995). The system is based on RSA public key signatures. Each node gets a simple certificate in the form <v_i, pk_i, T_sign, T_expire> where v_i is the identification
number of the nodes, pk_i is the public key, T_sign is the time that the certificate is created, and T_expire is the certificate expiration time.

SYSTEM PERFORMANCE EVALUATION

This section will test the performance of the system we designed and meanwhile introduce one approach to evaluate such a system, which may be applied to general wireless video surveillance systems.

Testing Environment

The testing procedure involves three steps. First we evaluate the video encoding and encryption algorithms, along with the basic network stack evaluation on a single link. In the second step, we measure the performance of a node for transmitting traffic to other nodes. The third step is a simulation study of a large scale network in order to analyze how the system evolves when the number of cameras increases.

• Single node capability: The testbed is composed of an IXP425 network processor and its evaluation board. The network interface of the camera node is a wireless 802.11g compatible network interface. A desktop computer equipped with the same network interface is used to stand for the monitoring center and to test the video decryption and playback.
• Routing capability: A set of low cost computers is equipped with wireless network interfaces and generates traffic towards the tested node. Different physical dispositions are set to test one-hop and multihop routing performance.
• Scalability: Large scale experiments are very challenging because they require too much hardware. We plan to use the results obtained from Steps 1 and 2 to build a realistic model of the node and simulate a large scale system.
• Nodal processor: Intel IXP425 network processor is chosen as the nodal processor of our system. Intel IXP425 is a member of Intel's IXP4XX product line of network processors, for small-to-medium enterprise, consumer, and other edge network applications. Like Intel's high-end network processors of the IXP2k series, IXP425 is also a multicore system that employs system-on-chip (SoC) techniques to support multiple WAN and LAN technologies in a highly integrated and versatile architecture. The Intel XScale core at up to 533 MHz provides headroom for customer-defined applications. It also supports a single-instruction stream multiple-data stream (SIMD) coprocessor for multimedia application acceleration. In our system, video encoding and watermark embedding are performed on XScale with optimization towards the SIMD coprocessor. Three network processor engines (NPEs), like a micro-engine of the IXP1k, 2k network processors, are designed to complement the Intel XScale core for many computationally intensive data plane operations. These tasks include IP header inspection and modification, packet filtering, packet error checking, checksum computation, and flag insertion and removal. The NPE architecture includes an ALU, self-contained internal data memory, and an extensive list of I/O interfaces, together with hardware acceleration elements. The hardware acceleration elements associated with an NPE target a set of networking applications. Each hardware acceleration element is designed to increase the speed of a specific networking task that would otherwise take many MIPS to complete by a standalone RISC processor. Among these functions, cryptographic hardware accelerators (SHA-1, MD5, DES, 3DES, AES) in NPEB are used in our application for selected video encryption.

Experiments on Key Embedding Algorithm

This subsection focuses on the performance evaluation of the key embedding algorithm in a wireless
environment. The algorithm is implemented on the platform of the Intel IXP425 network processor.

We use two MPEG-2 test sequences, dinosaur and live-captured video, which are both encoded at 640x480 size and 20fps using 500 frames. The sequences are selected because of their different characteristics in motion and scene change. Dinosaur contains fast motion and scene change, while live-captured video contains slow motion and a fixed scene. Besides, we should face the challenge derived from packet loss and bit error. We test the system in a real wireless network environment. The last module is a key detecting and decoding module, which contains the selective encryption algorithm, MPEG-4 decoder, and the key embedding algorithm. They are used to decrypt the bitstream using the old session key, and then detect the embedded key messages and decode the compressed video into playback video.

Based on this platform, we conduct a series of experiments to evaluate the system performance (Yin et al., 2005). The source-coding distortion introduced by our key embedding algorithm is illustrated in Figure 5. The video clip is MPEG-2 encoded with different modulation cycles. It is then transcoded and decoded by the MPEG-4 decoder. All the four pictures are selected from the playback video. Obviously, the modulation cycle is the most important factor that affects the quality of the video sequence. When the modulation cycle is no larger than 4, the distortion derived from key embedding can be neglected. Figure 6 illustrates the PSNR of the dinosaur sequence at the receiver side. It is worth noting that the larger modulation cycle can degrade not only the PSNR, but also introduce PSNR fluctuation, while a modulation cycle less than 4 can provide a good quality of video.

Figure 7 illustrates the number of error bits found in the detection of all the 200 bits in a frame against the modulation cycle C. The downscaling in the transcoder reduces half of the width and height of the original video. This procedure reduces the blocks in each field, but does not have too much impact on the detection quality. However, it can be seen that the requantization greatly impacts the detection quality when the modulation cycle is less than 3. As shown in Figure 7, when the quantizer in the requantization (denoted by "new quantizer" in the figure) is higher and the quantizer in the source encoding (denoted by "old quantizer" in this figure) is closer to half of "new quantizer," more error bits appear in the detection procedure. When the modulation cycle is more than 4, errors have almost disappeared.
Figure 5. The effect of security management on video

Figure 6. The PSNR of frames and the probability of successfully detecting 200 bits in a frame changed with the modulation cycle at the receiver

Figure 7. Average error bits in total 200 bits embedded in an I-frame after transcoding with different modulation cycles and quantizers

Figure 8. Average error bits in total 200 bits of a GOP by using different packet loss rates, (a) RS code is not used, while (b) RS (25, 17) code is used
Figure 8 reveals the average error bits when receiving 200 bits of data vs. the packet loss rate in the network. It can be seen that the extracted data error rate in a GOP rises as the packet loss rate increases. Usually the bitstream of an I-frame is divided into more than 10 packets for transmission in the network. As a result, key information is distributed into all the packets and the loss of packets leads to some error bits of the extracted key message.

As for the coding speed, Table 1 shows the coding time between the key embedded coding scheme and a pure MPEG-2 encoder without data embedding. We can find that after the introduction of the key embedding algorithm, the processing time is only increased by around 6%.
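The SAODV hop-count hash chain described in the Confidentiality subsection above can be exercised as follows. This is an added example, not code from the chapter or from the SAODV proposal; SHA-256, the field and function names, and the omission of the originator's signature (max_hop_count and top_hash are treated as already signature-checked) are assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, replace


def H(data: bytes) -> bytes:
    """One step of the one-way chain (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def hash_n(data: bytes, n: int) -> bytes:
    """Apply H to data n times."""
    for _ in range(n):
        data = H(data)
    return data


@dataclass(frozen=True)
class RouteRequest:
    # Immutable fields: covered by the originator's signature (not modelled).
    max_hop_count: int
    top_hash: bytes
    # Mutable fields: signed as if zeroed, protected by the hash chain instead.
    hop_count: int
    hash_value: bytes


def originate(max_hop_count: int, seed: bytes = None) -> RouteRequest:
    """Initiator: pick a random seed, publish it as the hash for hop count 0,
    and publish top_hash = H^max_hop_count(seed)."""
    seed = os.urandom(32) if seed is None else seed
    return RouteRequest(max_hop_count, hash_n(seed, max_hop_count), 0, seed)


def verify_hop_count(rreq: RouteRequest) -> bool:
    """Receiver check: H^(max_hop_count - hop_count)(hash_value) == top_hash."""
    if not 0 <= rreq.hop_count <= rreq.max_hop_count:
        return False
    expected = hash_n(rreq.hash_value, rreq.max_hop_count - rreq.hop_count)
    return hmac.compare_digest(expected, rreq.top_hash)


def forward(rreq: RouteRequest) -> RouteRequest:
    """Intermediate node: verify first, then increment the hop count and
    advance the chain by one step before rebroadcasting."""
    if not verify_hop_count(rreq):
        raise ValueError("hop count does not match hash chain")
    if rreq.hop_count >= rreq.max_hop_count:
        raise ValueError("hop limit reached")
    return replace(rreq, hop_count=rreq.hop_count + 1,
                   hash_value=H(rreq.hash_value))


def with_claimed_hop_count(rreq: RouteRequest, claimed: int) -> RouteRequest:
    """Test helper: same packet with the hop count field rewritten and the
    hash field left untouched, as a node without the earlier chain values
    would have to send it."""
    return replace(rreq, hop_count=claimed)


if __name__ == "__main__":
    rreq = originate(max_hop_count=10)
    for _ in range(4):
        rreq = forward(rreq)
    print("honest packet at hop", rreq.hop_count, "->", verify_hop_count(rreq))
    # Lowering the hop count would need a preimage of the current hash value.
    lowered = with_claimed_hop_count(rreq, 2)
    print("hop count rewritten to 2 ->", verify_hop_count(lowered))
```

A receiver runs verify_hop_count only after the signature over the immutable fields has been validated, since the check is meaningless against an attacker-chosen top_hash.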
Simulation of Routing Protocols

Preliminary simulations on AODV have been conducted in order to validate the choice of the routing protocol. The objective here is to have a qualitative evaluation of the routing protocol. Simulations have been conducted using the NS2 simulator.

The arrows in Figure 9(a) represent the stream paths and we can see that the nodes are choosing the shortest paths to reach the monitoring center in order to reduce the number of hops per path in comparison with an architectural network.

Figure 9(b) reveals the volume of traffic received by each node in the scenario where a few cameras are placed at different floors in a building and the distances between the nodes are greatly exaggerated (we do not consider the effect of reverberation against obstacles here). The figure shows that the monitoring center is the bottleneck of the architecture. This is inevitable in a monitoring system where all the streams are converging in one point. However, this phenomenon implies that the overall capacity is limited by the performance of the monitoring center.

Table 1. Complexity of the key embedding algorithm

Sequence                                        Dinosaur   Live-captured
Encoding speed without embedding (frame/sec)    35.45      37.27
Encoding speed with embedding (frame/sec)       33.50      35.00
Increased processing time (%)                   5.8%       6.5%

Figure 9(a). Topology of a small monitoring system

FUTURE TRENDS

With the continuing need for video surveillance in both fixed and remote locations, new advances in wireless networking would enable the development of a more secure, highly reliable wireless video network capable of supporting real-time high speed, high resolution video, and meanwhile maintaining the highest levels of data and network security without impacting the video stream. Technical trends and key issues in the wireless video system may include:

• Load balanced routing protocols: One problem of the routing protocol is that it is not reactive to the load in each node. Under the particular topology, if a node has a more critical location than others, a large portion of the traffic may converge toward the node and it may probably collapse under the heavy traffic. It would be more desirable for an ad hoc network that the routing protocol
fairly distributes the traffic load among the nodes.
• Local misbehavior detection system: The system also needs to detect misbehaving neighbors. Only a few recent studies (e.g., Kargl, Klenk, Schlott, & Weber, 2005; Marti, Giuli, Lai, & Baker, 2000) have been conducted and reported in this field. Besides, in our case, misbehavior detection capability is limited by the computational power of the nodes. We hope to find an adaptive mechanism to suit our applications.
• Scalability: As demonstrated by the simulation results of our network layer, the monitoring center, as the only nondistributed component, is the bottleneck of the system. Some solutions must be found to scale the network size as far as possible.

CONCLUSION

A distributed video surveillance system typically consists of many video sources distributed over a wide area, transmitting live video streams to a central location for processing and monitoring. However, in the traditional wire-line solution, the deployment and maintenance of a large-scale video surveillance system are often expensive and time-consuming. Thus there has been strong interest in wireless solutions. But the practical implementation of a wireless surveillance system still faces the challenges of framework design of the wireless network, video processing, video data transmission, video quality control, and system security. Among them, system security is the most challenging problem and is also the main concern in this chapter.

This chapter has presented the state-of-the-art cross domains of wireless communication, video processing, embedded systems, and security, through the design of a new secure video surveillance system. This system is based on the 802.11g ad hoc wireless infrastructure. Intel IXP425 network processors are used as the basic processing unit. A media-dependent video encryption scheme, including reliable data embedding technique and real-time video encryption algorithm, has been proposed and implemented to enable the system to work in an open and insecure wireless environment. The presented system offers several unique advantages: (1) it provides high security guarantee; (2) it does not require expensive access points/routers; (3) it can be readily deployed since it is built upon the existing wireless ad hoc infrastructure; and (4) it is robust in the presence of and adaptive mechanism and error-prone channel. This chapter would serve as a good reference for solving the issues of wireless multimedia and would bring new insights on the interaction of different technologies within the cross application domain.

ACKNOWLEDGMENT

This work was supported in part by grants from the National Natural Science Foundation of China (No. 60673184, No. 60432030, No. 60429202, No. 90412012), national 863 program of China (No. 2007AA01Z419) and Microsoft Joint lab funding.

REFERENCES

Alattar, A.M., Lin, E.T., & Celik, M.U. (2003). Digital watermarking of low bit-rate advanced simple profile MPEG-4 compressed video. IEEE Transaction on Circuits and Systems for Video Technology, 13(8), 787-800.

Allman, S. (2002). Encryption and security: The advanced encryption standard. EDN (pp. 26-30). Retrieved October 7, 2007, from http://www.edn.com/article/CA2html?ref=nbsa

Basgall. (1999). Experimental break-ins reveal vulnerability in Internet, Unix computer security. Retrieved October 7, 2007, from http://www.cs.duke.edu/news/index.php?article=16

Bender, W., Gruhl, D., Morimoto, & Lu, A. (1996). Techniques for data hiding. IBM System Journal, 38(3-4), 313-316.
Borisov, N., et al. (2003). Intercepting mobile communications: The insecurity of 802.11. In Proceedings of MOBICOM 2001 (pp. 180-189).

Broch, J.D., Maltz, A., Johnson, D.B., Hu, Y.-C., & Jetcheva, J. (1998). A performance comparison of multi-hop wireless ad-hoc network routing protocols. Mobile Computing and Networking, 85-97.

Chen, B., & Wornell, G.W. (2001). Quantization index modulation: A class of provably good methods for digital watermarking and information embedding. IEEE Transaction on Information Theory, 47(4), 1423-1443.

Desilva, S., & Das, S.R. (2000). Experimental evaluation of a wireless ad hoc network. In Proceedings of the 9th International Conference on Comp. Comm. & Networks (pp. 528-534).

Garcia-Macias, J.A., et al. (2003). Quality of service and mobility for the wireless Internet. ACM Wireless Networks, 9, 341-352.

Haas, Z. J. (1999). The Performance of the zone routing protocol in reconfigurable wireless networks. Special Issue on Wireless Ad Hoc Network, IEEE Journal on Selected Areas in Communications, 17(8).

Herzberg, A., Jarecki, S., Krawczyk, H., & Yung, M. (1995). Proactive secret sharing or: How to cope with perpetual leakage. Lecture Notes in Computer Science, 963, 339.

IEEE. (2003). 802.11g IEEE Std 2003. Retrieved October 7, 2007, from http://grouper.ieee.org/groups/802/11/

Intel. (2006). Intel® IXP425 network processor. Intel product brief. Retrieved October 7, 2007, from http://www.intel.com/design/network/products/npfamily/ixp425.htm

Johansson, P., Larsson, T., Hedman, N., Mielczarek, B., & Degermark, M. (1999). Scenario-based performance analysis of routing protocols for mobile ad-hoc networks. In Proceedings of ACM Mobicom'99 (pp. 195-206).

Johnson, D.B., Maltz, D.A., & Broch, J. (2001). DSR the dynamic source routing protocol for multihop wireless ad hoc networks. Ad hoc networking (pp. 139-172). Addison-Wesley.

Kargl, F., Klenk, A., Schlott, S., & Weber, M. (2005). Advanced detection of selfish or malicious nodes in ad hoc networks. Paper presented at the First European Workshop on Security in Ad-hoc and Sensor Networks (LNCS 3313, pp. 152-165).

Lamport, L., Shostak, R., & Pease, M. (1982). The Byzantine generals problem. ACM Transactions on Programming Languages and Systems, 4(3), 382-401.

Liu, X., & Eskicioglu, A. (2003, November 17-19). Selective encryption of multimedia content in distributed networks: Challenges and new directions. Paper presented at the IASTED International Conference on Communications, Internet and Information Technology (CIIT 2003), Scottsdale, AZ.

Luo, H., Zerfos, P., Kong, J., Lu, S., & Zhang, L. (2002). Self-securing ad hoc wireless networks. In Proceedings of the Seventh IEEE Symposium on Computers and Communications (ISCC '02) (pp. 567-574).

Marti, S., Giuli, T.J., Lai, K., & Baker, M. (2000). Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of International Conference on Mobile Computing and Networking (pp. 255-265).

Perkins, C.E., & Royer, E.M. (1999). Ad-hoc on-demand distance vector routing. In Proceedings of the 2nd IEEE Workshop on Mobile Computing Systems and Applications, New Orleans, (pp. 90-100).

Perlman, R. (1992). Interconnections: Bridges and routers. Reading, MA: Addison-Wesley.

Plummer, D.C. (1982, November). An Ethernet address resolution protocol: Or converting network protocol addresses to 48.bit Ethernet hardware (RFC 826).

Samir, R.D., Perkins, C.E., & Royer, E.E. (2000). Performance comparison of two on-demand routing protocols for ad hoc networks. In Proceedings of IEEE INFOCOM (pp. 3-12).
Chapter XXXIII
Cutting the Gordian Knot:
Intrusion Detection Systems in
Ad Hoc Networks
Amitabha Das
Nanyang Technological University, Singapore
Boon-Chong Seet
Auckland University of Technology, New Zealand
Bu-Sung Lee
Nanyang Technological University, Singapore
ABSTRACT
Intrusion detection in ad hoc networks is a challenge because of the inherent characteristics of these
networks, such as, the absence of centralized nodes, the lack of infrastructure, and so forth. Furthermore,
in addition to application-based attacks, ad hoc networks are prone to attacks targeting routing proto-
cols. Issues in intrusion detection in ad hoc networks are addressed by numerous research proposals in
literature. In this chapter, we first enumerate the properties of ad hoc networks which
detection systems. After that, significant
intrusion detection system (IDS) architectures and methodolo-
gies proposed in the literature are elucidated. Strengths and weaknesses of these works are studied and
are explained. Finally, the future directions which will lead to the successful deployment of intrusion
detection in ad hoc networks are discussed.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
characteristics of ad hoc networks. Chief among the characteristics, which affect the design of an effective security framework for such networks, are the highly distributed, decentralized, and dynamic natures of ad hoc networks. These properties, coupled with the lack of infrastructure in ad hoc networks, introduce some unprecedented issues, which are absent and have never been explored in conventional networks.

A typical security system consists of two major components. The first is the intrusion prevention mechanism that aims to control access to the system and relies mainly on cryptographic techniques. The second one is the intrusion detection system that tries to detect if the prevention mechanism has been compromised by intruders, and if so, come up with an appropriate response to combat such intrusions. The intrusion detection system (IDS) thus forms the second line of defense (Nadkarni & Mishra, 2003).

Cryptographic techniques rely on secure key management and key distribution which require supporting infrastructure. The lack of infrastructure makes it extremely difficult to implement cryptographic access control mechanisms in ad hoc networks. This makes intrusion detection all the more important for such networks. However, it turns out that the inherent characteristics of ad hoc networks render conventional IDS unsuitable for such networks. This has spawned the research in ad hoc IDS design (Brutch & Ko, 2003).

This chapter illustrates the difficulties in providing an efficient intrusion detection system for ad hoc networks. In doing so, it discusses in detail interesting ad hoc IDS models proposed in literature. The strengths and weaknesses of these models are explained and promising future directions for cutting the Gordian knot of ad hoc IDS are discussed.

Background

Although various analyses on intrusion detection mechanisms can be seen in the literature, only few qualify as significant. Mishra, Nadkarni, and Patcha (2004) give a detailed overview of various ad hoc IDS architectures and methodologies. They offer an extensive analysis and understanding of IDS in ad hoc networks. A comprehensive comparison between various proposed intrusion detection systems for ad hoc networks is discussed. Selected architectures and detection strategies explained by Mishra et al., which were found significant, are detailed in this writing.

Zhang, Huang, and Lee (2005) propose an evaluation environment for MANET (mobile ad hoc network) intrusion detection systems. They emulated routing attacks and evaluated application-based intrusion detection architectures over it. The work introduces a novel concept of evaluating ad hoc IDS models using known attacks. Routing attack libraries are used, which exhibit attack scenarios over the IDS model under evaluation. The IDS models are evaluated for operational cost and effectiveness. Detection accuracy and false alarms are the primary evaluation parameters for assessing the IDS model, in terms of detection effectiveness. The work is significant in providing a test-bed for ad hoc IDS models. Similarly, Little (2005) proposes a test-bed called TeaLab for ad hoc IDS design.

Concurrent to simulation-based ad hoc test-beds, Yang and Baras (2003) mathematically analyze vulnerabilities in ad hoc networks. The authors provide a great deal of understanding to the attack possibilities in ad hoc domain. Mathematical methods find attacks exhaustively. In this theoretical analysis all possible attacks are hypothesized. This comprehensive vulnerability analysis aids in the design of an effective ad hoc IDS.

Characteristics of Ad Hoc Networks

Ad hoc networks differ from native wired/wireless networks in various aspects. These unique characteristics of ad hoc networks render typical security systems unsuitable (Awerbuch, Curtmola, Holmer, Rubens, & Nita-Rotaru, 2005; Papadimitratos & Haas, 2002). The fundamental concept of ad hoc networks is to have seamless connectivity without infrastructure or centralized control. The lack of infrastructure and a centralized control node makes it hard for security systems to be implemented. Furthermore, factors such as mobility, physical protection, and so forth affect the design of effective security models for ad hoc systems. These factors are enumerated below.

Lack of Infrastructure

Ad hoc networks do not have a fixed infrastructure. Typically, in conventional networks, the infrastructure provides a secure location for the implementation of critical security mechanisms (Debar, Dacier, & Wespi, 1999). Due to the absence of infrastructure, ad hoc networks do not provide a safe and efficient location to implement the security system. Additionally, operations such as control, maintenance, and other administrative functions have become hard in a distributed and infrastructure-less network. The only and apparent resort is to install these critical modules in end-user nodes. Implementing critical security systems in unreliable end-user nodes poses a real challenge.

Absence of a Central Authority

Conventional networks have traffic concentration areas, otherwise called choke points, where security systems can be placed and implemented efficiently. Control nodes are placed in these choke points to monitor and control the network. Absence of centralized authority makes the network monitoring and control a challenging issue for ad hoc networks.

Every node in an ad hoc network has equal responsibility in network functions, such as routing, maintenance, and so forth. This unique characteristic will distribute the control authority to all nodes in the network. Nodes have to rely on other neighbor nodes for routing and data forwarding. In other words, nodes have to trust neighbor end-user nodes for critical functions. As neighbors can be potential attackers, trusting unknown neighbors is precarious to the integrity of security and other critical systems.

The above two issues are the crux of the security concern in the ad hoc network paradigm. The following are additional factors which also affect ad hoc network security design, but to a lesser degree.

Wireless Links

In respect to security, wireless links are the weakest. This is due to the omnipresence of the wireless channel and ease of physical access to the channel. Attacks such as eavesdropping, active masquerading, and so forth are more possible in wireless networks than in a wired network. Furthermore, the most notorious of all attacks, the denial-of-service (DoS) attacks, can be achieved easily in wireless networks by jamming the wireless channel or by routing attacks.

Poor Physical Protection

Usually, the nodes in an ad hoc network are mobile and easily accessible physically. This raises concerns of physical protection of these devices. A single compromised node can bring down the entire network due to its prerogatives in the network.

Energy Constraints

Since ad hoc network nodes are mostly mobile and wireless, energy constraints are also a security issue. Typical symmetric encryption algorithms such as 3DES (triple data encryption standard), AES (advanced encryption standard), and asymmetric encryption algorithms such as RSA (Rivest, Shamir, and Adleman) and its variants incur high computation which may drain the battery of the mobile node. Additionally, energy-targeted attacks such as SDT (sleep deprivation torture), which aims to drain the mobile node’s battery, also need consideration while designing ad hoc security system (Jacoby, Marchany, & Davis, 2004).

Unsuitability of Static Configurations

The obvious and immediate security solution for infrastructure-less and decentralized network is to provide static security systems installed in nodes. Ad hoc networks are mostly implemented over
over the network. Passive attacks such as route monitoring and so forth try to eavesdrop for stealing sensitive information (Kong, Hong, & Gerla, 2003). To illustrate some of the difficulties and to familiarize routing insecurity in ad hoc networks, a trivial attack scenario is considered.

Let us examine route invasion, which is a trivial but destructive attack. In Figure 1(a), the benign route between S and D is through 1. In Figure 1(b), Node M sends a malicious routing control message, stating that it has a better route to D than through Node 1. This modifies the path for S-D from S-1-D to S-M-2-3-D. The modified path is not only inefficient; it includes the malicious Node M into the path. This extends the attack possibilities for the malicious node M on node A or B. To thwart intrusion detection, Node M can impersonate Node 1 and can provide falsified routing information which supports its cause. Due to the absence of centralized authority and infrastructure, Node S has no trusted arbiter to get advice regarding whether the announced path is benign or otherwise. Malicious Node M has free access to the wireless channel and can exhibit anonymous routing attacks over S.

Static crypto systems fail here, due to poor physical protection, energy, and delay constraints. In the absence of centralized authority, dynamic crypto systems are not possible. Critical security systems such as key management, admission/access control, and authentication become hard to implement due to the lack of infrastructure. Analogous to IP spoofing, ad hoc routing protocols are prone to spoofing. However, unlike IP, spoofing in ad hoc networks is done at the routing protocol rather than the IP. Generically, ad hoc security needs to prevent or detect spoofing. However, the issue is more serious than in IP, since the target of the attack is the routing protocol itself.

Mobility and transient associations and dynamicity make the detection of malicious routing control messages impractical. In the above example, Node S will not be able to determine with its local knowledge whether Node M is on a shortest route to D or acting maliciously. Because, even if Node M is not on a shortest/optimal path to Node D now, due to changing topology, that may change at a point of time in the future. In other words, a malicious behavior highly resembles another benign behavior. Therefore, intrusion detection becomes very challenging.

Intrusion Detection Techniques

Intrusion detection systems are mechanisms which provide a “second wall of defense” (Nadkarni & Mishra, 2003) for the network system. In other words, IDS is a backup, in case the frontline security mechanisms fail. Therefore, IDS fundamentally assumes that cryptographic systems do not prevail or have failed. As mentioned earlier, IDS in ad hoc networks cannot trust information from other nodes. This limits the knowledge sharing between the nodes. Knowledge in IDS is the new benign/malicious behavior patterns. Typical systems use an arbiter (centralized) node to facilitate knowledge sharing. However, the absence of any centralized node in ad hoc networks renders knowledge sharing unreliable. Unreliable information in a security system is worth no information at all.

Conventional IDS are functional in the application layer and monitor and detect malicious behavior exhibited by applications, such as telnet, FTP, SMTP, and so forth. In rare cases, relatively simple IDS, such as firewalls, are implemented in the IP layer. However, ad hoc networks’ necessity for routing security has brought forth the need to implement IDS, which monitors and detects routing protocols, such as AODV, OLSR, DSR, and so forth. An IDS design for a routing protocol is an unexplored area of research. The requirements of IDS for a routing protocol differ vastly from the conventional IDS mechanisms.

Research in ad hoc IDS design is still in the rudimentary stages. Some research works (Hijazi & Nasser, 2005) on ad hoc IDS, which try to cut the Gordian knot, follow strongly the IDS design methodologies of native IDS counterparts. In addition, most of the IDS models proposed in the literature focus on application-level IDS. The assumption that application-level IDS for ad hoc networks will suffice is the major weakness of these works. Therefore, though these IDS models consider ad hoc network characteristics and provide a decentralized and distributed IDS, they fail to address the routing insecurity.

Zhang, Lee, and Huang (2003) propose a distributed and decentralized IDS system at the routing layer but fail to describe the routing-level IDS model. Their work is similar to other research models on ad hoc IDS design, which provide application-level IDS. Eventually, Huang and Lee (2004) analyze AODV intensively and provide a strong understanding of AODV and a guide to design an AODV IDS at routing layer. However, they fail to state the statistical methodologies used in the IDS design.

In what follows, the existing IDS models are enumerated and their strengths and weaknesses are analyzed. Additionally, the feasibility of implementation of these methods is studied.

ing methodologies: misbehavior detection and anomaly detection. Misbehavior detection uses known malicious behavior patterns for comparison at the detection module. Anomaly detection uses known normal behavior patterns and measures the deviation of the node’s behavior from the known normal behavior patterns.

The main strength of misbehavior detection is that the probability of false alarm is quite low. However, the probability of detection is also low, as unknown attacks will skip detection. On the contrary, anomaly detection increases the probability of detection at the cost of increased false alarm rates. Typically, both mechanisms are used in concurrence to define a tradeoff point between probability of detection and false alarm rates.

Ad Hoc Network IDS Requirements
lack of similar research on routing behavior audits for ad hoc networks raises an interesting question on the suitability of statistical approaches for ad hoc IDS. This is another unexplored research area in ad hoc security.

Hybrid detection strategies combine the above two approaches. Hybrid mechanisms are expected to perform better than the two approaches, since they incorporate semantics (rule-based systems) and statistical intelligence. This is in fact supported by conventional IDS models where hybrid systems are usually superior.

In the ad hoc IDS paradigm, these detection methodologies face numerous shortcomings. A major impediment is the lack of features describing a routing behavior. Features are parameters or values describing a behavior. For example, the number of server logins is a feature describing a user behavior over server-client-based application layer protocol. Similarly, delay between two routing requests is an example of a feature describing a routing behavior. Typically, in a user behavior, the number of features can extend from 40-100 or more. On the contrary, a routing control message has very few independent features. The content of a routing message is kept as minimal as possible to increase the routing efficiency. This has decreased the feature set describing a routing behavior. Different protocols have different features and the feature set is highly protocol dependent.

Inference

It can be inferred that an ad hoc IDS model requires a complete reconstruction of the current conventional IDS architecture. An IDS which functions with only local knowledge, without a centralized node, adapts to dynamic environments, and efficiently identifies malicious behavior will be a magnum opus in the field of ad hoc network security. Additionally, functions such as learning new attacks (part of adaptation) without corrupting the local knowledge base will be beneficial (Hossain, Bridges, & Vaughn, 2003; Pokrajac & Lazarevic, 2004). Learning is itself a dynamic process; therefore learning in a highly dynamic, distributed, decentralized, and insecure environment will be challenging.
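The trade-off between misbehavior detection and anomaly detection, applied to the single routing feature named above (delay between two routing requests), can be made concrete with the following added example, which is not code from the chapter or from any of the cited authors. The audit trails, the signature (a run of very short delays), and the thresholds are all constructed assumptions for illustration.

```python
from statistics import mean, stdev

# Constructed audit trails: arrival times (seconds) of routing requests
# observed locally from one neighbor. None of this is measured data.
BASELINE = [0.0, 2.1, 3.9, 6.0, 8.2, 10.1, 12.0, 13.8, 16.0, 18.1]  # known normal behavior

TRACES = {
    # name: (timestamps, constructed ground-truth label)
    "normal":            ([0.0, 1.9, 4.0, 6.1, 8.0, 10.2], "benign"),
    # benign node re-requesting routes more often, e.g. after a topology change
    "benign_burst":      ([0.0, 1.2, 2.3, 3.5, 4.6, 5.8], "benign"),
    # behavior that matches the stored malicious pattern
    "known_pattern":     ([0.0, 0.05, 0.10, 0.15, 0.20, 0.25, 0.30], "malicious"),
    # malicious behavior for which no pattern is stored
    "unknown_deviation": ([0.0, 0.5, 1.0, 1.4, 1.9, 2.4], "malicious"),
}

# Assumed parameters (hypothetical values, not taken from the chapter).
SIGNATURE_MAX_DELAY = 0.1   # seconds: delay considered part of the known pattern
SIGNATURE_RUN = 5           # consecutive short delays needed to match the pattern
Z_LIMIT = 3.0               # deviation from the baseline, in standard deviations


def delays(timestamps):
    """Feature extraction: delay between two consecutive routing requests."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def misbehavior_detect(timestamps):
    """Rule-based detection: compare against a known malicious behavior pattern."""
    run = 0
    for delay in delays(timestamps):
        run = run + 1 if delay < SIGNATURE_MAX_DELAY else 0
        if run >= SIGNATURE_RUN:
            return True
    return False


def anomaly_detect(timestamps, baseline=BASELINE):
    """Statistical detection: measure deviation from known normal behavior."""
    normal = delays(baseline)
    z_score = abs(mean(delays(timestamps)) - mean(normal)) / stdev(normal)
    return z_score > Z_LIMIT


def hybrid_verdict(timestamps):
    """Hybrid: a pattern match is an alert; a statistical deviation alone is only suspect."""
    if misbehavior_detect(timestamps):
        return "alert"
    if anomaly_detect(timestamps):
        return "suspect"
    return "normal"


def rates(detector):
    """Return (detection rate, false alarm rate) of a detector over TRACES."""
    malicious = [ts for ts, label in TRACES.values() if label == "malicious"]
    benign = [ts for ts, label in TRACES.values() if label == "benign"]
    detection = sum(detector(ts) for ts in malicious) / len(malicious)
    false_alarm = sum(detector(ts) for ts in benign) / len(benign)
    return detection, false_alarm


if __name__ == "__main__":
    print("misbehavior detection (detection, false alarm):", rates(misbehavior_detect))
    print("anomaly detection     (detection, false alarm):", rates(anomaly_detect))
    for name, (timestamps, label) in TRACES.items():
        print(f"{name:18s} truth={label:9s} hybrid={hybrid_verdict(timestamps)}")
```

With only one feature available, the benign burst and the unknown deviation receive the same "suspect" verdict, which is the scarcity-of-features problem the text describes.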
tion, which will eventually corrupt the information base of the entire network. Finally, in a network with transient associations, feasibility of mobile agents is questionable.

Stationary Secure Database IDS

Andrew (2001) proposes an IDS architecture which consists of a stationary secure database (SSD). Nodes post new information and decisions into this database. The architecture is simple, as shown in Figure 4. Only detection processing is done on the host and the information is stored in a secure stationary centralized point.

The other components of the IDS are typical, namely, misbehavior detection module (MDM), anomaly detection module (ADM), and communication port. These components form the mobile agent. A local intrusion database is also used to store node specific attack patterns and temporary information. The mobile agents will publish the newly found attack pattern to the SSD, only after a certain level of confidence is reached. The communication port is used to communicate with the other nodes’ host-based intrusion detection system.

Apparently, it can be seen that stationary secure database (SSD) conflicts with the ad hoc characteristic of the absence of centralized authority. Even if a node is voted as the centralized node using trust mechanisms, there is no surety that the node will behave benignly. Furthermore, a malicious node can corrupt the SSD by sending incorrect intrusion detection information. SSD creates a hot spot, which is a single point of failure. Additionally, SSD assumes cryptographic mechanisms on the communication between the IDS and SSD. This violates the fundamental principle of IDS, which assumes “no existence of cryptographic mechanisms.”

Modular Intrusion Detection Architecture

Kachirski and Guha (2002) propose an IDS where the intrusion-detection system is modularized into various submodules, as shown in Figure 5.

The submodules are network monitoring, host monitoring, decision making, and response (action) modules. The modules are implemented in mobile agent framework. Network monitoring is packet monitoring over the network. Host monitor-
Figure 5. Modularized IDS architecture
Figure 6. Distributed IDS architecture
is critical. TIARA has no response system for intrusions.

Threshold-Based Detection

A simplistic approach to ad hoc IDS is threshold-based detection. Bhargava and Agrawal (2001) propose an ad hoc IDS which prevents internal attacks (attacks within the network). Internal attacks are exhibited by nodes belonging to the network which behave maliciously, either by themselves or when compromised. Each node maintains a local variable called “MalCount” for every other node, which is increased for a particular node if its behavior is suspicious. Thus the MalCount array in a node tracks the level or state of suspicion that the host node has regarding the other nodes. Each node shares its local state of suspicion with respect to a particular node with other nodes in the network using a special packet REMAL. When a node receives REMAL, it increases its local MalCount for the particular node under suspicion.

The authors overlooked many aspects of ad hoc security. First, malicious knowledge sharing using REMAL will have cumulative malign effect on the network. Second, the security of the REMAL packet is unknown. Eventually, the entire network can be under threat by trusting unreliable REMAL packets. The crucial aspect of the security of the IDS is not considered in this methodology. Furthermore, routing security is not addressed.

Another interesting approach called watchdog-pathrater, which also uses threshold, is proposed by Sergio, Giuli, Kevin, and Mary (2000). Watchdog-pathrater, as the name implies, has a monitor and evaluator. Unlike Bhargava and Agrawal’s (2001) approach, Watchdog-pathrater functions independently and does not share information with other nodes. When a packet is forwarded to a neighbor node, the forwarding node listens and monitors how the node behaves upon receiving a packet. A benign node will forward faithfully, which is overheard by the monitor. However, when the node does not forward the packet, the pathrater increases the failure rate for the path. The monitor does not distinguish between maliciousness and node faultiness. Upon the failure rate reaching the threshold, the node is discarded from any path. This method is analogous to fault-tolerance in typical routing algorithms. This method effectively detects and responds to malicious packet dropping attacks (sinks). However, it fails to address attacks such as route invasion, route disruption, and so forth.

State-Based Anomaly Detection

One of the interesting approaches in conventional IDS models is state-based intrusion detection. Michael and Ghosh (2000) incorporate a state-based model in ad hoc intrusion detection. They propose two anomaly detection methodologies, which use finite-state machines (FSM). FSM have proved successful in conventional IDS because of their adaptability and dynamic learning capability of new attacks.

Anomaly detection methods proposed by Michael and Ghosh (2000) used protocol states. In the first method, the sequence and frequency of protocol states are monitored. Intrusion is affirmed when a particular sequence deviates significantly from normal behavior patterns or the frequency of states exceeds a threshold. To increase robustness, their second approach uses probabilistic state-based intrusion detection. Each occurrence of a suspicious protocol state increases the probability of the behavior being malicious.

These two approaches are well suited for transport and application layer protocols, which have many protocol states, and the protocol states are predictable. For example, attacks such as the TCP SYN flood attack can be detected using this approach. However, this is not true in the case of routing protocols. State sequence or frequency of states does not distinguish a malicious behavior from a benign one. Traditionally, FSM were used to extract semantics from user behavior through application-layer protocols. In the case of ad hoc routing protocols, semantics is not represented by protocol states, but factors such as current topology, mobility, connectivity, and so forth are.
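The watchdog-pathrater scheme described above, as an added example that is not code from the chapter or from the cited authors: a monitor counts, per neighbor, the packets it did not overhear being forwarded, and an evaluator drops nodes whose failure rate reaches a threshold. The threshold, the minimum observation count, the node names, and the forwarding traces are constructed assumptions.

```python
from dataclasses import dataclass, field

# Assumed parameters (hypothetical values, not taken from the chapter).
FAILURE_THRESHOLD = 0.5   # failure rate at which a node is discarded from any path
MIN_OBSERVATIONS = 10     # do not judge a neighbor on too few packets


@dataclass
class Watchdog:
    """Monitor: after handing a packet to a neighbor, listen for its retransmission."""
    sent: dict = field(default_factory=dict)
    missed: dict = field(default_factory=dict)

    def observe(self, neighbor, overheard_forward):
        """Record one packet given to `neighbor` and whether its forwarding was overheard."""
        self.sent[neighbor] = self.sent.get(neighbor, 0) + 1
        if not overheard_forward:
            self.missed[neighbor] = self.missed.get(neighbor, 0) + 1

    def failure_rate(self, neighbor):
        total = self.sent.get(neighbor, 0)
        return self.missed.get(neighbor, 0) / total if total else 0.0


class Pathrater:
    """Evaluator: uses only this node's own observations, no shared suspicion."""

    def __init__(self, watchdog):
        self.watchdog = watchdog

    def excluded(self):
        """Nodes whose locally observed failure rate reached the threshold."""
        return {
            node for node, count in self.watchdog.sent.items()
            if count >= MIN_OBSERVATIONS
            and self.watchdog.failure_rate(node) >= FAILURE_THRESHOLD
        }

    def choose(self, candidate_paths):
        """Pick the shortest candidate path that contains no excluded relay."""
        bad = self.excluded()
        usable = [path for path in candidate_paths if not bad.intersection(path[1:-1])]
        return min(usable, key=len) if usable else None


def run_scenario():
    """Constructed scenario: node S watches three neighbors over 20 packets each."""
    watchdog = Watchdog()
    for i in range(20):
        watchdog.observe("B", True)        # benign: forwards every packet
        watchdog.observe("M", False)       # malicious sink: forwards nothing
        watchdog.observe("F", i % 5 < 2)   # faulty, non-malicious: forwards 2 of every 5
    candidate_paths = [
        ["S", "M", "D"],
        ["S", "F", "D"],
        ["S", "B", "X", "D"],
    ]
    return watchdog, Pathrater(watchdog).choose(candidate_paths)


if __name__ == "__main__":
    wd, chosen = run_scenario()
    for node in ("B", "M", "F"):
        print(node, "failure rate:", wd.failure_rate(node))
    print("excluded:", sorted(Pathrater(wd).excluded()))
    print("chosen path:", chosen)
```

The faulty node F and the sink M receive the same verdict, since the monitor sees only missing retransmissions and not their cause.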
Paper presented at the Security and Privacy for Emerging Areas in Communications Networks, SecureComm 2005.

Balajinath, B., & Raghavan, S. V. (2001). Intrusion detection through learning behavior model. Computer Communications, 24(12), 1202-1212.

Bhargava, S., & Agrawal, D. P. (2001, Fall). Security enhancements in AODV protocol for wireless ad hoc networks. Paper presented at the IEEE 54th Vehicular Technology Conference, VTC 2001.

Brutch, P., & Ko, C. (2003). Challenges in intrusion detection for wireless ad-hoc networks. Paper presented at the Applications and the Internet Workshops, 2003.

Bykova, M., Ostermann, S., & Tjaden, B. (2001). Detecting network intrusions via a statistical analysis of network packet characteristics. In Proceedings of the 33rd Southeastern Symposium on System Theory, 2001.

Debar, H., Dacier, M., & Wespi, A. (1999). Towards a taxonomy of intrusion-detection systems. Computer Networks-the International Journal of Computer and Telecommunications Networking, 31(8), 805-822.

Duda, R. O., Hart, P. E., & Stork, D. G. (2000). Pattern classification (2nd ed.). Wiley Inter-Science Publication.

Hijazi, A., & Nasser, N. (2005). Using mobile agents for intrusion detection in wireless ad hoc networks. Paper presented at the Second IFIP International Conference on Wireless and Optical Communications Networks, WOCN 2005.

Hossain, M., Bridges, S. M., & Vaughn, R. B., Jr. (2003). Adaptive intrusion detection with data mining. Paper presented at the IEEE International Conference on Systems, Man and Cybernetics, 2003.

Huang, Y. A., & Lee, W. (2004). Attack analysis and detection for ad hoc routing protocols. Recent advances in intrusion detection, proceedings (Vol. 3224, pp. 125-145). Berlin: Springer-Verlag Berlin.

Hubaux, J.-P., Buttyan, L., & Capkun, S. (2001). The quest for security in mobile ad hoc networks. Paper presented at the 2nd ACM International Symposium on Mobile Ad hoc Networking & Computing, Long Beach, CA.

Jacoby, G. A., Marchany, R., & Davis, N. J., IV. (2004). Battery-based intrusion detection a first line of defense. Paper presented at the Information Assurance Workshop, 2004/Proceedings from the Fifth Annual IEEE SMC.

Kachirski, O., & Guha, R. (2002). Intrusion detection using mobile agents in wireless ad hoc networks. Paper presented at the IEEE Workshop on Knowledge Media Networking, 2002.

Kong, J., Hong, X., & Gerla, M. (2003). A new set of passive routing attacks in mobile ad hoc networks. Paper presented at the Military Communications Conference, MILCOM 2003. IEEE.

Lamport, L., Shostak, R., & Pease, M. (1982). The Byzantine generals problem. ACM Transactions on Programming Languages and Systems, 4(3), 382-401.

Little, M. (2005). TEALab: A testbed for ad hoc networking security research. Paper presented at the Military Communications Conference, MILCOM 2005. IEEE.

Michael, C. C., & Ghosh, A. (2000). Two state-based approaches to program-based anomaly detection. Paper presented at the 16th Annual Conference Computer Security Applications, ACSAC ’00.

Mishra, A., Nadkarni, K., & Patcha, A. (2004). Intrusion detection in wireless ad hoc networks. IEEE Wireless Communications, 11(1), 48-60.

Nadkarni, K., & Mishra, A. (2003). Intrusion detection in MANETS: The second wall of defense. Paper presented at the 29th Annual Conference of the IEEE Industrial Electronics Society, IECON 2003.

Papadimitratos, P., & Haas, Z. (2002, January 27-31). Secure routing for mobile ad hoc networks. Paper presented at the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio.

Patrick, A., Olivier, C., Jean-Marc, P., Bernard, J., Ludovic, M., & Ricardo, P. (2002). Security in ad hoc networks: A general intrusion detection architecture enhancing trust based approaches. Paper presented at the 1st International Workshop on Wireless Info. Sys., Ciudad Real, Spain.

Pokrajac, D., & Lazarevic, A. (2004). Applications of unsupervised neural networks in data mining. Paper presented at the 7th Seminar on Neural Network Applications in Electrical Engineering, NEUREL 2004.

Ramanujan, R., Ahamad, A., Bonney, J., Hagelstrom, R., & Thurber, K. (2000). Techniques for intrusion-resistant ad hoc routing algorithms (TIARA).

Sergio, M., Giuli, T. J., Kevin, L., & Mary, B. (2000). Mitigating routing misbehavior in mobile ad hoc networks.

Shimomura, T., & Markoff, J. (1996). Take down: The pursuit and capture of Kevin Mitnick, America’s most notorious cyber-criminal; by the man who did it. London: Secker & Warburg.

Verwoerd, T., & Hunt, R. (2002). Intrusion detection techniques and approaches. Computer Communications, 25(15), 1356-1365.

Yang, S., & Baras, J. S. (2003). Modeling vulnerabilities of ad hoc routing protocols. Paper presented at the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, Virginia.

Zhang, Y., Huang, Y.-A., & Lee, W. (2005). An extensible environment for evaluating secure MANET. Paper presented at the First International Conference on Security and Privacy for Emerging Areas in Communications Networks, SecureComm 2005.

Zhang, Y. G., Lee, W. K., & Huang, Y. A. (2003). Intrusion detection techniques for mobile wireless networks. Wireless Networks, 9(5), 545-556.

Key Terms

Ad Hoc Networks: Ad hoc networks are loosely organized and configured network. There are no centralized nodes, such as routers, gateways, and so forth. All network functions are done by every node and thereby every node supports the network’s functioning.

Anomaly Detection: Anomaly detection is a type of intrusion detection in which historical normal behavior of the network is used. Any deviation of a behavior from the normal will raise an alarm.

Audit Trails: Audit trails describe a network or node behavior. It contains values for a set of parameters, which is recorded in periodic intervals of time. The parameter set is called as the feature set and usually differs between different network environments, protocols, and systems.

Intrusion/Attack: Intrusion is a behavior of an external or internal node(s) with malign intent, which aims to affect other benign nodes in the network.

Intrusion Detection: Intrusion detection is the process of identifying and distinguishing malicious behavior from the normal network traffic.

Misbehavior Detection: Misbehavior detection is a complement to anomaly detection. In this type of intrusion detection, known intrusion behavior patterns are used. Any resemblance of a behavior with these patterns will result in an alarm.

Mobile Agents: Mobile agents are specialized software which move between nodes to accomplish their assigned tasks, such as data collection and so forth.
Chapter XXXIV
Security in Wireless
Sensor Networks
Luis E. Palafox
CICESE Research Center, Mexico
J. Antonio Garcia-Macias
CICESE Research Center, Mexico
Abstract
In this chapter we present the growing challenges related to security in wireless sensor networks. We
show possible attack scenarios and evidence the easiness of perpetrating several types of attacks due to
the extreme resource limitations that wireless sensor networks are subjected to. Nevertheless, we show
that security is a feasible goal in this resource-limited environment; to prove that s
survey several proposed sensor network security protocols targeted to different layers in the protocol
stack. The work surveyed in this chapter enables several protection mechanisms vs. well documented
network attacks. Finally, we summarize the work that has been done in the area and present a series of
ongoing challenges for future work.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
same processing power. Based on this idea, many researchers have started to face the challenge of maximizing processing capabilities and reducing energy consumption while protecting sensor networks from possible attacks.

Background

WSN have many more limitations than other traditional computer networks. Due to these limitations, it is unfeasible to use the traditional security approaches in these resource-constrained networks. Thus, to develop efficient security techniques, it is imperative to consider the limitations involved.

Extremely Limited Resources

Every security mechanism requires a certain amount of resources for its implementation, these resources include data memory, program memory, and energy source to power the sensor node; however, these resources are very scarce in sensor nodes.

• Memory limitations. In order to implement an efficient security mechanism, the algorithm used for such implementation must have a small footprint.
• Energy limitations. When including security mechanisms, careful attention should be paid to energy-depleting factors including the consumed energy in computation of the security functions (i.e., encrypt, decrypt, data signatures, signature verification), the consumed energy of additional security related data transmissions or overhead (i.e., initialization vectors required for encrypt/decrypt), and the energy spent in storing the security related parameters (i.e., cryptographic keys).

Highly Unreliable Communication Medium

Unreliable communication is another threat to WSN. The security relies heavily on a defined protocol, which depends on communication.

• Unreliable transfers. The packets can be corrupted or even discarded due to errors in the communication channel or to congested nodes which results in packet loss; as a consequence, application developers are forced to allocate extra resources for error handling. Most important is the fact that if a protocol does not have the appropriate mechanisms for error handling, packets including critical security information could be lost (e.g., a cryptographic key).
• Conflicts. Even if we had a reliable communication channel, the communication still could be unreliable due to the broadcast nature of sensor networks. If a collision occurs in the middle of a transfer, there would be conflicts and the transfer itself would fail. On a highly populated network this can be a big problem, as has already been pointed out (Akyildiz, Su, Sankarasubramaniam, & Cayirci, 2002).
• Latency. Multihop routing, network congestion, and in-network processing can introduce latency to the network, making synchronization difficult between nodes. Synchronization problems can be critical for network security mechanisms that rely on error reporting and cryptographic key distribution. Some real-time communications techniques could be used in WSN (Stankovic, Abdelzaher, Lu, Sha, & Hou, 2003).

Unattended Operation

On most wireless sensor network applications, nodes are left unattended for long time periods. The three main disadvantages of leaving the network unattended are:

• Exposure to physical attacks. The network can be deployed in an environment open to adversaries, in undesirable climatologic conditions, and so forth. Thus, the probability of a node suffering a physical attack is much higher than in typical computers on traditional networks, which normally are placed on a secure location and only face attacks through the network.
Security in Wireless Sensor Networks
include compromised nodes, attacks to routing protocols, and physical attacks.

Attack Scenario

To propose and develop efficient prevention and recuperation mechanisms for attacks on wireless sensor networks, it is important to know and understand the nature of the potential adversaries; these can be classified in two groups (Karlof & Wagner, 2003): mote class adversaries and laptop class adversaries. In the first case, the adversary has access to sensor nodes. In contrast, the laptop class adversary has access to more powerful devices such as personal computers, PDAs, and so forth. Thus, in this case, the devices have many advantages over legitimate nodes: a larger energy source, more powerful processors, and they could also have high-power transmitters or a highly sensitive antenna to eavesdrop on traffic.

A laptop class adversary can produce more damage than an adversary that only has access to a few sensor nodes. For instance, a sensor node can only block radio links in a small neighborhood, while an adversary with a laptop computer could block the entire sensor network with the help of a more powerful transmitter. Furthermore, a laptop class adversary could potentially eavesdrop on the traffic of the entire network, while a mote class adversary could only eavesdrop on the traffic in a very limited area.

Another commonly used adversary classification considers external and internal adversaries. Previously, we discussed external attacks, where the adversaries do not have any access to the sensor network. Conversely, internal attacks are those perpetrated by an authorized participant in the network that has turned malicious. Internal attacks can be mounted from compromised nodes that are executing malicious code or from laptop computers that have access to cryptographic materials, data, and code from authorized nodes.

Attacks to Routing Protocols

Most routing protocols for WSN are very simple; due to this simplicity, they are generally more vulnerable to attacks than their counterparts in ad hoc networks. Most attacks on network layer protocols fall into one of the following categories:

• Spoofed, altered, or replayed routing information. This attack is directed toward the routing information that is exchanged between nodes. By spoofing, altering, or replaying routing information, the adversaries could potentially create routing loops, attract or repel network traffic, lengthen or shorten routes, generate fake error messages, partition the network, increase node to node latency, and so forth.
• Selective forwarding. Multihop networks often operate assuming faithfully that messages will be received by their destination. In a selective forwarding attack, malicious nodes could prevent forwarding certain messages or even discard them; consequently, these messages would not propagate through the network. A simple form of this attack is very easy to detect because the neighbor nodes could easily infer that the route is no longer valid and use an alternate one. A more subtle form of this attack is when an adversary selectively forwards packets. Therefore, if an adversary is interested in suppressing or modifying packets that come from a certain source, the adversary could selectively forward the rest of the traffic; thus the adversary would not raise any suspicion of the attack.
• Sinkhole attacks. In a sinkhole attack, the goal of the adversary is to attract all the traffic to a certain area of the network through a compromised node, creating a sinkhole (metaphorically speaking). Due to the fact that the nodes that are located along the route have the ability to alter application data, sinkhole attacks could facilitate other types of attacks (like selective forwarding, for instance).
• Sybil attacks. In a Sybil attack (Douceur, 2002), a node presents multiple identities to the rest of the nodes. Sybil attacks are a threat to geographical routing protocols, since they require the exchange of coordinates for efficient packet routing. Ideally, we would expect that a node only sends a set of coordinates, but under a Sybil attack, an adversary could pretend to be in many places at once.
• Wormhole attacks. In a wormhole attack (Hu, Perrig, & Johnson, 2002) an adversary builds a virtual tunnel through a low latency link that takes the messages from one part of the network and forwards them to another. The simplest case of this attack is when one node is located between two other nodes that are forwarding. However, wormhole attacks commonly involve two distant nodes that collude to understate the distance between them and forward packets through an external communication channel that is only available to the adversary.
• HELLO flood attacks. Some protocols require nodes to send HELLO packets to advertise themselves to their neighbors. If a node receives such a packet, it would assume that it is inside the RF range of the node that sent that packet. However, this assumption could be false because a laptop class adversary could easily send these packets with enough power to convince all the network nodes that the adversary is their neighbor. Consequently, nodes close to the adversary may try to use the adversary as a route to the base station, while nodes further away would send packets directly to the adversary. But the transmission power of those nodes is much less than the adversary’s; thus, the packets would get lost, and that would create a state of confusion in the sensor network.
• Acknowledgement spoofing. Some routing algorithms require the use of acknowledgement signals (ACK). In this case, an adversary could spoof this signal in response to the packets that the adversary listens to. This results in convincing the transmitting node that a weak link is strong. Thus, an adversary could perform a selective forwarding attack after spoofing ACK signals to the node that the adversary intends to attack.

Attacks to Data Aggregation Techniques

Data aggregation in wireless sensor networks can significantly reduce communication overhead compared to all the nodes sending their data to the base station. However, data aggregation complicates network security even more. This is due to the fact that every intermediate node could potentially modify, forge, or discard messages. Therefore, a single compromised node could be able to alter the final aggregation value. Intruder node and compromised node attacks are two major threats to security in sensor networks that use data aggregation techniques.

Physical Attacks

Sensor networks often operate in hostile environments. In those environments, the size of the nodes plus the unattended operation mode contributes to make them very vulnerable to physical attacks (i.e., node destruction) (Wang, Gu, Schosek, Chellappan, & Xuan, 2005c). In contrast to other types of attacks, physical attacks destroy the nodes permanently; thus, their loss is irreversible. For instance, an adversary could extract cryptographic keys, alter the node’s circuitry, and reprogram it or replace it with malicious nodes (Wang, Gu, Chellappan, Xuan, & Lai, 2005b). Previous work shows that a Berkeley MICA2 mote (one of the most commonly used in the research community) can be compromised in less than a minute. Even though these results are not surprising, because MICA2 motes do not have any physical protection mechanism, they give us a good idea of what a well-trained adversary can do.

Defense Countermeasures

In this section we will present some security mechanisms that have been proposed in the literature and that help in meeting the security requirements discussed earlier. For this purpose, we will begin by discussing the key establishment process in WSN, which is the base for security in this type of network. We will follow that with a
Table 1. A summary of the analysis for cipher performance (Law et al., 2004), classified by key setup and by encryption mode
is that, computationally speaking, it is very heavy for the sensor nodes. However, there has been work that shows that implementation is viable if a proper selection of algorithms is made (Gaubatz, Kaps, & Sunar 2004; Gura, Patel, Wander, Eberle, & Shantz, 2004; Malan, Welsh, & Smith, 2004; Watro, Kong, Fen Cuti, Gardiner, Lynn, & Kruus, 2004).

For these reasons, symmetric encryption is the more widely selected technique for applications that cannot handle the computational complexity of asymmetric encryption. Symmetric techniques use a single key that is shared by the two communicating parties. This key is used for data encryption and decryption. The traditional example of symmetric encryption is the DES (data encryption standard) algorithm. However, the use of DES has decreased significantly because it can be easily broken. Currently, other algorithms such as 3DES (triple DES), RC5, AES, and others are used (Schneier, 1996).

An analysis of several cipher algorithms (Law, Doumen, & Hartel, 2004) is summarized in Table 1, where two classifications are made: one by key setup and the other by encryption mode. In both classifications the algorithms were optimized for code size and speed, and aspects such as speed, code size, and required data memory were evaluated.

A great challenge for symmetric encryption is the problem of key management. The problem resides in the fact that both parties need to know the key prior to starting secure communication. Thus, the problem can be summarized as follows: how can we assure that only the two communicating parties know the key and no one else does? Distributing secret keys is not an easy problem to solve because preinstalling the key in the sensor node is not always an option.

Key Establishment Protocols

There are several random key predistribution techniques that have been proposed. Eschenauer and Gligor (2002) propose a scheme based on probabilistic key sharing among sensor nodes. This scheme operates first by distributing a key chain to all participant nodes before their deployment. Each key chain consists of a set of keys that has been randomly selected from a larger offline-generated key set. To use the random key predistribution technique it is not necessary that each pair of nodes share a key. However, every pair of nodes that does share a key may use that key to establish a direct secure connection between them. Eschenauer and Gligor (2002) show that under this scheme it is highly probable that sensor nodes can operate with shared keys.

The LEAP protocol (Zhu, Setia, & Jajodia, 2003) adopts the approach of using multiple techniques for key establishment. Here, the authors make the observation that no single mechanism by itself provides security for every type of connection in wireless networks. Thus, in this work they present four different types of keys that are used depending on the communication type to be established.

In PIKE (Chan & Perrig, 2005), the authors describe a mechanism for establishing a key between two nodes based on the trust that both nodes have toward a third node in the same network. The shared keys of each node are propagated throughout the network in such a way that for every node A and B a node C exists that shares a key with A and B. Thus, the key establishment protocol between A and B can be securely routed through C.

Perrig et al. (2002) propose a key distribution scheme for secure broadcast authentication named μTESLA. The main idea of μTESLA is to achieve asymmetric cryptography through the delayed disclosure of symmetric keys.

It is important to point out that the most significant advances in the integration of public key cryptography to WSN (which will be discussed next) have been made recently. This makes random key predistribution a less interesting topic.

Public Key Cryptography

Two of the more commonly used public key cryptography algorithms are RSA and ECC (Schneier, 1996). Traditionally, it was thought that these techniques were way too complex for applying them to WSN. However, successful implementations of public key cryptographic systems in WSN have been published recently.

Gura et al. (2004) report that it is possible to implement RSA and ECC in 8-bit microprocessors, demonstrating a performance advantage of ECC over RSA. Another advantage is that the 160-bit key in ECC generates shorter messages during transmission compared to the 1024-bit key of RSA. Particularly, this work demonstrates that the dot product operations used in ECC execute faster than the operations in RSA.

Watro et al. (2004) show that certain parts of the RSA cipher can be implemented on current sensor network platforms, particularly in the MICA2 Berkeley motes (Hill, Szewczyk, Woo, Hollar, Culler, & Pister, 2000). They implemented the public key operations in the sensor nodes while the private ones were performed in more powerful devices. In this case they used a laptop computer.

Malan et al. (2004) propose a scheme based on ECC and show an implementation of the Diffie-Hellman algorithm based on the elliptic curve discrete logarithm problem. While key generation is by no means fast (around 34 seconds for generating the pair of keys and another 34 seconds for generating the secret key), this probably would suffice for applications that do not require frequent key renewal.

countermeasures mechanisms are required. One approach to defend against the classic channel jamming attack is to identify the part of the network that is jammed and route traffic around that area. Wood and Stankovic (2002) describe a two-phase approach where nodes along the perimeter of the jammed area report their status to their neighbors, who then collaboratively define the jammed region and simply route around it.

To protect against jamming at the MAC layer, nodes could use an admission control mechanism that limits their transmission rate. This would allow the network to ignore the requests designed to exhaust the node’s energy source. However, this is not an optimal solution because the network must be able to handle large volumes of traffic.

Protection against malicious nodes that intentionally misroute traffic can be achieved at the cost of redundancy. In this case, a node can send the message through multiple routes, thus increasing the probability that the message will arrive at its final destination simply because the message does not rely on a single route to get there.
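Returning to the random key predistribution scheme of Eschenauer and Gligor (2002) described under Key Establishment Protocols: the sketch below is an added example, not code from the chapter or from the scheme's authors. It draws key rings from an offline pool, runs shared-key discovery by key id, compares the simulated fraction of node pairs sharing a key with the closed-form probability, and measures how many honest links a few captured rings expose; the pool size, ring size, node count and all function names are assumptions chosen for illustration.

```python
import itertools
import math
import random


def share_probability(pool_size: int, ring_size: int) -> float:
    """P(two independently drawn key rings have at least one key in common)."""
    if not 0 < ring_size <= pool_size:
        raise ValueError("need 0 < ring_size <= pool_size")
    # Rings are disjoint only if the second ring avoids every key of the first.
    disjoint = math.comb(pool_size - ring_size, ring_size) / math.comb(pool_size, ring_size)
    return 1.0 - disjoint


def pool_exposure(pool_size: int, ring_size: int, captured: int) -> float:
    """Expected fraction of the pool known to an adversary holding `captured` rings."""
    return 1.0 - (1.0 - ring_size / pool_size) ** captured


def generate_pool(pool_size: int, rng: random.Random) -> dict:
    """Offline phase: key id -> 128-bit key. A deployment would use a CSPRNG;
    a seeded generator is used here only so the run is reproducible."""
    return {kid: rng.getrandbits(128).to_bytes(16, "big") for kid in range(pool_size)}


def assign_ring(pool: dict, ring_size: int, rng: random.Random) -> dict:
    """Pre-deployment phase: load a node with keys drawn without replacement."""
    return {kid: pool[kid] for kid in rng.sample(range(len(pool)), ring_size)}


def discover_shared_key(ring_a: dict, ring_b: dict):
    """Shared-key discovery: neighbours compare key ids only, never key bytes.
    Returns (key_id, key) for the lowest common id, or None if the rings are disjoint."""
    common = ring_a.keys() & ring_b.keys()
    if not common:
        return None
    kid = min(common)
    return kid, ring_a[kid]


def simulate(pool_size: int, ring_size: int, nodes: int, captured: int = 0, seed: int = 1):
    """Returns (fraction of honest node pairs that share a key,
                fraction of those links whose key also sits in a captured ring)."""
    rng = random.Random(seed)
    pool = generate_pool(pool_size, rng)
    rings = [assign_ring(pool, ring_size, rng) for _ in range(nodes)]
    leaked_ids = set()
    for ring in rings[:captured]:          # the first `captured` nodes are compromised
        leaked_ids.update(ring)
    pairs = links = exposed = 0
    for a, b in itertools.combinations(range(captured, nodes), 2):
        pairs += 1
        found = discover_shared_key(rings[a], rings[b])
        if found is not None:
            links += 1
            exposed += found[0] in leaked_ids
    return links / pairs, (exposed / links if links else 0.0)


if __name__ == "__main__":
    P, K = 1000, 30                        # constructed parameters
    print("analytic  P(share):", round(share_probability(P, K), 3))
    print("simulated P(share), exposed links:", simulate(P, K, nodes=200, captured=5))
    print("expected pool exposure, 5 captures:", round(pool_exposure(P, K, 5), 3))
```

The second number returned by `simulate` is the design trade-off: a larger ring raises connectivity, but every captured node then reveals a larger share of the pool and of other nodes' link keys.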
be authenticated by either the destination or by the source (for returning messages).

How to Protect from Traffic Analysis Attacks

There are some strategies to protect from traffic analysis attacks. Deng, Han, and Mishra (2004) propose a technique based on a random walk through the network. This technique also sends packets randomly to nodes different from the parent node in the routing tree. The main goal of this technique is to make it harder for a potential adversary to infer the route from a given node to the base station and also to protect against a possible rate monitoring attack, but it would not protect against a time correlation attack. To protect against a time correlation attack, they propose a fractal strategy. With this technique a node would generate a fake packet (with certain probability) while one of its neighbors is sending a packet to the base station. The fake packet would be sent to another neighbor that consequently may send another fake packet, thus deceiving the potential adversary. These fake packets would use the time-to-live (TTL) parameter to decide for how long they would be circulating throughout the network.

Defending Against Sensor Node Privacy Attacks

To protect against privacy attacks, several proposals have been made that reduce the effects of those attacks; we will discuss some of those proposals in this section (Gruteser, Schelle, Jain, Han, & Grunwald, 2003).

Some researchers have proposed certain techniques that make use of anonymity mechanisms. For instance, Gruteser and Grunwald (2003a) analyze the feasibility of anonymizing location information for location-based services in an automotive telematic environment. Beresford and Stajano (2003) evaluate anonymity techniques for an indoor location-based system based on the Active Bat.

Producing total anonymity is a difficult problem given the lack of knowledge about the location of the node concerned. Therefore, for the privacy problem, there is a tradeoff between the required anonymity level and the need for public information. Three approaches have been proposed to address this problem (Gruteser & Grunwald, 2003b; Gruteser et al., 2003; Priyantha, Chakraborty, & Balakrishnan, 2000; Smailagic & Kogan, 2002):

• Decentralize sensitive data. The main idea in this approach is to distribute the sensed location data through a spanning tree. By doing so, no single node will contain the original data.
• Secure the communication channel. By using secure communication protocols such as SPINS (Perrig et al., 2002), eavesdropping and active attacks can be prevented.
• Node mobility. Making the nodes move can be an effective defense mechanism against privacy attacks, particularly due to the fact that location information would be changing constantly. For instance, the Cricket system (Priyantha et al., 2000) is a system with location support for mobile objects inside buildings.
telematics domain, Duri, Gruteser, Liu, Moskowitz, Perez, Singh et al. (2002) propose a policy-based framework to protect data from the sensors, where an on-board computer can act as a trusted agent. Snekkenes (2001) presents advanced concepts for policy specification on cell phone networks. These concepts allow access control based on criteria such as request time, location, object speed, and identity. Myles, Friday and Davies (2003) describe an architecture for a centralized server that controls the access of client applications through the use of validation modules that verify the XML-formatted application policies. Hengartner and Steenkiste (2003) point out that access control policies must be governed by room or user policies. The room policies specify who is authorized to find out about the people currently in the room, while user policies state who is permitted to access location information about another user.

Langheinrich (2005) proposed a framework called PawS (privacy awareness system). This framework is based on privacy policy advertisements through special packets called privacy beacons. Those policies are maintained with privacy proxies, which keep databases that store those policies.

Information Flooding

Ozturk, Zhang, Trappe, and Ott (2004) propose antitraffic analysis mechanisms to prevent an external adversary from obtaining the location of a data source. Random data routing and phantom traffic are used to hide real traffic, so that it is difficult for an adversary to track the data source through traffic analysis. Ozturk et al. have developed comparable methods that rely on flooding-based routing protocols.

Some similar mechanisms can be used to prevent an adversary from tracking the base station through traffic analysis (Gura et al., 2004). A key problem with these techniques is that they involve an energy cost in order to provide information anonymity.

Protecting from Physical Attacks

Physical attacks, as we pointed out earlier, represent an important threat to sensor networks because of their unattended operation mode and their extremely limited resources. Nodes may be equipped with tamper-proof physical protection. For instance, an alternative to this is tamper-proof packaging (Wood & Stankovic, 2002). Related research work focuses on the design of hardware that makes its memory content inaccessible to adversaries. Another alternative is to use special software and hardware to detect physical tampering.

As the hardware costs decrease, integrating tamper-proof hardware would be a feasible solution for sensor network applications. However, the research community has agreed by consensus that the trend should be making cheaper sensor nodes without adding extra functionalities; thus, integrating physical protection is not a solution that would be commonly accepted in the near future. One possible approach for protecting against physical attacks is self-destruction. The main idea behind this approach is that whenever a node detects a possible attack it self-destructs. This is particularly feasible on networks where there are redundant nodes and when the cost per node is low. Obviously, the key to this approach is detecting a possible attack. One possible solution is to statically verify the status of their neighbors, but in mobile networks this still is an open problem.

Regarding the deployment of security components outside the nodes, several proposals have been made (Bulusu & Jha, 2005). Sastry, Shankar, and Wagner (2003) introduce the concept of secure location verification and propose a secure localization scheme called ECHO that assures node location legitimacy. In this scheme, the security relies on the physical properties of sound and RF. The adversary cannot claim to have a shorter distance by starting the ultrasound response early because it will not have the nonce.

Hu and Evans (2004) use directional antennas to defend against wormhole attacks. In the work presented by Wang et al. (2005b) the authors study the modeling and defense of sensor networks against search-based physical attacks. They define a physical attack-based model, where an adversary walks the network using signal detecting equipment to locate active nodes and destroy them. In prior work, the authors identified and modeled blind physical attacks (Wang, Gu, Chellappan, Schosek, & Xuan, 2005a). The defense algorithm is executed by individual nodes in two phases: in the first phase, the nodes detect the attacker and notify other nodes; in the second phase, the nodes receive the notification and change their state to safe mode.

Seshadri, Perrig, Van Doorn, and Khosla (2004) introduce a mechanism called SWATT to verify and detect when memory content is altered. This mechanism can be used as a defense against a physical attack that modifies code in the nodes.

Secure Data Aggregation

As sensor networks increase in size, the amount of data that they collectively sense also increases. However, due to the computational limitations of each node, a small sensor is only responsible for a very small portion of the entire data. Due to this, a network search would probably return a large amount of raw data, most of which would not be of interest to the user.

For this reason, raw data preprocessing is recommended to produce more meaningful results to the user. This is typically done by a series of aggregators. An aggregator is responsible for collecting raw data from a subset of nodes and processing that raw data into more usable data.

However, aggregation techniques are particularly vulnerable to attacks because a single aggregator node is responsible for processing the data from multiple nodes. Due to this fact, secure data aggregation techniques are required by sensor networks that consider the possibility of one or more malicious nodes.

Overview

If an aggregator node is compromised, then all the transmitted data in the network to the base station may be forged. To detect this, Ye, Luo, Lu, and Zhang (2005) define a mechanism based on statistical filters. This uses multiple MAC codes across the entire route from the aggregator node to the base station. Any packet that does not pass verification would be discarded.

Wagner (2004) analyzes the resiliency of aggregation techniques, and argues that current aggregation techniques were proposed without security in mind, and thus are vulnerable to attacks. A mathematical framework is proposed to formally evaluate security for aggregation. This theory allows quantifying the robustness of an aggregation operation against a malicious attack. By using the framework, it is argued that the aggregation functionalities that can be securely computed under the presence of k compromised nodes are exactly the functions that are (k, K)-resilient for some K that is not too large. This work opened the door for secure data aggregation in sensor networks. However, the presented level of aggregation model is fairly simple compared to real sensor network implementations. Extending this technique to multilevel aggregation scenarios with heterogeneous devices is an interesting challenge.

Secure Data Aggregation Techniques

As we pointed out earlier, data aggregation has been studied in reasonable depth. The problem with classical data aggregation techniques is that they all assume trusted nodes. Of course, in practice this may not be the case, and for this reason, secure data aggregation techniques are required.

Przydatek, Song, and Perrig (2003) describe a secure information aggregation (SIA). They point out that aggregation techniques and sensor networks are vulnerable to a variety of attacks including denial-of-service attacks. However, this work focuses on protecting against a specific type of attack called stealthy attack. The goal of SIA is to ensure that if a user accepts the result of an aggregation as correct, then there is a high probability that the value is close to the true aggregation value. In case the aggregated value has been tampered with, the user must reject the forged value with a high probability.

Hu and Evans (2003) propose a secure aggregation technique that uses the μTESLA protocol to provide security. In this case, the nodes organize into a hierarchy tree where intermediate nodes play the aggregator role. Recall that μTESLA achieves asymmetry through delayed disclosure of symmetric keys. Because of this, a child cannot verify the data authenticity immediately because the key used to generate the MAC code has not been disclosed.
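The delayed key disclosure that the chapter attributes to μTESLA, both for Perrig et al. (2002) and for the Hu and Evans (2003) aggregation scheme, is sketched below as an added example; it is not code from the chapter or from the SPINS authors. It uses the one-way key chain construction of the SPINS paper, while SHA-256/HMAC, integer time intervals, the two-interval disclosure delay, the constructed messages and all class and function names are assumptions of this sketch.

```python
import hashlib
import hmac
import os

DISCLOSURE_DELAY = 2  # assumption: K_i is published two intervals after it is used


def h(key: bytes) -> bytes:
    """One-way function linking the chain: K_{i-1} = h(K_i)."""
    return hashlib.sha256(key).digest()


def tag_for(chain_key: bytes, message: bytes) -> bytes:
    """MAC under a key derived from the chain key, so the chain key itself never MACs data."""
    mac_key = hmac.new(chain_key, b"mac-key", hashlib.sha256).digest()
    return hmac.new(mac_key, message, hashlib.sha256).digest()


class Sender:
    def __init__(self, intervals: int, seed: bytes = b""):
        chain = [seed or os.urandom(32)]            # K_n is chosen first
        for _ in range(intervals):
            chain.append(h(chain[-1]))              # K_{n-1}, ..., K_0
        self.chain = chain[::-1]                    # chain[i] == K_i
        self.commitment = self.chain[0]             # K_0, given to receivers at bootstrap

    def send(self, interval: int, message: bytes):
        return interval, message, tag_for(self.chain[interval], message)

    def disclose(self, now: int):
        """(i, K_i) for the key that becomes public at interval `now`, if any."""
        i = now - DISCLOSURE_DELAY
        return (i, self.chain[i]) if 1 <= i < len(self.chain) else None


class Receiver:
    def __init__(self, commitment: bytes):
        self.index, self.key = 0, commitment        # newest authenticated chain key
        self.pending, self.accepted = [], []

    def on_packet(self, now: int, packet) -> bool:
        """Buffer a packet only while its key is still secret (the security condition)."""
        if now >= packet[0] + DISCLOSURE_DELAY:
            return False                            # key may be public: anyone could forge this
        self.pending.append(packet)
        return True

    def on_disclosure(self, index: int, key: bytes) -> bool:
        """Authenticate a disclosed key against the chain, then check buffered MACs."""
        if index <= self.index:
            return False
        probe = key
        for _ in range(index - self.index):
            probe = h(probe)
        if not hmac.compare_digest(probe, self.key):
            return False                            # not on the sender's chain
        self.index, self.key = index, key
        waiting = []
        for interval, message, tag in self.pending:
            if interval > index:
                waiting.append((interval, message, tag))
                continue
            k = key                                 # recover K_interval even if its own
            for _ in range(index - interval):       # disclosure was lost in transit
                k = h(k)
            if hmac.compare_digest(tag_for(k, message), tag):
                self.accepted.append((interval, message))
        self.pending = waiting
        return True


def run_demo() -> dict:
    """Constructed exchange: two genuine packets, one forgery, one lost disclosure."""
    sender = Sender(8, seed=b"constructed demo seed")
    rx = Receiver(sender.commitment)
    rx.on_packet(1, sender.send(1, b"temp=21"))
    rx.on_packet(1, (1, b"temp=99", b"\x00" * 32))  # forged: K_1 is still secret
    rx.on_packet(2, sender.send(2, b"temp=22"))
    # The disclosure of K_1 (interval 3) is lost; K_2 arrives at interval 4.
    k2_ok = rx.on_disclosure(*sender.disclose(4))
    # Once K_1 is public, a valid MAC for interval 1 proves nothing, so it is refused.
    late = rx.on_packet(4, (1, b"temp=0", tag_for(sender.chain[1], b"temp=0")))
    bogus = rx.on_disclosure(3, os.urandom(32))     # random key, not on the chain
    return {"accepted": rx.accepted, "k2_ok": k2_ok, "late_buffered": late, "bogus_key": bogus}


if __name__ == "__main__":
    print(run_demo())
```

The receiver cannot accept anything at arrival time, which is the verification delay noted above for a child in the aggregation tree; buffering until disclosure is also what costs memory on a constrained node.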
However, this technique does not guarantee that the data being reported by the nodes and the aggregator are correct. To address this problem, the base station is responsible for distributing temporary keys to the network as well as the μTESLA key used for validating the MAC. By using this key, the nodes can verify their children’s MAC codes.

We can note that secure data aggregation techniques play an important role in adopting WSN technology due to the large amount of raw data and the localized in-network processing required in these networks. Research efforts in this area have been limited; thus, much more investigation is needed in this particular topic.

Conclusion

Certainly, incorporating efficient security mechanisms to WSN is a huge challenge, mainly because of the differences they have compared to traditional networks. Their resource constraints, their large scale deployments, along with their operating environments, represent great obstacles to achieving security. Nevertheless, efficient mechanisms have been proposed to deal with a great variety of attacks to which WSN presumably are subjected. These security techniques confront specific attacks that operate across different layers of the protocol stack. Attacks like signal jamming (physical layer), induced collisions (MAC sublayer), packet redirection (routing layer), and many others have been addressed through many security mechanisms, many of which we described in this chapter.

However, most of the security techniques rely heavily on a key distribution protocol and assume that secret keys have already been placed on the distributed nodes. However, as we showed in this chapter, efficient key distribution in WSN is no easy task. In fact, most of the research efforts in WSN security are directed to proposing efficient key distribution techniques; in this chapter we discussed research work in the area of WSN key distribution. As of now, we still believe that there is much room for improvement in efficient key distribution in wireless sensor networks. As more efficient key distribution mechanisms continue to appear, more efficient application-specific security techniques will also emerge.

But overall, perhaps the biggest challenge of all is proving that the proposed security techniques work well in real-world sensor network applications. Currently, there is a huge gap between real-world WSN development and WSN security research. Thus, we consider that integrating the proposed security techniques to real-world applications is a challenge that should be faced in the near future, as opposed to proposing new techniques that most of the time do not go beyond lab implementations.

References

Akyildiz, I., Su, W., Sankarasubramaniam, Y., & Cayirci, E. (2002). A survey on sensor networks. IEEE Communications Magazine, 40(8), 102-114.

Anderson, R. J., & Kuhn, M. G. (1996, November). Tamper resistance: A cautionary note. Paper presented at the Second USENIX Workshop on Electronic Commerce, Oakland, CA.

Anderson, R. J., & Kuhn, M. G. (1997). Low cost attacks on tamper resistant devices. In B. Christianson, B. Crispo, T. M. A. Lomas, & M. Roe (Eds.), Security Protocols Workshop (LNCS 1361, pp. 125-136). Springer.

Beresford, A., & Stajano, F. (2003). Location privacy in pervasive computing. IEEE Pervasive Computing, 2(1), 46-55.

Bulusu, N., & Jha, S. (2005). Wireless sensor networks: a system perspective. Artech House.

Carman, D. W., Kruus, P. S., & Matt, B. J. (2000). Constraints and approaches for distributed sensor network security (Tech. Rep. No. 00-010). NAI Labs, The Security Research Division.

Chan, H., & Perrig, A. (2005, March). PIKE: Peer intermediaries for key establishment in sensor networks. Paper presented at IEEE INFOCOM, Miami.
Chan, H., Perrig, A., & Song, D.X. (2003, May). Random key predistribution schemes for sensor networks. Paper presented at the IEEE Symposium on Security and Privacy, Oakland, CA.

Deng, J., Han, R., & Mishra, S. (2002). INSENS: Intrusion-tolerant routing in wireless sensor networks (Tech. Rep. No. CU-CS-939-02). University of Colorado, Department of Computer Science.

Deng, J., Han, R., & Mishra, S. (2004). Countermeasures against traffic analysis in wireless sensor networks (Tech. Rep. No. CU-CS-987-04). University of Colorado, Department of Computer Science.

Diffie, W., & Hellman, M. E. (1976). New directions in cryptography. IEEE Transactions on Information Theory, 22(6), 644-654.

Douceur, J. R. (2002). The sybil attack. In P. Druschel, M. F. Kaashoek, & A. I. T. Rowstron (Eds.), IPTPS (LNCS 2429, pp. 251-260). Springer.

Du, W., Deng, J., Han, Y.S., & Varshney, P. K. (2003). A pairwise key pre-distribution scheme for wireless sensor networks. In Jajodia (pp. 42-51).

Duri, S., Gruteser, M., Liu, X., Moskowitz, P., Perez, R., Singh, M., et al. (2002). Framework for security and privacy in automotive telematics. In Proceedings of the 2nd International Workshop on Mobile Commerce (WMC ’02), New York, (pp. 25-32). ACM Press.

Eschenauer, L., & Gligor, V. D. (2002). A key-management scheme for distributed sensor networks. In V. Atluri (Ed.), ACM Conference on Computer and Communications Security (pp. 41-47).

Estrin, D., Govindan, R., Heidemann, J. S., & Kumar, S. (1999). Next century challenges: Scalable coordination in sensor networks. In Proceedings of the MOBICOM (pp. 263-270).

Gaubatz, G., Kaps, J.-P., & Sunar, B. (2004). Public key cryptography in sensor networks: Revisited. In C. Castelluccia, H. Hartenstein, C. Paar, & D. Westhoff (Eds.), ESAS (LNCS 3313, pp. 2-18). Springer.

Gruteser, M., & Grunwald, D. (2003a). Anonymous usage of location-based services through spatial and temporal cloaking. In Proceedings of the USENIX MobiSys.

Gruteser, M., Schelle, G., Jain, A., Han, R., & Grunwald, D. (2003). Privacy-aware location sensor networks. In M. B. Jones (Ed.), USENIX HotOS (pp. 163-168).

Gura, N., Patel, A., Wander, A., Eberle, H., & Shantz, S. C. (2004). Comparing elliptic curve cryptography and RSA on 8-bit CPUs. In M. Joye & J.-J. Quisquater (Eds.), CHES (LNCS 3156, pp. 119-132). Springer.

Hartung, C., Balasalle, J., & Han, R. (2005). Node compromise in sensor networks: The need for secure systems (Tech. Rep. No. CU-CS-990-05). University of Colorado, Department of Computer Science.

Hengartner, U., & Steenkiste, P. (2003). Protecting access to people location information. In Hutter (pp. 25-38).

Hill, J., Szewczyk, R., Woo, A., Hollar, S., Culler, D. E., & Pister, K. S. J. (2000). System architecture directions for networked sensors. In Proceedings of the 9th International Conference on Architectural Support for Programming Languages and Operating Systems (pp. 93-104).

Hu, L., & Evans, D. (2003). Secure aggregation for wireless network. Paper presented at the SAINT Workshops IEEE Computer Society (pp. 384-394).

Hu, L., & Evans, D. (2004). Using directional antennas to prevent wormhole attacks. Paper presented at the NDSS. The Internet Society.

Hu, Y.-C., Perrig, A., & Johnson, D. B. (2002). Wormhole detection in wireless ad hoc networks (Tech. Rep. No. TR01-384). Rice University, Department of Computer Science.

Karlof, C., & Wagner, D. (2003). Secure routing in wireless sensor networks: Attacks and countermeasures. Ad Hoc Networks, 1(2-3), 293-315.
Karp, B., & Kung, H. T. (2000). GPSR: Greedy perimeter stateless routing for wireless networks. Paper presented at the MOBICOM (pp. 243-254).
Langheinrich, M. (2005). Personal privacy in ubiquitous computing: Tools and system support. Unpublished doctoral dissertation, Swiss Federal Institute of Technology Zurich.
Law, Y. W., Doumen, J., & Hartel, P. (2004). Survey and benchmark of block ciphers for wireless sensor networks (Tech. Rep. No. TR-CTIT-04-07). Mathematics and Computer Science University of Twente, Faculty of Electrical Engineering, The Netherlands.
Madden, S., Franklin, M. J., Hellerstein, J. M., & Hong, W. (2002). TAG: A tiny aggregation service for ad-hoc sensor networks. SIGOPS Oper. Syst. Rev., 36(SI), 131-146.
Malan, D. J., Welsh, M., & Smith, M. D. (2004). A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography. Paper presented at the SECON (pp. 71-80).
Molnar, D., & Wagner, D. (2004). Privacy and security in library RFID: Issues, practices, and architectures. In V. Atluri, B. Pfitzmann, & P. D. McDaniel (Eds.), ACM Conference on Computer and Communications Security (pp. 210-219).
Myles, G., Friday, A., & Davies, N. (2003). Preserving privacy in environments with location-based applications. IEEE Pervasive Computing, 2(1), 56-64.
Ozturk, C., Zhang, Y., Trappe, W., & Ott, M. (2004). Source-location privacy for networks of energy-constrained sensors. Paper presented at the WSTFEUS (pp. 68-81). IEEE Computer Society.
Papadimitratos, P., & Haas, Z. (2002). Secure routing for mobile ad hoc networks. In Proceedings of SCS Communication Networks and Distributed System Modeling and Simulation Conference, CNDS ’04.
Perrig, A., Stankovic, J. A., & Wagner, D. (2004). Security in wireless sensor networks. Communications of the ACM, 47(6), 53-57.
Perrig, A., Szewczyk, R., Tygar, J. D., Wen, V., & Culler, D. E. (2002). SPINS: Security protocols for sensor networks. Wireless Networks, 8(5), 521-534.
Pietro, R. D., Mancini, L. V., Law, Y. W., Etalle, S., & Havinga, P. J. M. (2003). LKHW: A directed diffusion-based secure multicast scheme for wireless sensor networks. Paper presented at the ICPP Workshops. IEEE Computer Society.
Priyantha, N. B., Chakraborty, A., & Balakrishnan, H. (2000). The Cricket location support system. Paper presented at the MOBICOM (pp. 32-43).
Przydatek, B., Song, D. X., & Perrig, A. (2003). SIA: Secure information aggregation in sensor networks. In I. F. Akyildiz, D. Estrin, D. E. Culler, & M. B. Srivastava (Eds.), SenSys. ACM (pp. 255-265).
Sastry, N., Shankar, U., & Wagner, D. (2003). Secure verification of location claims. In Proceedings of the 2003 ACM Workshop on Wireless Security, WiSe ’03, New York, (pp. 1-10). ACM Press.
Schneier, B. (1996). Applied cryptography: Protocols, algorithms, and source code in C (2nd ed.). John Wiley.
Seshadri, A., Perrig, A., Van Doorn, L., & Khosla, P. K. (2004). SWATT: Software-based attestation for embedded devices. Paper presented at the IEEE Symposium on Security and Privacy. IEEE Computer Society.
Shrivastava, N., Buragohain, C., Agrawal, D., & Suri, S. (2004). Medians and beyond: New aggregation techniques for sensor networks. In Proceedings of the 2nd International Conference on Embedded Networked Sensor Systems, SenSys ’04, New York, (pp. 239-249). ACM Press.
Smailagic, A., & Kogan, D. (2002). Location privacy in pervasive computing. IEEE Wireless Communications, 9(5), 10-17.
Snekkenes, E. (2001). Concepts for personal location privacy policies. Paper presented at the ACM Conference on Electronic Commerce (pp. 48-57).
Stankovic, J. A., Abdelzaher, T. F., Lu, C., Sha, L., & Hou, J. C. (2003). Real-time communication and coordination in embedded sensor networks. Proceedings of the IEEE, 91(7), 1002-1022.
Tanachaiwiwat, S., Dave, P., Bhindwale, R., & Helmy, A. (2003). Secure locations: Routing on trust and isolating compromised sensors in location-aware sensor networks. In Proceedings of the 1st International Conference on Embedded Networked Sensor Systems, SenSys ’03, New York, (pp. 324-325). ACM Press.
Wagner, D. (2004). Resilient aggregation in sensor networks. In Proceedings of the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, SASN ’04, New York, (pp. 78-87). ACM Press.
Wang, X., Gu, W., Chellappan, S., Schosek, K., & Xuan, D. (2005a). Lifetime optimization of sensor networks under physical attacks. Paper presented at the IEEE International Conference on Communications, ICC ’05 (Vol. 5, pp. 3295-3301).
Wang, X., Gu, W., Chellappan, S., Xuan, D., & Lai, T. H. (2005b). Sacrificial node-assisted defense against search-based physical attacks in sensor networks (Tech. Rep.). Ohio State University, Department of Computer Science and Engineering.
Wang, X., Gu, W., Schosek, K., Chellappan, S., & Xuan, D. (2005c). Sensor network configuration under physical attacks. In X. Lu & W. Zhao (Eds.), ICCNMC (LNCS 3619, pp. 23-32). Springer.
Watro, R. J., Kong, D., Fen Cuti, S., Gardiner, C., Lynn, C., & Kruus, P. (2004). TinyPK: Securing sensor networks with public key technology. In Setia & Swarup (pp. 59-64).
Wood, A. D., & Stankovic, J. A. (2002). Denial of service in sensor networks. IEEE Computer, 35(10), 54-62.
Ye, F., Luo, H., Lu, S., & Zhang, L. (2005). Statistical en-route filtering of injected false data in sensor networks. IEEE Journal on Selected Areas in Communications, 23(4), 839-850.
Zhu, S., Setia, S., & Jajodia, S. (2003). LEAP: Efficient security mechanisms for large-scale distributed sensor networks. In Jajodia (pp. 62-72).

KEY TERMS

Compromised Node: A node on which an attacker has gained control after network deployment. Generally compromise occurs once an attacker has found a node, and then directly connects the node to their computer via a wired connection of some sort. Once connected the attacker controls the node by extracting the data and/or putting new data or controls on that node.

Data Aggregation: Process of reducing large amounts of sensor generated data to smaller and more representative data sets that synthesize the state of the phenomena that the network is monitoring.

Data Freshness: Implies that the sensed data are recent, and it ensures that no adversary replayed old messages.

Insider Attacks: These types of attacks are those launched by adversaries that have access to one or more compromised nodes in a network. Insider attacks are the most challenging ones because the adversary has access to the network’s cryptographic materials (i.e., keys, ciphers, and data).

Key Distribution: Process of efficiently distributing cryptographic keys to the nodes that belong to a network. These keys could either be pairwise keys (for two party communications), group keys (for cluster-wide communication), or network keys (for secure broadcast communication).

Mote: A wireless receiver/transmitter that is typically combined with a sensor of some type to create a remote sensor. Some motes are designed to be incredibly small so that they can be deployed by the hundreds or even thousands for various applications.

Node Authentication: Process of ensuring that a given node and its data are legit.
Outsider Attacks: Attacks perpetrated by adversaries that do not have direct access to any of the authorized nodes in the network. However, the adversary may have access to the physical medium, particularly if we are dealing with wireless networks. Therefore, attacks such as replay messages and eavesdropping fall into this classification. However, coping with this attack is fairly easy by using traditional security techniques such as encryption and digital signatures.
Chapter XXXV
Security and Privacy in Wireless
Sensor Networks:
Challenges and Solutions
Mohamed Hamdi
University of November 7th at Carthage, Tunisia
Noreddine Boudriga
University of November 7th at Carthage, Tunisia
ABSTRACT
The applications of wireless sensor networks (WSNs) are continuously expanding. Recently, consistent
research and development activities have been associated to this field. Security ra
issues that should be discussed when deploying a WSN. This is basically due to the fact that WSNs are,
by nature, mission-critical. Their applications mainly include battlefield control, em
(when a natural disaster occurs), and healthcare. This chapter reviews recent research results in the
field of WSN security.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
• Sensor nodes have limited storage, computation, and power resources. For this reason, security mechanisms should be adapted to the WSN capabilities.
• The network does not have a static infrastructure. WSN architectures can be only timely defined. This renders the application of existing robust cryptographic mechanisms (e.g., public key infrastructure [PKI], digital signature) more difficult than in customary networks.
• The sensing and communication tasks are often performed in a hostile environment where the gathered events are subjected to numerous threats that might affect the final decision.
• The detected events are forwarded through the sensor nodes themselves, preventing the application of strong communication security mechanisms.

This chapter surveys recent research activities in the area of WSN security. More accurately, the following aspects will be discussed:

1. Wireless sensor networks: This section addresses several WSN basic issues to highlight the related scientific challenges. Components, architecture, topology, routing, mobile target tracking, and alert management will be, among others, discussed.
2. WSN security objectives: Traditional security goals (i.e., confidentiality, authenticity, integrity, and availability) should be extended to fit the requirements of WSNs. Several particular concepts are introduced at this level. For instance, confidentiality, authenticity, and integrity, which have been customarily associated to data and node identity, should be extended to cover node location. This poses several new security challenges in the WSN context.
3. Attacks against WSNs: This section describes the most important attack techniques concerning WSNs. Attacks are classified according to the basic security properties they violate. A taxonomy of these attacks will also be proposed. This taxonomy is based on three major attack activities: (1) attacks on transmitted information, (2) attacks on architecture, structure, protocols, and (3) attacks on the localization framework.
4. Countermeasures: Potential security solutions that allow countering the aforementioned threats will be proposed. They will be classified according to the level at which they act (e.g., link level, routing, and application). Countermeasures will be also categorized into preventive and reactive solutions. For example, robust localization (resp. fault-tolerance) schemes belong to the first (resp. second) category.
5. Building security policies for WSNs: Several key security processes, such as monitoring and incident response, cannot be directly applied in the WSN field. They should therefore be heavily adapted in order to support WSN specific constraints.

WIRELESS SENSOR NETWORKS

Due to advances in wireless communications and electronics over the last few years, the development of networks of low-cost, low-power, multifunctional sensors has received increasing attention. These sensors are small in size and able to sense, process data, and communicate with each other, typically over a radio frequency (RF) channel. A sensor network is designed to detect events or phenomena, collect and process data, and transmit sensed information to interested users. Basic features of sensor networks are:

• Self-organizing capabilities
• Short-range broadcast communication and multihop routing
• Dense deployment and cooperative effort of sensor nodes
• Frequently changing topology due to fading and node failures
• Limitations in energy, transmit power, memory, and computing power
These characteristics, particularly the last three, make sensor networks different from other wireless ad hoc or mesh networks. Clearly, the idea of mesh networking is not new; it has been suggested for some time for wireless Internet access or voice communication. Similarly, small computers and sensors are not innovative per se. However, combining small sensors, low-power computers, and radios makes for a new technological platform that has numerous important uses and applications.

Wireless sensor networks are interesting from an engineering perspective, because they present a number of serious challenges that cannot be adequately addressed by existing technologies:

• Extended lifetime: As mentioned above, WSN nodes will generally be severely energy constrained due to the limitations of batteries. A typical alkaline battery, for example, provides about 50 watt-hours of energy; this may translate to less than a month of continuous operation for each node in full active mode. Given the expense and potential infeasibility of monitoring and replacing batteries for a large network, much longer lifetimes are desired. In practice, it will be necessary in many applications to provide guarantees that a network of unattended wireless sensors can remain operational without any replacements for several years.
• Responsiveness: A simple solution to extending network lifetime is to operate the nodes in a duty-cycled manner with periodic switching between sleep and wake-up modes. While synchronization of such sleep schedules is challenging in itself, a larger concern is that arbitrarily long sleep periods can reduce the responsiveness and effectiveness of the sensors. In applications where it is critical that certain events in the environment be detected and reported rapidly, the latency induced by sleep schedules must be kept within strict bounds, even in the presence of network congestion.
• Robustness: The vision of wireless sensor networks is to provide large scale, yet fine-grained coverage. This motivates the use of large numbers of inexpensive devices. However, inexpensive devices can often be unreliable and prone to failures. Rates of device failure will also be high whenever the sensor devices are deployed in harsh or hostile environments. Protocol designs must therefore have built-in mechanisms to provide robustness. It is important to ensure that the global performance of the system is not sensitive to individual device failures. Further, it is often desirable that the performance of the system degrade as gracefully as possible with respect to component failure.
• Synergy: Moore’s law-type advances in technology have ensured that device capabilities in terms of processing power, memory, storage, radio transceiver performance, and even accuracy of sensing improve rapidly (given a fixed cost). However, if economic considerations dictate that the cost per node be reduced drastically from hundreds of dollars to less than a few cents, it is possible that the capabilities of individual nodes will remain constrained to some extent. The challenge is therefore to design synergistic protocols, which ensure that the system as a whole is more capable than the sum of the capabilities of its individual components. The protocols must provide an efficient collaborative use of storage, computation, and communication resources.
• Scalability: For many envisioned applications, the combination of fine granularity sensing and large coverage area implies that wireless sensor networks have the potential to be extremely large scale (tens of thousands, perhaps even millions of nodes in the long term). Protocols will have to be inherently distributed, involving localized communication, and sensor networks must utilize hierarchical architectures in order to provide such scalability. However, visions of large numbers of nodes will remain unrealized in practice until some fundamental problems, such as failure handling and in-situ reprogramming, are addressed even in small settings involving tens to hundreds of nodes.
There are also some fundamental limits on the throughput and capacity that impact the scalability of network performance.
• Heterogeneity: There will be a heterogeneity of device capabilities (with respect to computation, communication, and sensing) in realistic settings. This heterogeneity can have a number of important design consequences. For instance, the presence of a small number of devices of higher computational capability along with a large number of low-capability devices can dictate a two-tier, cluster-based network architecture, and the presence of multiple sensing modalities requires pertinent sensor fusion techniques. A key challenge is often to determine the right combination of heterogeneous device capabilities for a given application.
• Self-configuration: Because of their scale and the nature of their applications, wireless sensor networks are inherently unattended distributed systems. Autonomous operation of the network is therefore a key design challenge. From the very start, nodes in a wireless sensor network have to be able to configure their own network topology: localize, synchronize, and calibrate themselves, coordinate inter-node communication, and determine other important operating parameters.
• Privacy and security: The large scale, prevalence, and sensitivity of the information collected by wireless sensor networks (as well as their potential deployment in hostile locations) give rise to the final key challenge of ensuring both privacy and security.

WSN SECURITY OBJECTIVES

WSN Security Challenges

WSNs are characterized by many constraints compared to traditional communication networks. Due to these particular constraints, the application of existing network security approaches does not allow to fulfill the required security properties. Hence, appropriate security needs and techniques should be defined for WSN environments while borrowing concepts from the currently used security mechanisms. In the following, we highlight the most relevant, from security point of view, WSN intrinsic features.

Resource Limitations

Security mechanisms and processes necessarily require a certain amount of processing, power, storage, and memory resources. However, sensor nodes are often resource-impoverished. In the following, we detail the basic resource limitations characterizing WSNs.

• Processing limitations: A custom processor for sensor nodes should essentially have a low-power sleep mode, allowing reducing energy consumption, and a low-overhead wakeup mechanism, preventing the occurrence of network congestion due to signalling messages. Ekanayake (2004) shows that the processing speed offered by most of the available microcontrollers ranges between 4 and 400 MIPS. Even though this is a performance to implement the communication functions, it turns out to be not sufficient to support advanced security mechanisms, especially when a heavy traffic is exchanged across the WSN. For instance, it has been shown by Blaß (2005) that a traditional Diffie-Hellman key exchange operation would last 48.04 seconds on the AmtelMega processor. As a result, novel security algorithms should be considered to keep up with the sensor node processing limitations.
• Limited memory and storage space: A sensor is a tiny device with only a small amount of memory and storage space for the code. In order to build an effective security mechanism, it is necessary to limit the code size of the security algorithm. For example, one common sensor type (TelosB) has a 16-bit, 8 MHz RISC CPU with only 10K RAM, 48K program memory, and 1024K flash storage. With such a limitation, the software
built for the sensor must also be quite small. The total code space of TinyOS, the de-facto standard operating system for wireless sensors, is approximately 4 K (Hill 2000), and the core scheduler occupies only 178 bytes. Therefore, the code size for all the security-related code must also be reduced.
• Power limitation: Energy is the biggest constraint to wireless sensor capabilities. We assume that once sensor nodes are deployed in a sensor network, they cannot be easily replaced (high operating cost) or recharged (high cost of sensors). Therefore, the battery charge taken with them to the field must be conserved to extend the life of the individual sensor node and the entire sensor network. When implementing a cryptographic function or protocol within a sensor node, the energy impact of the added security code must be considered. When adding security to a sensor node, we are interested in the impact that security has on the lifespan of a sensor (i.e., its battery life). The extra power consumed by sensor nodes due to security is related to the processing required for security functions (e.g., encryption, decryption, signing data, and verifying signatures), the energy required to transmit the security related data or overhead (e.g., initialization vectors needed for encryption/decryption), and the energy required to store security parameters in a secure manner (e.g., cryptographic key storage).

Data Loss

Certainly, unreliable communication is another threat to sensor security. The security of the network relies heavily on a defined protocol, which in turn depends on communication.

• Unreliable transfer: Normally the packet-based routing of the sensor network is connectionless and thus inherently unreliable. Packets may get damaged due to channel errors or dropped at highly congested nodes. The result is lost or missing packets. Furthermore, the unreliable wireless communication channel also results in damaged packets. A higher channel error rate also forces the software developer to devote resources to error handling. More importantly, if the protocol lacks the appropriate error handling it is possible to lose critical security packets. This may include, for example, a cryptographic key.
• Collisions: WSNs impose strict requirements on a medium access protocol. This is basically due to the ad hoc architecture characterizing WSNs as well as the long network lifetime needs. Moreover, as data are broadcasted over the radio link, packets may collide resulting in decreasing of the channel throughput. Depending on the medium access and transport layer protocols, the information loss can reach a certain degree such that the analysis center becomes no longer able to identify the events corresponding to the gathered data.
• Latency: Multihop routing, network congestion, and node processing can lead to greater latency in the network, thus making it difficult to achieve synchronization among sensor nodes. The synchronization issues can be critical to sensor security where the security mechanism relies on critical event reports and cryptographic key distribution. Interested readers may refer to Stankovic (2003) on real-time communications in wireless sensor networks.

Uncontrollable Behavior

Depending on the function of the particular sensor network, the sensor nodes may be left unattended for long periods of time. There are three main caveats to unattended sensor nodes:

• Exposure to physical attacks: The sensor may be deployed in an environment open to adversaries, bad weather, and so on. The likelihood that a sensor suffers a physical attack in such an environment is therefore much higher than for a typical PC, which is located in a secure place and mainly faces attacks from a network.
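
The Data Loss constraints above (a lost packet may carry a cryptographic key, and latency limits how tightly nodes can be synchronized) are the conditions that the delayed key disclosure of μTESLA (Perrig et al., 2002), covered under Authentication in this chapter, has to work within. The following is an added example, not code from the chapter or from the SPINS authors: HMAC-SHA-256 stands in for the MAC, and the class names, interval length, disclosure delay, clock-skew bound and sample readings are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

def F(key: bytes) -> bytes:
    """One-way function linking the chain: K_i = F(K_{i+1})."""
    return hashlib.sha256(b"chain" + key).digest()

def mac_key(key: bytes) -> bytes:
    """MAC key derived from the chain key, so the chain key never keys a MAC directly."""
    return hashlib.sha256(b"mac" + key).digest()

def tag(key: bytes, msg: bytes) -> bytes:
    return hmac.new(mac_key(key), msg, hashlib.sha256).digest()

def make_chain(n: int, seed: Optional[bytes] = None) -> list:
    """Return [K_0 .. K_n]. K_n is random; K_0 is the commitment given to receivers."""
    chain = [seed or os.urandom(32)]
    for _ in range(n):
        chain.append(F(chain[-1]))
    return chain[::-1]

class Sender:
    def __init__(self, chain, t0, interval, delay):
        self.chain, self.t0, self.interval, self.delay = chain, t0, interval, delay

    def interval_at(self, now):
        return 1 + int((now - self.t0) // self.interval)

    def send(self, now, msg):
        i = self.interval_at(now)
        return {"i": i, "msg": msg, "tag": tag(self.chain[i], msg)}

    def disclose(self, now):
        """Key of the interval that ended `delay` intervals ago (None if too early)."""
        j = self.interval_at(now) - self.delay
        return (j, self.chain[j]) if j >= 1 else None

class Receiver:
    MAX_GAP = 64  # cap on hashing work per disclosed key, so bogus indexes cannot drain the node

    def __init__(self, commitment, t0, interval, delay, max_skew):
        self.t0, self.interval, self.delay, self.max_skew = t0, interval, delay, max_skew
        self.known_i, self.known_key = 0, commitment
        self.keys, self.buffer, self.accepted = {}, [], []

    def on_packet(self, local_now, pkt):
        # Security condition: even if the sender's clock runs max_skew ahead of ours,
        # it must not yet have reached the interval in which this packet's key is disclosed.
        latest = 1 + int((local_now + self.max_skew - self.t0) // self.interval)
        if latest >= pkt["i"] + self.delay:
            return False  # key may already be public, so the tag proves nothing
        self.buffer.append(pkt)
        return True

    def on_key(self, j, key):
        if not (self.known_i < j <= self.known_i + self.MAX_GAP):
            return False
        # Walk the disclosed key back to the last authenticated key; this also
        # recovers the keys of any intervals whose disclosure packet was lost.
        recovered, k = {j: key}, key
        for idx in range(j - 1, self.known_i, -1):
            k = F(k)
            recovered[idx] = k
        if not hmac.compare_digest(F(k), self.known_key):
            return False
        self.known_i, self.known_key = j, key
        self.keys.update(recovered)
        pending = []
        for pkt in self.buffer:
            ck = self.keys.get(pkt["i"])
            if ck is None:
                pending.append(pkt)  # key not disclosed yet, keep buffering
            elif hmac.compare_digest(tag(ck, pkt["msg"]), pkt["tag"]):
                self.accepted.append(pkt["msg"])
        self.buffer = pending
        return True

def demo():
    chain = make_chain(10, seed=b"\x01" * 32)  # constructed fixed seed for repeatability
    s = Sender(chain, t0=0.0, interval=1.0, delay=2)
    r = Receiver(chain[0], t0=0.0, interval=1.0, delay=2, max_skew=0.1)
    buffered = [r.on_packet(0.3, s.send(0.2, b"temp=21")),
                r.on_packet(1.3, s.send(1.2, b"temp=22"))]
    s.disclose(2.1)                      # K_1 is sent but lost on the radio link
    key_ok = r.on_key(*s.disclose(3.1))  # K_2 arrives; K_1 is recovered as F(K_2)
    # Once K_2 is public, anyone can compute a valid tag for interval 2.
    forged = {"i": 2, "msg": b"temp=99", "tag": tag(chain[2], b"temp=99")}
    late = r.on_packet(3.2, forged)
    bogus = r.on_key(3, os.urandom(32))
    return {"buffered": buffered, "key_ok": key_ok, "accepted": r.accepted,
            "late_forgery_buffered": late, "bogus_key_ok": bogus}

if __name__ == "__main__":
    print(demo())
```

The receiver authenticates both readings even though the first key disclosure never arrived, while the correctly tagged packet that shows up after disclosure and the unchained key are both refused.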
reference point. However, to ensure location consistency, an attacking node would also have to prove that its distance from another reference point is shorter. Since it cannot do this, a node manipulating the localization protocol can be found. For large sensor networks, the secure positioning for sensor networks (SPINE) algorithm is used. It is a three phase algorithm based upon verifiable multilateration.

Lazos (2005) describes secure range-independent localization (SeRLoc). Its novelty is its decentralized, range-independent nature. SeRLoc uses locators that transmit beacon information. It is assumed that the locators are trusted and cannot be compromised. Furthermore, each locator is assumed to know its own location. A sensor computes its location by listening for the beacon information sent by each locator. The beacons include the locator’s location. Using all of the beacons that a sensor node detects, a node computes an approximate location based on the coordinates of the locators. Using a majority vote scheme, the sensor then computes an overlapping antenna region. The final computed location is the centroid of the overlapping antenna region. All beacons transmitted by the locators are encrypted with a shared global symmetric key that is preloaded to the sensor prior to deployment. Each sensor also shares a unique symmetric key with each locator. This key is also preloaded on each sensor.

Authentication

An adversary is not just limited to modifying the data packet. It can change the whole packet stream by injecting additional packets. So the receiver needs to ensure that the data used in any decision-making process originate from the correct source. On the other hand, when constructing the sensor network, authentication is necessary for many administrative tasks (e.g., network reprogramming or controlling sensor node duty cycle). From the above, we can see that message authentication is important for many applications in sensor networks. Informally, data authentication allows a receiver to verify that the data really are sent by the claimed sender. In the case of two-party communication, data authentication can be achieved through a purely symmetric mechanism: the sender and the receiver share a secret key to compute the message authentication code (MAC) of all communicated data.

Adrian Perrig et al. (2002) propose a key-chain distribution system for their μTESLA secure broadcast protocol. The basic idea of the μTESLA system is to achieve asymmetric cryptography by delaying the disclosure of the symmetric keys. In this case a sender will broadcast a message generated with a secret key. After a certain period of time, the sender will disclose the secret key. The receiver is responsible for buffering the packet until the secret key has been disclosed. After disclosure the receiver can authenticate the packet, provided that the packet was received before the key was disclosed. One limitation of μTESLA is that some initial information must be unicast to each sensor node before authentication of broadcast messages can begin. Liu and Ning (2003, 2004) propose an enhancement to the μTESLA system that uses broadcasting of the key chain commitments rather than μTESLA’s unicasting technique. They present a series of schemes starting with a simple predetermination of key chains and finally settling on a multilevel key chain technique. The multilevel key chain scheme uses predetermination and broadcasting to achieve a scalable key distribution technique that is designed to be resistant to denial-of-service (DoS) attacks, including jamming.

ATTACKS AGAINST WSNS

Sensor networks are particularly vulnerable to several key types of attacks. Attacks can be performed in a variety of ways, most notably as denial-of-service attacks, but also through traffic analysis, privacy violation, physical attacks, and so on. Denial-of-service attacks on wireless sensor networks can range from simply jamming the sensor’s communication channel to more sophisticated attacks designed to violate the 802.11 MAC protocol (Perrig 2004) or any other layer of the wireless sensor network.

Due to the potential asymmetry in power and computational constraints, guarding against a well
orchestrated denial-of-service attack on a wireless sensor network can be nearly impossible. A more powerful node can easily jam a sensor node and effectively prevent the sensor network from performing its intended duty. We note that attacks on wireless sensor networks are not limited to simply denial-of-service attacks, but rather encompass a variety of techniques including node takeovers, attacks on the routing protocols, and attacks on a node’s physical security. In this section, we first address some common denial-of-service attacks and then describe additional attacks, including those on the routing protocols as well as an identity based attack known as the Sybil attack.

Denial-of-Service Attacks

A standard attack on wireless sensor networks is simply to jam a node or set of nodes. Jamming, in this case, is simply the transmission of a radio signal that interferes with the radio frequencies being used by the sensor network (Wood 2002). The jamming of a network can come in two forms: constant jamming and intermittent jamming. Constant jamming involves the complete jamming of the entire network. No messages are able to be sent or received. If the jamming is only intermittent, then nodes are able to exchange messages periodically, but not consistently. This too can have a detrimental impact on the sensor network as the messages being exchanged between nodes may be time sensitive. Attacks can also be made on the link layer itself. One possibility is that an attacker may simply intentionally violate the communication protocol, for example, ZigBee or IEEE 802.11b (Wi-Fi) protocol, and continually transmit messages in an attempt to generate collisions. Such collisions would require the retransmission of any packet affected by the collision. Using this technique it would be possible for an attacker to simply deplete a sensor node’s power supply by forcing too many retransmissions. At the routing layer, a node may take advantage of a multihop network by simply refusing to route messages. This could be done intermittently or constantly with the net result being that any neighbor who to exchange messages with, at least, part of the network. The transport layer is also susceptible to attack, as in the case of flooding. Flooding can be as simple as sending many connection requests to a susceptible node. In this case, resources must be allocated to handle the connection request. Eventually, a node’s resources will be exhausted, thus rendering the node useless.

Traffic Analysis Attacks

Wireless sensor networks are typically composed of many low-power sensors communicating with a few relatively robust and powerful base stations. It is not unusual, therefore, for data to be gathered by the individual nodes where they are ultimately routed to the base station. Often, for an adversary to effectively render the network useless, the attacker can simply disable the base station. To make matters worse, Deng et al. (2005) demonstrate two attacks that can identify the base station in a network (with high probability) without even understanding the contents of the packets (if the packets are themselves encrypted).

A rate monitoring attack simply makes use of the idea that nodes closest to the base station tend to forward more packets than those farther away from the base station. An attacker needs only to monitor which nodes are sending packets and follow those nodes that are sending the most packets. In a time correlation attack, an adversary simply generates events and monitors to whom a node sends its packets. To generate an event, the adversary could simply generate a physical event that would be monitored by the sensor(s) in the area (turning on a light, for instance).

Wormhole Attacks

In a wormhole attack, an attacker receives packets at one point in the network, “tunnels” them to another point in the network, and then replays them into the network from that point. For tunnelled distances longer than the normal wireless transmission range of a single hop, it is simple for the attacker to make the tunneled packet arrive
routes through the malicious node will be unable with better metric than a normal multihop route,
for example, through use of a single long-range directional wireless link or through a direct wired link to a colluding attacker. It is also possible for the attacker to forward each bit over the wormhole directly, without waiting for an entire packet to be received before beginning to tunnel the bits of the packet, in order to minimize delay introduced by the wormhole. Due to the nature of wireless transmission, the attacker can create a wormhole even for packets not addressed to it, since it can overhear them in wireless transmission and tunnel them to the colluding attacker at the opposite end of the wormhole. If the attacker performs this tunneling honestly and reliably, no harm is done; the attacker actually provides a useful service in connecting the network more efficiently. However, the wormhole puts the attacker in a very powerful position relative to other nodes in the network, and the attacker could exploit this position in a variety of ways. The attack can also still be performed even if the network communication provides confidentiality and authenticity, and even if the attacker has no cryptographic keys. Furthermore, the attacker is invisible at higher layers; unlike a malicious node in a routing protocol, which can often easily be named, the presence of the wormhole and the two colluding attackers at either endpoint of the wormhole are not visible in the route. The wormhole attack is particularly dangerous against many ad hoc network routing protocols in which the nodes that hear a packet transmission directly from some node consider themselves to be in range of (and, thus a neighbor of) that node.

Attacks against Privacy
Sensor network technology promises a vast increase in automatic data collection capabilities through efficient deployment of tiny sensor devices. While these technologies offer great benefits to users, they also exhibit significant potential for abuse. Particularly relevant concerns are privacy problems, since sensor networks provide increased data collection capabilities (Gruteser 2003). Adversaries can use even seemingly innocuous data to derive sensitive information if they know how to correlate multiple sensor inputs. For example, in the famous “panda-hunter problem” (Ozturk 2004), the hunter can imply the position of pandas by monitoring the traffic. The main privacy problem, however, is not that sensor networks enable the collection of information. In fact, much information from sensor networks could probably be collected through direct site surveillance. Rather, sensor networks aggravate the privacy problem because they make large volumes of information easily available through remote access. Hence, adversaries need not be physically present to maintain surveillance. They can gather information in a low-risk, anonymous manner. Remote access also allows a single adversary to monitor multiple sites simultaneously (Chan 2003). Some of the more common attacks (Chan 2003; Gruteser 2003) against sensor privacy are:
• Monitor and eavesdropping: This is the most obvious attack to privacy. By listening to the data, the adversary could easily discover the communication contents. When the traffic conveys the control information about the sensor network configuration, which contains potentially more detailed information than accessible through the location server, the eavesdropping can act effectively against the privacy protection.
• Traffic analysis: Traffic analysis typically combines with monitoring and eavesdropping. An increase in the number of transmitted packets between certain nodes could signal that a specific sensor has registered activity. Through the analysis on the traffic, some sensors with special roles or activities can be effectively identified.
• Camouflage: Adversaries can insert their node or compromise the nodes to hide in the sensor network. After that these nodes can masquerade as a normal node to attract the packets, then misroute the packets, for example, forward the packets to the nodes conducting the privacy analysis.

Physical Attacks
Sensor networks typically operate in hostile outdoor environments. In such environments, the small form factor of the sensors, coupled with the unattended and distributed nature of their deployment, make them highly susceptible to physical attacks, that is, threats due to physical node destructions (Wang 2004).
Unlike many other attacks mentioned above, physical attacks destroy sensors permanently, so the losses are irreversible. For instance, attackers can extract cryptographic secrets, tamper with the associated circuitry, modify programming in the sensors, or replace them with malicious sensors under the control of the attacker (Wang 2004). Recent work has shown that standard sensor nodes, such as the MICA2 motes, can be compromised in less than one minute (Hartung 2004). While these results are not surprising given that the MICA2 lacks tamper resistant hardware protection, they provide a cautionary note about the speed of a well-trained attacker. If an adversary compromises a sensor node, then the code inside the physical node may be modified.

Countermeasures
Now we are in a position to describe the measures for satisfying security requirements and protecting the sensor network from attacks. We start with key establishment in wireless sensor networks, which lays the foundation for the security in a wireless sensor network, followed by defending against DoS attacks, secure broadcasting and multicasting, defending against attacks on routing protocols, combating traffic analysis attacks, defending against attacks on sensor privacy, intrusion detection, secure data aggregation, defending against physical attacks, and trust management.

Key Management Fundamentals
Key management issues in wireless networks are not unique to wireless sensor networks. Indeed, key establishment and management issues have been studied in depth outside of the wireless networking arena. Traditionally, key establishment is done using one of many public-key protocols. One of the more common is the Diffie-Hellman public key protocol, but there are many others. Most of the traditional techniques, however, are unsuitable in low power devices such as wireless sensor networks. This is due largely to the fact that typical key exchange techniques use asymmetric cryptography, also called public key cryptography. In this case, it is necessary to maintain two mathematically related keys, one of which is made public while the other is kept private. This allows data to be encrypted with the public key and decrypted only with the private key. The problem with asymmetric cryptography, in a wireless sensor network, is that it is typically too computationally intensive for the individual nodes in a sensor network. This is true in the general case, however, Gaubatz (2004), Gura (2004), Malan (2004), and Watro (2004) show that it is feasible with the right selection of algorithms.
Symmetric cryptography is therefore the typical choice for applications that cannot afford the computational complexity of asymmetric cryptography. Symmetric schemes utilize a single shared key known only between the two communicating hosts. This shared key is used for both encrypting and decrypting data. The traditional example of symmetric cryptography is data encryption standard (DES). The use of DES, however, is quite limited due to the fact that it can be broken relatively easily. In light of the shortcomings of DES, other symmetric cryptography systems have been proposed including triple DES (3DES), RC5, AES, and so on.
One major shortcoming of symmetric cryptography is the key exchange problem. Simply put, the key exchange problem derives from the fact that two communicating hosts must somehow know the shared key before they can communicate securely. So the problem that arises is how to ensure that the shared key is indeed shared between the two hosts who wish to communicate and no other rogue hosts who may wish to eavesdrop. How to distribute a shared key securely to communicating hosts is a nontrivial problem since predistributing the keys is not always feasible.

Key Establishment
One security aspect that receives a great deal of attention in wireless sensor networks is the area
of key management. Wireless sensor networks are unique (among other embedded wireless networks) in this aspect due to their size, mobility, and computational/power constraints. Indeed, researchers envision wireless sensor networks to be orders of magnitude larger than their traditional embedded counterparts. This, coupled with the operational constraints described previously, makes secure key management an absolute necessity in most wireless sensor network designs. Because encryption and key management/establishment are so crucial to the defense of a wireless sensor network, with nearly all aspects of wireless sensor network defenses relying on solid encryption, we first begin with an overview of the unique key and encryption issues surrounding wireless sensor networks before discussing more specific sensor network defenses.

WSN Key Management Protocols
Random key predistribution schemes have several variants. Eschenauer and Gligor (2002) propose a key predistribution scheme that relies on probabilistic key sharing among nodes within the sensor network. Their system works by distributing a key ring to each participating node in the sensor network before deployment. Each key ring should consist of a number of randomly chosen keys from a much larger pool of keys generated offline. An enhancement to this technique utilizing multiple keys is described by Chan (2003). Further enhancements are proposed by Deng (2005) and Liu (2005) with additional analysis and enhancements provided by Hwang (2004). Using this technique, it is not necessary that each pair of nodes share a key. However, any two nodes that do share a key may use the shared key to establish a direct link to one another. Eschenauer and Gligor show that, while not perfect, it is probabilistically likely that large sensor networks will enjoy shared-key connectivity. Further, they demonstrate that such a technique can be extended to key revocation, rekeying, and the addition/deletion of nodes. The LEAP protocol described by Zhu et al. (2003) takes an approach that utilizes multiple keying mechanisms. Their observation is that no single security requirement accurately suits all types of communication in a wireless sensor network. Therefore, four different keys are used depending on whom the sensor node is communicating with. Sensors are preloaded with an initial key from which further keys can be established. As a security precaution, the initial key can be deleted after its use in order to ensure that a compromised sensor cannot add additional compromised nodes to the network.
In PIKE (Chan 2005), Chan and Perrig describe a mechanism for establishing a key between two sensor nodes that is based on the common trust of a third node somewhere within the sensor network. The nodes and their shared keys are spread over the network such that for any two nodes A and B, there is a node C that shares a key with both A and B. Therefore, the key establishment protocol between A and B can be securely routed through C.
Huang et al. (2003) propose a hybrid key establishment scheme that makes use of the difference in computational and energy constraints between a sensor node and the base station. They posit that an individual sensor node possesses far less computational power and energy than a base station.
In light of this, they propose placing the major cryptographic burden on the base station where the resources tend to be greater. On the sensor side, symmetric-key operations are used in place of their asymmetric alternatives. The sensor and the base station authenticate based on elliptic curve cryptography. Elliptic curve cryptography is often used in sensors due to the fact that relatively small key lengths are required to achieve a given level of security.
Huang et al. also use certificates to establish the legitimacy of a public key. The certificates are based on an elliptic curve implicit certificate scheme (Huang et al., 2003). Such certificates are useful to ensure both that the key belongs to a device and that the device is a legitimate member of the sensor network.
Each node obtains a certificate before joining the network using an out-of-band interface.

WSN and Public Key Cryptography
Two of the major techniques used to implement public-key cryptosystems are RSA and elliptic curve cryptography (ECC). Traditionally, these
casting strategy. In the simple node broadcasting strategy each sensor propagates an authenticated broadcast message throughout the entire sensor network. Any node that receives a conflicting or duplicated claim revokes the conflicting nodes. This strategy will work, but the communication cost is far too expensive. In order to reduce the communication cost, a deterministic multicast could be employed where nodes would share their locations with a set of witness nodes. In this case, witnesses are computed based on a node’s ID. In the event that a node has been replicated on the network, two conflicting locations will be forwarded to the same witness who can then revoke the offending nodes. But since a witness is based on a node’s ID, it can easily be computed by an attacker who can then compromise the witness nodes. Thus, securely utilizing a deterministic multicast strategy would require too many witnesses and the communication cost would be too high.

Future Trends
Research on WSN security is still in infancy. Many key issues have not been sufficiently detailed or have even remained unexplored. In the near future, advanced security features may be built into the sensor nodes available in the market. While their prospects look shiny, these security functionalities have surprisingly received little attention from the research community. In the following, we describe the most interesting (in our sense) WSN-related research aspects.
1. Building security policies for WSNs: Due to their ad hoc topology, WSNs cannot conform to traditional rigid security policies. WSN-oriented security policies should be flexible enough to support the continuously modified network constituency and structure. The WSN architecture should therefore be flexible in their support of security policies, providing sufficient mechanisms for supporting the wide variety of real-world security policies. Appropriate formalisms to build, model, validate, verify, and test such architectures should be evolved.
2. Developing scalable security mechanisms: A common practice is to use exaggerated tools of information security, which decrease efficiency and system availability and introduce redundancy. Another effect of exaggeration of the security mechanisms is increasing the system complexity, which later influences implementation of a given project in practice, especially increasing expenses and decreasing efficiency. The solution of this inconsistency seems to be the introduction of scalable security model, which can change the security level depending on particular conditions of a given case. In this chapter a mechanism, which can modify the level of information security for each phase of a protocol, is presented. Parameters, which influence modification of the security level, are the risk of successful attack, probability of successful attack, and some measures of independence (leading to completeness) of security elements. The used security elements, which take care of the protection of information, are based mainly on PKI services and cryptographic modules.
3. Securing hybrid broadband wireless sensor networks (HBWSNs): High-speed WSNs begin to be widely used in different applications. Securing the corresponding flows encompasses the development of novel concepts that do not rely on thorough inspection of the transmitted packets but rather on the control of a set of relevant samples that are representative with respect to the total flow.
4. Defining secure correlation functions: Two novel aspects are being investigated in the field of WSN security: blind correlation and recursive signature. The first consists in correlating encrypted events without revealing their content in order to optimize the use of networking and processing resources. The second is applicable when, within a transmission chain, a set of nodes recursively sign the event. This is a particularly challenging problem in the WSN context because the intermediary nodes are resource-impoverished.
Journal, Special Issue on Sensor Network Applications and Protocols, 1(2-3), 293-315.
Lazos, L. P., & R. (2005). SERLOC: Robust localization for wireless sensor networks. ACM Transactions on Sensor Networks, 1(1), 73-100.
Liu, D. N., & P. (2003). Efficient distribution of key chain commitments for broadcast authentication. Paper presented at the 10th Annual Network and Distributed System Security Symposium, San Diego.
Liu, D. N., & P. (2004). Multilevel µTesla: Broadcast authentication for distributed sensor networks. Transactions on Embedded Computing Systems, 3(4), 800-836.
Liu, D. N., P., & Li, R. (2005). Establishing pairwise keys in distributed sensor networks. ACM Transactions on Information Systems Security, 8(1), 41-47.
Malan, D. J. W., M., & Smith, M. D. (2004). A public-key infrastructure for key distribution in TinyOS based on elliptic-curve cryptography. Paper presented at the 1st Annual IEEE Communications Society Conference on Sensor and Ad Hoc Communications and Networks, Santa Clara, CA.
Ozturk, C. Z., Y., & Trappe, W. (2004). Source-location privacy in energy-constrained sensor network routing. Paper presented at the 2nd ACM Workshop on Security of Ad Hoc and Sensor Networks, New York.
Parno, B. P., A., & Gligor, V. (2005). Distributed detection of node replication attacks in sensor networks. Paper presented at the IEEE Symposium on Security and Privacy, Oakland, CA.
Perrig, A. S., R. Tygar, J. D., Wen, V., & Culler, D. E. (2002). SPINS: Security protocols for sensor networks. Wireless Networking, 8(5), 521-534.
Perrig, A. S., J., & Wagner, D. (2004). Security in wireless sensor networks. Communications ACM, 47(6), 53-57.
Stankovic, J. A. (2003). Real-time communication and coordination in embedded sensor networks. Proceedings of the IEEE, 91(7).
Wang, X. G., W. Schosek, K., Chellappan, S., & Xuan, D. (2004). Sensor network configuration under physical attacks. D. o. C. S. a. engineering. Ohio-State University. Retrieved October 9, 2007, from www.springerlink.com/index/E5T6KWNKMABWR672.pdf
Watro, R. K., D. Cuti, S., Gardiner, C., Lynn, C., & Kruus, P. (2004). TinyPK: Securing sensor networks with public key technology. Paper presented at the 2nd ACM Workshop on Security of Ad hoc and Sensor Networks, New York. ACM Press.
Wood, A. D. S., & J. A. (2002). Denial of service in sensor networks. Computer, 35(10), 54-62.
Zhu, S. S., S., & Jajodia, S. (2003). LEAP: Efficient security mechanisms for large-scale distributed sensor networks. Paper presented at the 10th ACM Conference on Computer and Communications Security, New York. ACM Press.

Key Terms
Camouflage: Adversaries can insert their node or compromise the nodes to hide in the sensor network. After that these nodes can masquerade as a normal node to attract the packets, then misroute the packets.
Denial-of-Service Attack: An attack aiming at disrupting the acquisition of information within a geographical zone or preventing the communication of alert and signalling messages between sensor nodes.
Key Management: Process of generating, validating, exchanging, and renewing asymmetric and symmetric keys.
Rate Monitoring Attack: A rate monitoring attack simply makes use of the idea that nodes closest to the base station tend to forward more packets than those farther away from the base station.
Wireless Sensor Network (WSN): Dense collection of tiny sensor motes deployed in a region of interest to gather information about a specific phenomenon for later analysis. WSNs allow ef-
Chapter XXXVI
Routing Security in Wireless Sensor Networks
A.R. Naseer
King Fahd University of Petroleum & Minerals, Dhahran
Ismat K. Maarouf
King Fahd University of Petroleum & Minerals, Dhahran
Ashraf S. Hasan
King Fahd University of Petroleum & Minerals, Dhahran
Abstract
Since routing is a fundamental operation in all types of networks, ensuring routing security is a necessary
requirement to guarantee the success of routing operation. Securing routing task gets more challenging
as the target network lacks an infrastructure-based routing operation. This infrastructure-less nature that
invites a multihop routing operation is one of the main features of wireless sensor networks that raises
the importance of secure routing problem in these networks. Moreover, the risky environment, application
criticality, and resources limitations and scarcity exhibited by wireless sensor networks make the task
of secure routing much more challenging. All these factors motivate researchers to find
and approaches that would be different from the usual approaches adopted in other types of networks.
The purpose of this chapter is to provide a comprehensive treatment of the routing security problem in
wireless sensor networks. The discussion flow of the problem in this chapter begins with
on wireless sensor networks that focuses on routing aspects to indicate the special characteristics of
wireless sensor networks from routing perspective. The chapter then introduces the problem of secure
routing in wireless sensor networks and illustrates how crucial the problem is to different networking
aspects. This is followed by a detailed analysis of routing threats and attacks that a
routing operation in wireless sensor networks. A research-guiding approach is then presented to the
reader that analyzes and criticizes different techniques and solution directions for the secure routing
problem in wireless sensor network. This is supported by state-of-the-art and familiar examples from the
literature. The chapter finally concludes with a summary and future research directions.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
be presented. These differences are explained in a way that emphasizes to the reader how they make WSN an independent research target as compared with MANET.
Section 3, being the routing security section, defines precisely the problem of secure routing in general. This section will discuss the requirements for secure routing in WSN. This will be followed by the challenges and constraints in WSN to achieve secure routing. After the reader understands the routing security problem in WSN, the reader will be given a critical discussion about the importance of this problem. This will also include an explanation of the relationship between routing security and different network aspects like survivability, connectivity and network partitioning, throughput, packet delay, and so forth.
Section 4 on routing attacks and threats presents in brief the different possible communication models and trust relationships between WSN nodes that a threat will be based on. It will clearly show how researcher assumptions on nodes communication models and nodes relationships will impact the security analysis. In this section, the reader will be provided with a global picture of the approaches and techniques that are used by the attackers. This will also include a discussion of the holes and weakness points that are exploited to achieve such attacks. Some examples of famous attacks will be given with explanation. The explanation will focus on how the attack works by exploiting the routing protocol aspects. Thus, the section will also show the robustness level that is provided by different routing protocols. How we can think secure and provide robust solutions against routing attacks and threats will be the subject of this section. The section gives examples of how an attack can be prevented or detected as a tip for a more general approach.
Section 5, “Routing Security Solutions and Techniques,” explains the objectives to be met when developing a routing security solution. These security objectives are explained under the lights of WSN constraints. Thus, the reader will be aware of the tradeoffs that should be considered in the design. A first step in the solution design is to decide whether the solution will prevent the attack or avoid it after detection. This section gives a comparison between these approaches based on the severity of the threats and WSN conditions and resources availability. In this section, cryptographic-based and noncryptographic-based approaches will be discussed and the tradeoffs with resources will also be analyzed. Examples of such solutions will be provided with a focus on how these solutions meet secure routing goals and what drawbacks they exhibit. Reputation-based solution will be discussed as a detection approach by presenting the general concept of reputation systems, followed by suggestions and approaches in reputation system solutions that can fit WSN secure routing requirements.

Background

Wireless Sensor Network Overview
WSN is an ad hoc-like deployment of a large number of sensor nodes that are intended to monitor and communicate information pertaining to a phenomenon or an event of interest. The deployment is either random or utilizes predetermined locations near or inside the phenomenon. The typical deployment scenario of WSN is depicted in Figure 1, where a number of sensor nodes are scattered in the sensor field. The sensor nodes collect data from the field and route the data through the multihop structure of the network to a specialized node referred to as the sink or base station. Finally, the sink may communicate the raw data or a processed version to the end-user utilizing an infrastructure network such as the Internet.

Applications of WSN
Due to the versatility and flexibility of WSN, it has found many applications especially in situations where direct probing or measurement of the event of interest is either costly or risky. WSNs facilitate many applications including:
Figure 1. Sensor nodes deployment in a sensor field (figure labels: Sensor node, User)
Figure 2. Wireless sensor network: (a) node structure, and (b) protocol stack. Labels in (a): Controller, RF Transceiver, ADC, Sensor/Actuator, Memory, Power unit, Power generator (legend: typical module, optional module). Labels in (b): Application Layer, Transport Layer, Network Layer, Data Link/MAC Layer, Physical Layer, Power Management, Mobility Management.
Node population: Typically the number of nodes deployed in a WSN is orders of magnitude greater than the number of nodes in a MANET. This is of course a function of the application and the sensor field. In addition, wireless sensor nodes usually have shorter communication range compared to their counterparts in MANET. This implies that the deployment density for sensor nodes may be significantly higher than that for the MANET.
Addressing and identification: WSN nodes usually do not possess a unique identification ID as opposed to ad hoc node in a MANET where every node is identified by its media access control (MAC) address or the Internet address. Nodes within a sensor field organize and establish a mechanism to identify adjacent nodes and perform the required functionality.
ent disadvantage of insecure wireless communication, limited node capabilities, possible insider threats, and the stronger attacker has the all-time advantage of possessing powerful laptops with high energy and long range communication to launch severe attacks on the network. Most of the routing protocols have not been designed with security as a goal. All of the proposed network routing protocols in the literature are more prone to attacks. Attackers can attract or repel traffic flows, increase latency, or disable the entire network, sometimes with little effort.

Threat Models

In order to define a robust security model, specification of both the security requirements and the threat model are required. The security requirements identify the properties that have to be enforced and the initial assumptions. The threat model formulates the hypothesis regarding the attacker’s capabilities and its possible behavior. A common assumption is that the attacker is compliant with the Dolev-Yao threat model (Dolev & Yao, 1983) which is often used to formally analyze crypto-protocols in communication networks. According to this model, when two communicating parties communicate over an insecure channel, the attacker can gain control over the communication network to perform the following actions:

• Overhear the messages between the parties, intercept them, and prevent their delivery to the intended recipient.
• Introduce forged messages into the system using all the available information.

But this threat model also assumes that the end nodes are not themselves subject to attack. In order to take into account the distinguishing feature of WSNs that the sensors may be unattended and end nodes cannot, in general, be trusted, the following more powerful action is required to be included in the model:

• An attacker can capture a sensor node and acquire all the information stored within it.

Considering the above modified model, the attacks can be categorized as passive and active attacks. In passive attacks, an eavesdropper can continuously monitor the whole sensor network and can launch two types of passive attacks: (i) cipher text attack wherein given the cipher text, the adversary tries to recover the encryption key, and (ii) chosen plain text attack wherein the attacker can feed the sensor with known data and then observe the encrypted message sent by the sensor. In active attacks, the attacker can capture a sensor, stealing all the information and keys stored in the sensor. Hence, providing, maintaining, and ensuring proper confidentiality and authenticity of data is of paramount importance within the limited inherent constraints of the underlying wireless sensor networks.

Sensor network attackers can be classified into two categories depending upon their capabilities (Karlof & Wagner, 2003). They are mote-class attacker and laptop-class attacker.

Mote-class attacker has access to a few ordinary sensor nodes with lesser capability and might only be able to jam the radio link in its immediate vicinity. They have limited range and cannot eavesdrop on the entire network; moreover, they cannot coordinate their efforts to bring down the network.

Laptop-class attacker has access to more powerful devices like laptops with greater battery power, more capable processor, a high-power transmitter, and a sensitive antenna. These attackers might be able to jam the entire network using a stronger transmitter and might be able to eavesdrop on an entire network. Laptop-class attackers might possess a high bandwidth, low-latency communication channel invisible to legitimate sensor nodes thereby setting up separate channels to allow such attackers to communicate and coordinate their efforts.

Further, sensor network attacks can be classified as outsider (external) attacks and insider (internal) attacks. Outsider attacks are launched by outsiders who have no special or legitimate access to the sensor network, that is, they do not have authentic keying material to participate in network operations as legitimate nodes. Insider attacks occur when an authorized participant in the sensor network has gone bad or compromised. The insider attack may be mounted from either compromised sensor nodes running a malicious code or attackers using laptop-class devices to attack the network after stealing the key material, code and data from legitimate nodes. Outsider attackers, once in full control of certain nodes, can become insider ones able to launch more subtle attacks. Insider attacks are generally more difficult to defend against than the outsider ones because of their possession of keying material.

In most of the threat models proposed in the literature, it is assumed that the environments in which the sensors are deployed are risky and untrusted. Each sensor trusts itself, but sensors do not trust each other. Further, it is assumed that all the compromised sensors in the sensor network are compromised by the same attacker and thus collude to compromise the network. The attacker may compromise multiple sensor nodes in the network, and there is no upper bound on the number of compromised nodes. However, the attacker cannot compromise the base station, also termed as sink, which is typically resourceful and well protected. Once a sensor node is compromised, all the secret keys, data, and code stored on it are exposed to the attacker. The attacker can load a compromised node with secret keys obtained from other nodes, termed as collusion, among compromised nodes. In other words, the goal of the attacker is to uncover the keys used in the system in order to disrupt the network operation. In order to achieve this, the attacker compromises individual nodes and fosters collusion among nodes. The main objective of node collusion is to incrementally aggregate the uncovered keys of individual nodes to a level that all encrypted traffic in the network is completely revealed. It is also assumed that the attacker cannot successfully compromise a node during the sensor deployment phase which is short, that is, the interval of tens of seconds when each sensor bootstraps itself, during which the sensor nodes obtain their location information and derive few keys. Indeed, such attacks can be prevented in many of the real-life scenarios when appropriate network planning and deployment are carried out to keep away attackers during the bootstrapping process. However, it should be noted that stronger threat (attacker) models need to be applied when we consider tactical military network deployment for war-field surveillance, whereas for noncritical commodity sensor networks a less strong threat model may suffice.

A new threat model to communication confidentiality in WSNs termed as “smart attacker model” is introduced by Di Pietro, Mancini, and Mei (2006). All the random-key predeployment schemes (see section 5 for detailed discussion) proposed in the literature use an oblivious attacker model that at each step of the attack sequence randomly chooses a sensor node to tamper with, without taking advantage of the information regarding the keys acquired during the previous attacks. Contrary to this, the smart attacker model greedily uses the key information acquired in the previous attacks to choose the best sensor to tamper with in order to compromise the communication confidentiality. This reduces greatly the level of communication confidentiality provided by all the random key predeployment schemes.

Routing Attacks and Examples

Any event that decreases or eliminates a network’s capacity to perform its expected function is termed as a denial-of-service attack or commonly known as a DoS attack (Wood & Stankovic, 2002). Some of the major causes for DoS attacks are hardware failures, software bugs, resource exhaustion, malicious attacks, and environmental conditions. A significant challenge in securing large sensor networks is their inherent self-organizing, decentralized nature. Many of the network deployments are vulnerable to immensely more powerful attackers. Considering the layered network architecture of sensor networks depicted in Figure 2(b), the DoS vulnerabilities to the first four layers of the s[...] can be identified (Wood & Stankovic, 2002) as:

• Physical layer attacks: The most common attacks to the physical layer of a WSN are jamming and node physical tampering.
• Data link layer attacks: Collisions, unfairness, or exhaustion of resources are the attacks that can be launched against the data link layer of a sensor network.
• Network layer attacks: The possible routing layer attacks are routing information spoofing, alteration or replay, blackhole and selective forwarding attacks, sinkhole attacks, Sybil attacks, wormhole attacks, HELLO flood attacks, and acknowledgement spoofing.
• Transport layer attacks: The most common attacks to transport layer are flooding attacks and desynchronization attacks.

Since our main focus in this chapter is towards routing security, a detailed discussion on network layer or routing attacks will be presented next. Sensor network routing attacks can be classified into the following categories (Karlof & Wagner, 2003):

• Routing information spoofing, alteration or replay
• Blackhole and selective forwarding attacks
• Sinkhole attacks
• Sybil attacks
• Wormhole attacks
• HELLO flood attacks
• Acknowledgement spoofing

Routing information spoofing, alteration, or replay: Targeting the routing information exchanged between the nodes is the most direct attack against a routing protocol. By spoofing, altering, or replaying routing information, an attacker can disrupt the network by creating routing loops, attracting or repelling network traffic, extending or shortening source routes, generating false error messages, partitioning the network, or increasing the end-to-end latency.

Most of the sensor network routing protocols such as TinyOS beaconing, directed diffusion and its multipath variant, geographic routing (e.g., GPSR, geographic and energy aware routing [GEAR]), minimum cost forwarding, rumor routing, energy conserving, and topology maintenance protocols (e.g., SPAN, GAF, CEC, AFECA) are prone to bogus routing information attacks.

For example, since routing updates are not authenticated in a TinyOS beaconing protocol, it is possible for any malicious node to claim itself to be a base station and become the destination of all traffic in the network. Mote-class attackers can very easily create routing loops by spoofing routing updates. In GPSR, an adversary can forge location advertisements to create routing loops in data flows without having to actively participate in packet forwarding.

Black hole and selective forwarding attack: Multihop networks basically work on the assumption that nodes will participate faithfully in the forwarding of the received messages. In a blackhole attack, a malicious node refuses to forward every packet it receives thereby behaving like a black hole. In a selective forwarding attack, a malicious node selectively forwards the packets, that is, a malicious node may refuse to forward certain messages and simply drop them thereby ensuring that these packets are not propagated any further. The malicious node interested in suppressing or modifying the packets originating from a few selected nodes can reliably forward the remaining traffic thereby limiting the suspicion of its misbehavior. In order to launch a selective forwarding attack effectively, the attacker must follow the path of least resistance and attempt to include explicitly the attacker’s self on the actual path of the data flow.

Most of the sensor network routing protocols such as TinyOS beaconing, directed diffusion and its multipath variant, geographic routing (e.g., GPSR, GEAR), minimum cost forwarding, clustering-based protocols (e.g., LEACH, TEEN, PEGASIS), and rumor routing, are highly prone to selective forwarding attacks.

For example, in LEACH protocol, nodes choose a cluster-head based on received signal strength. A laptop-class attacker can take advantage of this to send a powerful advertisement to all nodes in the network in order to mount a selective forwarding attack on the entire network using a small number of nodes if the target number of cluster-heads or the size of the network is sufficiently small.
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
quadruple in number between now and 2008, from under 100 million to about 440 million. Bluetooth enabled devices are used in several different environments and cover a wide range of applications. For instance, for mobile applications, the device periodically connects to the network to download music, to transfer files, or to synchronize with one’s desktop on calendar and other files. Consequently, the safety and security of these applications, for instance, the security of the private information stored on the devices, becomes a major issue. By attacking actively or passively the communication link, aggressors could obtain personal and also important business data. However, security features (Gehrmann, Persson, & Smeets, 2004) must be carefully considered and analyzed in order to decide whether Bluetooth technology indeed provides the right answer for any particular task or application.

The Bluetooth standard has been long criticized for various vulnerabilities and security inefficiencies, as its designers are trying to balance between performance and complementary services including security. So far, both the Bluetooth Special Interest Group (SIG) (Bluetooth SIG, 2003) and several researchers have made significant contributions on Bluetooth security aspects, discovering numerous vulnerabilities and potential weaknesses and proposing solutions (Adam, 2003; Gehrmann & Nyberg, 2002; Jacobson & Wetzel, 2001; Persson & Manivannan, 2003; Shaked & Wool, 2005). For example, the Bluetooth pairing procedure has been anticipated to be weak under certain circumstances. Moreover, other categories of threats, either active or passive, have also been investigated, including ad hoc security issues, malicious software like “Cabir,” war-nibbling, and so forth.

An obvious choice for any Bluetooth application would be to use Bluetooth encryption provided at link layer. Virtually all Bluetooth devices support this feature, and it is, in most cases, considered to be adequately secure. However, this may not be applicable for all deployment scenarios. In order to establish a secure channel with another Bluetooth device, a preshared secret called PIN is required. A symmetric key is generated from this PIN. On customer devices this PIN typically consists of four or five digits. Supposing a whole piconet network would utilize this PIN to encrypt its communication, anyone acquiring this PIN could theoretically decrypt all communication. On top of that, in applications like VoIP that mandate IP connectivity to access points (APs), the encryption would end at the AP, which means that the AP, or any host that can manipulate the communication between the Mobile Device and the other end, can expose the data (see Figure 1). Thus, it is obvious that Bluetooth encryption is not well suited for all applications which may exploit Bluetooth connections.

Under these circumstances and for certain classes of security sensitive applications deployed in Bluetooth PAN networks, the investigation of complementary and advanced security protocols apart from Bluetooth’s native security mechanisms, even if deployed as an interim countermeasure, is an interesting research issue. On the other hand, as Bluetooth wireless technology is targeting devices with particular needs and constraints (e.g., processing power and battery consumption) the trade-offs between security services and performance must be carefully considered. Furthermore, considering that radio links in general suffer from limited bandwidth and are unreliable by nature, performance issues must be thoroughly investigated to make a decision whether certain security protocols and their mechanisms are advantageous over Bluetooth connections, delivering robust and agile security services within tolerable service response times.

During the last few years, several researchers have examined various Bluetooth security parameters and some of them do explore performance parameters (e.g., Chakraborty, 2000; De Morais Cordeiro, Sadok, & Agrawal, 2001; Francia, Kilaru, Le Phuong, & Vashi, 2004; Golmie & Rebala, 2003; Howitt, 2002; Karnik & Kumar, 2000; Kitsos et al., 2003; Lim et al., 2001; Miorandi, Caimi, & Zanella, 2003; Wang, Arumugam, & Krishna, 2002). However, to the best of our knowledge, none of these works focus on performance evaluation comparing Bluetooth’s native security mechanisms with well-respected, strong security protocols like IPsec and SSH.

The chapter will focus on the performance of existing protocols and mechanisms rather than on security itself, estimating the performance of both the built-in Bluetooth security mechanisms, namely security modes, and two other standard security protocols operating at different layers of the TCP/IP protocol suite, namely SSH and IPsec. Protocols like SSH and IPsec provide robust, flexible, costless, and easy to implement solutions for exchanging data over insecure communication links. However, although their deployment is a well established and accustomed practice in the wireline world, more research effort is needed for wireless links, due to the several aforementioned limitations. Depending on the scenario involved, the user may utilize SSH or IPsec security services, either individually or in combination with Bluetooth security modes, allowing applications to communicate securely, constructing a secure tunnel. Thus, in a sense, the whole procedure can also be seen as the deployment of small VPNs in Bluetooth PANs. Note however, that the efficiency of the SSH and IPsec depends mainly on the performance of the used end-system. On the contrary, Bluetooth security native modes utilize the hardware encryption of the Bluetooth chip, thus performance depends heavily on the chip per se. This situation will allow us to make several observations about different layer security mechanisms when deployed over dissimilar user devices.

Specifically, the chapter will evaluate several personal area network (PAN) parameters, including transfer times, link capacity, and throughput. Experiments shall employ both Bluetooth native security mechanisms as well as the two aforementioned protocols. Through a plethora of scenarios, utilizing both laptops and palmtops, we intend to offer a comprehensive in-depth comparative analysis of each of the aforementioned security mechanisms when deployed over Bluetooth communication links.

The rest of the chapter is structured as follows. The next section gives an overview of our experimental test-bed related parameters and procedures, while the third section presents the derived performance measurement results. The fourth section offers an analytical discussion over the conducted results. The chapter finishes with some concluding thoughts and future directions of this work.

Experimental Framework Description

The experimental topology consists of two pairs of machines. The first pair of Bluetooth devices employs a laptop and a palmtop machine, while the other consists of two similar laptop machines. The members of each pair are located 10 meters apart and connected via Bluetooth adapters (or built in Bluetooth chip), thus forming a small two-member wireless PAN (WPAN) or piconet. The main components’ characteristics, both software and hardware, are presented in Table 1. To estimate the performance of the Bluetooth network, the data were transmitted from one network node (server) to the other (client). Hence, in order to record the incoming and outgoing packets between the corresponding network entities and to calculate the network performance parameters we utilized on the server side the well known network analyzer “ethereal” (www.ethereal.com), version 0.10.12, which in turn uses the “tcpdump” tool. In addition, for the Linux environment, we employed the BlueZ official Linux Bluetooth protocol stack (www.bluez.org), which provides support for the core Bluetooth layers and protocols.

Bluetooth supports three different security modes called security modes I, II, and III, but in
Palmtop Client
Model: HP iPAQ h540
Processor: 400 MHz Intel XScale PXA250
RAM: 64 MB
Figure 2. Average metric values for network parameters measured/Bluetooth Modes I and III
[Plots not reproduced: values in seconds and kbps against file size, for Mode I and Mode III.]
decreased. Measurements were gathered during repeated FTP file transfers, between the laptop server and the PDA client from the one hand and between the laptop client and server from the other. Each file was transferred twelve times and only the average values were recorded. In all scenarios, the ping response times between client and server varied between 19.7 and 21.8 msecs. Due to space limitations, in the following first three subsections we present only the analytical results derived from the laptop server/PDA client, which is without doubt the most interesting one, while some indicative corresponding comparisons with the other laptop client–server pair are exhibited in the subsection titled “Comparison Between PDA and Laptop Clients.”

Bluetooth Security Modes I and III Evaluation

Measurements for testing Bluetooth modes I and III were gathered by transferring four different files between each client–server pair. The files’ sizes were 5.26, 7.0, 10.5, and 15 Mbytes, respectively. Figure 2 provides a graphical representation of these values comparing TT times achieved in the PDA client–laptop server piconet. As we can easily notice, the results are generally as expected, but there are some interesting points which need further analysis. At first, the TT metric is slightly higher for mode III, as well as the ATR is higher for mode I. This happens because mode III mandates authentication (handshake) at the beginning of each transaction. Keep in mind that the handshake time is included in TT too.

Moreover, encryption algorithms are applied during the transaction for mode III and as a result the overall transfer time is increased. We can also perceive that the larger the file size is, the longer the TT difference between mode I and mode III is expected to be. This situation is also depicted in the respective plot of Figure 2. In general, these measurements advocate that mode I utilizes the network better than mode III. Because of the volatile nature of the wireless link, we also report standard deviation (SD) for the measured values in Table 2.

Secure Shell (SSH) Evaluation

Experimental procedures for the SSH mechanism (IETF, 2006; OpenSSH, 2006) consider the transfer of the same four files, as before, between the client and the server. Table 3 displays the average times of all metrics used, while Table 4 presents the corresponding standard deviation values.

As we can notice, SSH gives highly increased transfer times when compared to Bluetooth security modes. For instance, we can spot a difference of +12.6 seconds to +13.4 seconds for the smallest file depending on the cipher used. Moreover, it is more than obvious that all the ciphers used are more or less of the same performance. This is easily proven if we examine for example the achieved transfer rates in each case, which show very slight differences.

Another interesting assumption that we can make is that as the size of the file increases, the achieved transfer rate and the throughput become bigger. This happens because of the procedure of the authentication which takes place during the initial SSH handshake. In any case it should be noted that the improvement in the achieved transfer rates always compared to Bluetooth security mode I and induced by SSH, are negative for any scenario. This means that Bluetooth’s native mechanisms offer better bandwidth and network utilization at almost all cases examined. This remark is confirmed by the values given in Table 5.

Table 5. % ATR deterioration for SSH

Size   Bluetooth Mode I   3DES    AES128   RC4     Blowfish
5.26   618.0              -14.8   -15.0    -15.2   -15.3
7      620.2              -10.4   -10.4    -10.6   -10.9
10.5   621.2              -6.3    -6.2     -6.4    -11.0
15     621.4              -2.9    -2.9     -3.3    -3.3

IPsec Evaluation

The procedure for the IPsec protocol (Kent & Atkinson, 1998a, 1998b) considers once again the transfer of the same four files between the client and the server. IPsec uses two mechanisms (protocols) that may be used independently or jointly to secure the outgoing traffic, namely authentication header (AH) offering data origin, connectionless data integrity, and optionally replay protection, and encapsulating security payload (ESP) offering confidentiality and protection against traffic analysis. In our scenarios we utilized both mechanisms, using the MD5 and SHA1 algorithms for integrity and DES and 3DES to support confidentiality services. Note however that MD5 is not considered secure anymore and is reported here for the sake of completeness. In total, we deployed six scenarios as shown in Table 6.

Table 6. Average values for network parameters measured (IPsec)

                  5.26 MB                          7 MB
Scenario          TT (sec)  ATR (Kbps)  THR (%)    TT (sec)  ATR (Kbps)  THR (%)
AH_MD5            72.8      683.4       94.5       100.0     682.8       94.4
AH_SHA1           72.8      683.2       94.5       99.9      683.0       94.5
ESP_DES_MD5       74.4      681.0       95.0       102.0     686.6       95.0
ESP_3DES_MD5      73.8      681.0       95.7       102.2     685.2       94.8
ESP_DES_SHA1      74.2      680.0       95.2       102.0     686.6       95.0
ESP_3DES_SHA1     74.2      681.0       95.2       101.8     688.2       95.2

                  10.5 MB                          15 MB
Scenario          TT (sec)  ATR (Kbps)  THR (%)    TT (sec)  ATR (Kbps)  THR (%)
AH_MD5            145.9     682.6       94.4       205.2     683.4       94.5
AH_SHA1           145.7     683.4       94.5       205.1     683.8       94.6
ESP_DES_MD5       148.6     688.2       95.2       208.9     688.8       95.3
ESP_3DES_MD5      148.6     687.8       95.1       209.1     688.0       95.2
ESP_DES_SHA1      148.5     688.4       95.2       209.2     688.0       95.2
ESP_3DES_SHA1     148.6     688.0       95.2       210.5     683.6       94.6

First and foremost, all network metrics for IPsec are remarkably concentrated. Standard deviation
Table 8. % ATR improvement for IPsec

File Size  Bluetooth Mode_I  AH_MD5  AH_SHA1  ESP_DES_MD5  ESP_DES_SHA1  ESP_3DES_MD5  ESP_3DES_SHA1
5.26       618.0             10.6    10.6     11.1         11.4          11.9          11.4
7          620.2             10.1    10.1     10.7         10.7          11.5          11.0
10.5       621.2             9.9     10.0     10.8         10.8          10.7          10.8
15         621.4             10.0    10.0     10.8         10.7          10.7          10.0
Figure 3. Comparison of network transfer times between Laptop and PDA clients
[Plots not reproduced: panels “SSH transfer time (7 Mb)” and “IPsec transfer time (7 Mb)”, both in seconds.]
TT times remain very close to those of Bluetooth security modes. The same situation is confirmed by the minimum standard deviation values that characterize the IPsec case. Also in this case, SSH gives the worst performance compared with IPsec and Bluetooth native security modes.

Comments on the Results

This section provides a comparative view of the conducted results. Also, we attempt to provide a better explanation of the experiment outcomes. But before that we must shortly discuss important characteristics of Bluetooth connections that may affect the performance of the connection. Bluetooth employs frequency hopping spread spectrum (FHSS) to avoid interference. There are 79 (23 in some countries) hopping frequencies, each having a bandwidth of 1 MHz. Frequency hopping is assisted with fast automatic repeat request (ARQ), cyclic redundancy check (CRC), and forward error correction (FEC) to achieve high reliability on the wireless links. All the data/control packet transmissions are synchronized by the master. Slave units can only send in the slave-to-master slot after being addressed in the preceding master-to-slave slot, with each slot lasting 625 microseconds.

For real-time data such as video, synchronous connection oriented (SCO) links are used, while for data transmission, asynchronous connectionless link (ACL) links are employed. There are several ACL packet types, differing in packet length and whether they are FEC coded or not. The FEC coding scheme used in ACL DM mode is a shortened Hamming code, where each block of 10 information bits is encoded into a 15 bit codeword, and is capable of correcting single bit error in each block. Table 9 shows the different ACL packet types and their properties. The values in the table are theoretical without packet overhead. For example, over an ACL link using DH5, one can send about 300 to 320 kbit/s of UDP user data, while the theoretical limit is 433.9 kbit/s.

This means that in order to overcome the effect of low and varying link quality on throughput, the selection of the optimal link layer packet size, under estimated channel conditions, is crucial. Indeed some research work (Chen, Kapoor, Sanadidi, & Gerla, 2004) points this out by evaluating the “optimal” link layer packet size based on the current bit error rate of the channel. Moreover, in regions that Wi-Fi networks coexist with Bluetooth and because Wi-Fi and Bluetooth utilize spectrum in different ways, they can cause considerable interference between each other (depending on the relative location of the 802.11b and Bluetooth devices) (Yip & Kwok, 2004). By transmitting at the highest power level, Bluetooth class 1 devices would create more interference than Bluetooth’s class 2 and class 3 devices, which transmit at lower power levels. Furthermore, because each Bluetooth PAN will occupy the entire ISM band, two or more coexisting Bluetooth PANs will occasionally collide, possibly causing loss of data packets. Of course, apart from implementation issues (e.g., protocol stacks), the aforementioned parameters are closely related and can affect real Bluetooth connections and the results gathered in this chapter. For instance, all experiments were conducted inside the coverage area of the University’s hot-spot.

Table 9. Packet types for Bluetooth ACL Connections (theoretical values)

Mode  FEC  Packet Size (bytes)  Symmetric (kbps)  Asymmetric (kbps)
DM1   2/3  0-17                 108.8             108.8   108.8
DM3   2/3  0-121                258.1             387.2   54.4
DM5   2/3  0-227                286.7             477.8   36.3
DH1   no   0-27                 172.8             172.8   172.8
DH3   no   0-183                390.4             585.6   86.4
DH5   no   0-339                433.9             723.2   57.6
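The 2/3 FEC used by the DM packet types in Table 9 can be worked through in code to show where the single-bit correction and the 50% coding overhead come from. This is an added example, not code from the chapter: it assumes the generator polynomial g(D) = (D + 1)(D^4 + D + 1) that the Bluetooth baseband specification gives for this shortened Hamming code, and it models codewords as integers without the on-air bit ordering.

```python
# (15,10) shortened Hamming code: 10 information bits -> 15-bit codeword.
N, K = 15, 10
# Assumed generator: g(D) = (D + 1)(D^4 + D + 1) = D^5 + D^4 + D^2 + 1 (octal 65).
G = 0b110101


def poly_mod(value, gen=G):
    """Remainder of value divided by gen, both read as GF(2) polynomials
    (bit i is the coefficient of D^i)."""
    glen = gen.bit_length()
    while value.bit_length() >= glen:
        value ^= gen << (value.bit_length() - glen)
    return value


def encode(info):
    """Systematic encoding: the 10 information bits followed by 5 parity bits."""
    if not 0 <= info < (1 << K):
        raise ValueError("info must fit in 10 bits")
    shifted = info << (N - K)
    return shifted | poly_mod(shifted)


# Syndrome of every single-bit error pattern. The 15 syndromes are distinct,
# which is what makes one flipped bit per block correctable.
SYNDROME_TO_BIT = {poly_mod(1 << i): i for i in range(N)}


def decode(word):
    """Return (info, status); status is 'ok', 'corrected' or 'uncorrectable'."""
    if not 0 <= word < (1 << N):
        raise ValueError("word must fit in 15 bits")
    syndrome = poly_mod(word)
    if syndrome == 0:
        return word >> (N - K), "ok"
    bit = SYNDROME_TO_BIT.get(syndrome)
    if bit is None:
        # Two flipped bits give a syndrome that matches no single-bit error.
        return None, "uncorrectable"
    return (word ^ (1 << bit)) >> (N - K), "corrected"


def coded_bits(info_bits):
    """Bits on air for info_bits of input, padding the last block to 10 bits."""
    blocks = -(-info_bits // K)        # ceiling division
    return blocks * N


if __name__ == "__main__":
    info = 0b1011001110                # constructed sample block
    cw = encode(info)
    print(f"codeword          {cw:015b}")
    print("clean            ", decode(cw))
    print("1 bit flipped    ", decode(cw ^ (1 << 7)))
    print("2 bits flipped   ", decode(cw ^ 0b11))
    print("160 info bits -> ", coded_bits(160), "coded bits")
```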
rying about. According to some other works (e.g., FreeSwan, 2002) utilizing low-end machines, a 60 MHz Pentium running a host-to-host tunnel to another machine shows an FTP throughput of slightly over 5 Mbit/s either way. Thereafter, we can conclude that in our case the IPsec mechanisms running on “relatively” low-end processors is not really a bottleneck. The overall performance is rather affected most by the quality of the Bluetooth link itself, meaning that due to better utilization of the link and possibly due to optimal ACL scheme and lower packet drop rate, IPsec performs slightly better than native Bluetooth modes do.

In Figure 6, we present some indicative ethereal screens that attest why in practice IPsec performs better from the other two in terms of the additional protocol overhead induced. These screens illustrate the overall network statistics for Bluetooth mode III and IPsec AH_MD5, respectively. The “Data” section corresponds to the overall percent of data that were sent from the server towards the PDA client for the 5.26 MB file. We observe that IPsec needs considerably lower percent of TCP data packets to complete the transaction (49.63%) than Bluetooth mode III which requires 66.24%. Note, that excluding ARP messages, the remaining percent corresponds to control information sent from the client to the server including ACKs, retransmissions, and so forth. Therefore, IPsec utilizes the link better, achieving higher performance.

Another important factor that may affect the conducted results is the operating system itself. For that we performed partial measurements using the Windows XP operating system in the laptop client, while keeping all the other test-bed parameters unchanged. Under this setting, we observed significantly lesser packet retransmissions and logged fairly better times. For example, for Bluetooth mode III and file size 10.5 MB we got an average transfer time of 150 seconds, namely 5 seconds better than Linux. One can presume that the Bluetooth stack is better implemented in Windows than in Linux or the Bluetooth adapters that we used perform better under Windows, perhaps due to their drivers’ implementation. Nevertheless, a detailed analysis of this

Figure 5. Comparison of network throughput for six different scenarios (PDA client)
[Plot not reproduced: “Comparison of Throughput for different scenarios”, Percentage (%) against file sizes, for MODE I, MODE III, DES, Blowfish, AH_SHA, and ESP_DES_SHA.]

Figure 6. Ethereal screens with protocol hierarchy statistics (PDA client)
This chapter addresses performance issues for Bluetooth host-to-host connections. Three distinct categories of scenarios were used to test whether well respected security mechanisms of Internet and application layers of the TCP/IP suite are advantageous when deployed over Bluetooth PANs compared to Bluetooth native security modes. The results disclose that IPsec better utilizes the wireless link and thus provides radically improved transfer times when compared with SSH. Native Bluetooth modes service times are close to those of IPsec’s thus significantly better from SSH ones. On the other hand, there is an important disadvantage which is the high amount of the memory resources IPsec consumes.

As future work we would like to expand this study, investigating the performance of asymmetric cryptography mechanisms, for example, public key certificates, and to support authentication services in the context of such protocols that promote automatic keying. Another direction is to detect how much energy is required for this sort of secure connections, as mobile devices can not afford batteries with unlimited capacity.
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
and WLAN environment. In Proceedings of IEEE OpenSSH. (2006). OpenSSH project home page.
International Conference on Communications, Retrieved October 14, 2007, from http://www.
ICC, Anchorage, AK, (pp. 1181-1185). openssh.org
Howitt, I. (2002). Bluetooth performance in the Persson, K., & Manivannan, D. (2003). Secure con-
presence of 802.11b WLAN. IEEE Transactions nections in Bluetooth scatternets. In Proceedings of
onVehicularTechnology, 15
(6), 1640-1651. the63 th Annual Hawaii International Conference
on System Sciences (HICSS ‘03) (p. 314b).
IEEE. (2002). Wireless PAN medium access control
MACandphysicallayerPHYspecification. IEEE Shaked, Y., & Wool, A. (2005). Cracking the Blue-
standard.5 1 2.80 New York: IEEE. Retrieved Oc- tooth PIN. In Proceedings of the 3rd ACM Interna-
tober 14, 2007, from http://www.ieee802.org/15/ tional Conference on Mobile Systems, Applications,
and Services (pp. 39-50). ACM Press.
IETF. (2006). IETF secure shell (secsh) working
group. Retrieved October 14, 2007, from http:// Wang, F., Arumugam, N., & Krishna, G. H. (2002).
tools.ietf.org/wg/secsh/ Performance of a Bluetooth piconet in the presence
of IEEE 802.11 WLANs. In Proceedings of the
Jacobson, M., & Wetzel, S. (2001). Security weak-
13th IEEE International Symposium on Personal,
nesses in Bluetooth. In Proceedings of the Confer-
Indoor and Mobile Radio Communications (Vol.
ence on Topics in Cryptology: The Cryptographer’s
4, pp. 1742-1746).
track at RSA (LNCS 2020, pp. 176-191).
Yip, H. K., & Kwok, Y-K. (2004). A performance
Karnik, A., & Kumar, A., (2000). Performance
study of packet scheduling algorithms for coordi-
analysis of the Bluetooth physical layer. In Proceed-
nating colocated Bluetooth and IEEE 802.11b in
ings of IEEE International Conference on Personal
a Linux machine. In Proceedings of the 7th Inter-
Wireless Communications (pp. 70-74).
national Symposium on Parallel Architectures,
Kent, S., & Atkinson, R. (1998a). IP authentication Algorithms and Networks (ISPAN’04).
header (AH) (IETF RFC 2402).
Yujin, L., Jesung, K., Sang, L. M., & Joong, S. M.
Kent, S., & Atkinson, R. (1998b). IP encapsulating (2001). Performance evaluation of the Bluetooth-
security payload (ESP) (IETF RFC 2406). based public Internet access point. In Proceedings
ofthe5 1th International Conference on Information
Massey, J., Khachatrian, G., & Kuregian, M. (1998). Networking (pp. 643-648).
Nomination of SAFER+ as candidate algorithm for
the advanced encryption standard (AES). In Pro-
ceedings of the1st Advanced Encryption Standard
KEY TERMS

Bluetooth: An industrial specification for wireless personal area networks (PANs). Bluetooth provides a way to connect and exchange information between devices such as mobile phones, laptops, PCs, printers, digital cameras, and video game consoles via a secure, globally unlicensed short-range radio frequency.

Goodput: The application level throughput, that is, the number of useful bits per unit of time forwarded by the network from a certain source address to a certain destination, excluding protocol overhead, retransmissions, and so forth.

IEEE 802.15: The IEEE 802.15 WPAN working group focuses on the development of consensus standards for personal area networks or short distance wireless networks. These WPANs address wireless networking of portable and mobile computing devices such as PCs, PDAs, peripherals, cell phones, pagers, and consumer electronics, allowing these devices to communicate and interoperate with one another. The IEEE Project 802.15.1 has derived a wireless personal area network standard based on the Bluetooth v1.1 Foundation Specifications.

IPsec: IPsec (IP security) is a suite of protocols for securing Internet protocol communications by encrypting and/or authenticating each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment. There are two modes of IPsec operation: transport mode and tunnel mode. IPsec is implemented by a set of cryptographic protocols for securing packet flows. Specifically, the authentication header (AH) protocol provides authentication, payload (message), and IP header integrity (with some cryptography algorithm also nonrepudiation). On the other hand, the encapsulating security payload (ESP) protocol provides data confidentiality, payload (message) integrity, and with some cryptography algorithm also authentication.

Network Performance: The level of quality of service of a telecommunications resource, protocol, or product.

Secure Shell or SSH: A set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and to optionally allow the remote computer to authenticate the user. SSH provides confidentiality and integrity of data exchanged between the two computers using encryption and MACs.

Throughput: The amount of digital data per time unit that are delivered to a certain terminal in a network, from a network node, or from one node to another, for example, via a communication link.
Routing Security in Wireless Sensor Networks
computation complexities are all relieved in this approach. However, communication overhead and behavior knowledge exchange is more complicated here.

In literature, noncrypto approach is realized by the adoption of reputation systems. A reputation system is a type of cooperative filtering algorithm which attempts to determine ratings for a collection of entities that belong to the same community. Every entity rates other entities of interest based on a given collection of opinions that those entities hold about each other (Michiardi & Molva, 2002).

Reputation systems have recently received considerable attention in different fields such as distributed artificial intelligence, economics, evolutionary biology, and so forth. Most of the concepts in reputation systems depend on social networks analogy. As expected, reputation systems are complex in the sense that they do not have a single notion, but a single system will consist of multiple parts of notions. Thus, comparing reputation systems is, in fact, a very difficult problem. All known trials on such problem were based on qualitative approach. The work proposed by Mui, Halberstadt, and Mohtashemi (2002) makes an attempt on comparing reputation systems quantitatively based on game theory. The authors, thus, identify different notions of reputation systems like, contextualization, personalization, individual and group reputation, and direct and indirect reputation.

In the context of MANET and WSN (Buchegger & Boudec, 2003; Michiardi & Molva, 2002), the reputation of a node is the amount of trust the other nodes grant to it regarding its cooperation and participation in forwarding packets. Hence, each node keeps track of each other’s reputation according to the behavior it observes, and the reputation information may be exchanged between nodes to help each other to infer the accurate values. There is a trade-off between efficiency in using available information and robustness against misinformation. If ratings made by others are considered, the reputation system can be vulnerable to false accusations or false praise. However, if only one’s own experience is considered, the potential for learning from the experiences of others goes unused, which decreases efficiency.

Any reputation system in the context of MANET and WSN should, generally, exhibit three main functions (Djenouri et al., 2005):

• Monitoring: This function is responsible for observing the activities of the nodes of its interest set.
• Rating: A node will rate its interest set nodes based on the node’s own observation (termed as first hand information), other nodes’ observations that are exchanged among themselves (termed as second hand information), the history of the observed node, and certain threshold values.
• Response: Once a node builds knowledge about others’ reputations, it should be able to decide upon different possible reactions it can take, like, avoiding bad nodes or even punishing them.

For secure routing problem in WSN, a reputation system can be a good solution for behavior-related problems. The efficiency of a proposed solution will depend on:

• The ability to monitor misbehavior events correctly.
• Using a good rating model that closely reflects the behavior of nodes.
• Developing good routing algorithms and decision criteria that try to select the most trusted routers and follow the least risky paths.

In literature, there are reputation-based solutions proposed for MANET such as CONFIDANT and CORE. The work, however, in WSN is not heavily studied. When considering WSN, reputation systems become more challenging for the first two phases, that is, monitoring and rating. Good monitoring requires a sensor node to be always awake overhearing others’ packets which is an energy consuming operation. A possible approach is to make the responsibility of monitoring for a specific set of sensor nodes. However, this yields a poor rating mechanism. Moreover, the rating
model should be able to mathematically track the node behavior. Complex models may require a heavy processing task and memory usages. These resources are more in demand for data processing in the constrained WSN node.

In the following sections, we briefly describe some reputation-based solutions designed for WSN.

Reputation-Based Solutions

SAR: Security-aware routing (SAR) proposed by Naldurg, Yi, and Kravets (2001) is a protocol derived from AODV and based on authentication and a metric called the hierarchal trust values metric. The hierarchal trust values metric governs routing protocol behavior. This metric is embedded into control packets to reflect the minimum trust value a router should have to be able to forward the received packet. This value is determined by the sender. A node that receives any packet can neither process it nor forward it unless it provides the required trust level present in the packet. Moreover, this metric is also used as a criterion to select routes when many routes satisfying the required trust value are available.

There are some problems and limitations in SAR:

• The routing operation needs to encounter a trusted route setup phase that is done using cryptographic authentication. This setup contributes some initial delay and requires some sophisticated crypto mechanisms.
• The trust metric used in SAR does not reflect exactly nodes’ behavior; rather, they represent a “rank” that a node exhibits based on its identity and various security service provision. Thus, a trusted node in SAR is a node that has the appropriate rank that meets the routing requirements. To rank a node is another problem by itself that is not addressed very well.
• The routing decision rules in SAR are governed by the source, which makes the protocol less flexible.
• The routing decision is not to select the next hop but to decide to participate in the trusted route. As a result, selfish behavior is not addressed well in SAR.

TRANS: Proposed by Tanachaiwiwat, Dave, Bhindwale, and Helmy (2004), TRANS is a geographic routing protocol (GPSR-based) that provides security services using trust metric. It can be considered as a tight trust-based routing due to its specific targets and assumptions. It basically targets a misbehavior model in which an attacker selectively participates in routing signaling and control packets, but drops consistently queries and data packets. The protocol also assumes static sensor networks in which a tight mapping can be done between the nodes’ identities and their locations. TRANS assumes a location-centric architecture that helps it in isolating misbehavior and establishing trust routing in sensor networks. As a result of that, the protocol assumes a certain communication model in which a single or multiple sinks initiate communication requests with various locations. During that phase, insecure locations are identified and blacklisted. The trust metric used to judge on location security is calculated based on nodes’ experience among each other regarding their identities, link availability, and packet forwarding.

There are some problems and limitations in TRANS:

• In TRANS, the trust, in fact, is associated with locations rather than the nodes. The problem is that a location can be infected by a single node. The detour, then, will be around a larger area rather than a single node.
• Nodes located in proximity of an infected location might be also isolated. If not, they are also exposed to heavy routing duties that may induce selfish behavior.
• TRANS is limited by single or multiple sink communication models. This assumption is necessary for the efficient operation of the protocol.
• TRANS discusses approaches to decrease energy consumption due to the security
• The protocol has no provision for energy efficiency.
• The protocol totally relies on trust-based forwarding. If a node is completely surrounded by misbehaving nodes, there is no other mechanism proposed to select a next hop since all nodes will be eliminated from the node’s forwarding list.
• RGR is a multipath trust-based routing. Although multipath is important for reliable services, it is also believed that multipath routing is energy consuming, which is a very important issue to consider in WSN.

Reputation-based framework for high integrity sensor networks: Ganeriwal and Srivastava (2004) propose a reputation-based framework for sensor networks where nodes maintain a reputation for other nodes and use it to evaluate their trustworthiness. The authors tried to focus on an abstract view that provides a scalable, diverse, and a generalized approach hoping to tackle all types of misbehaviors. They also designed a system within this framework and employed a Bayesian formulation, using a beta distribution model for reputation representation.

In this system, monitoring mechanism follows the classic watchdog methodology in which a node

• The monitoring mechanism uses a normal watchdog mechanism that assumes a promiscuous mode operation for every node. This is not suitable for the WSN conditions in terms of energy scarcity as discussed earlier.
• The system does not show a practical solution implementation of monitoring and rating phases. From an implementation point of view, the study should provide an example of how monitoring and rating will be done under some application assumptions.
• The work does not propose a response methodology, for example, a routing algorithm. Instead, it leaves it an open issue. Therefore, the work lacks performance figures that can show the efficiency and security gain and benefits in routing operation that can be obtained in adopting this solution.

Reputation system-based solution for trust-aware routing: This work proposed by Maarouf and Naseer (2007) provides a reputation system-based solution for trust aware routing as a main security concern in WSN. In contrast to similar existing solutions for ad hoc networks like CORE (Michiardi & Molva, 2002) and CONFIDANT (Buchegger & Boudec, 2003) or those for WSN like RFSN (Josang & Ismail, 2002), this work proposes
solutions to focusing on satisfying WSN resources constraints and conditions, while maintaining the security requirements. Thus, the solution proposes new mechanisms and approaches that are customized for WSN constraints.

The work adopts a modular design approach by which it treats every individual component as a separate problem and studies it in the lights of WSN conditions adaptation and customization. The integrated reputation system is termed as sensor node attached reputation evaluator (SNARE) (Maarouf & Naseer, 2006) which consists of three main components: monitoring component, rating component, and response component.

For the monitoring part, the work proposes a new monitoring strategy called efficient monitoring procedure in reputation system (EMPIRE) to solve the problem of efficient monitoring in WSN. Efficient monitoring should guarantee a satisfying level of capturing neighborhood activities, while trying to minimize power consumption, memory usage, processing activities, communication overhead, and so forth. In this work, monitoring efficiency is realized by the association between the nodal monitoring activity (NMA) and various performance measures. NMA is determined by the frequency of monitoring actions that a node takes to collect direct observation information. Reducing the frequency of monitoring, that is, reducing NMA, will affect the quantity and/or the quality of the obtained information. Thus, the performance measures will be affected. However, on the other hand, this reduction implies a saving in node’s resources such as power, processing, and memory, which are the constraints that are faced in WSN. EMPIRE provides a probabilistic approach to reduce nodal monitoring activities, while keeping the performance of the system, from the behavior and trust awareness perspective, at a desirable level.

The rating component proposed in this work is called cautious rating for trust enabled routing (CRATER). Basically, this technique identifies three rating factors: first hand information (FHI), second hand information (SHI), and a defined period called neutral behavior period (NBP) during which a node is not doing any activity. The new contribution in CRATER is its mathematical approach that is used to rate nodes based on what is called cautious assumptions, which are very true in most WSN. These assumptions basically introduce the cases in which WSN nodes are very sensitive to hearing SHI and are concerned with their immediate neighbors.

Moreover, the rating component is evaluated by a novel and promising mechanism proposed to evaluate different reputation systems. The evaluation scheme is called reputation systems-independent scale for trust on routing (RESISTOR). RESISTOR is based on the analogy of the resistance phenomenon in electric circuits. It defines a metric called “resistance” to represent how much a node is resisting its malicious neighbors by finding the ratio between the risk value for the malicious node, which is computed by the monitoring node using CRATER, and the number of packets flowed into that malicious node. Then, based on that figure, which is called the resistance figure, the system performance is analyzed for evaluation.

Finally, the response component of the reputation system suggests a new routing protocol that aims to provide a secure packet delivery service guarantee by incorporating the behavior trust concept into the routing decision. The proposed geographic, energy and trust aware routing (GETAR) protocol is an enhanced version of the GEAR protocol (Yu, Govindan, and Estrin 2001). GEAR is basically a geographic routing protocol in which the next hop is selected based on two metrics: the distance between the next hop and the destination and the remaining energy level the next hop owns. The new contribution of this work is to add a third metric in the next-hop selection process, that is, the risk level of a node defined as the amount of risk the sender may encounter by selecting a particular node as a next hop. The risk value a sender knows about a node reflects the “trustworthiness” that it has towards that node.
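The monitoring, rating and response functions described above, as an added Python sketch (not code from the chapter or from any of the cited protocols). The rating uses the beta-distribution model mentioned for Ganeriwal and Srivastava's framework and the response is a GETAR-style choice over distance, remaining energy and risk; the cost weights, the 0.5 risk cut-off, the linear discount for second hand information, the fallback when every neighbor is distrusted, and all class and function names are assumptions of this example.

```python
"""Added illustration (not from the chapter): monitoring -> rating -> response.

Rating is a beta-distribution reputation; the response is a GEAR-style
next-hop choice extended with a risk metric. Weights, thresholds and the
linear second-hand discount are assumptions made for this sketch.
"""
import math
from dataclasses import dataclass, field


@dataclass
class BetaReputation:
    """Reputation of one neighbor, held as forward/drop evidence counts."""
    forwarded: float = 0.0  # cooperative events seen (alpha)
    dropped: float = 0.0    # misbehavior events seen (beta)

    def observe(self, packet_forwarded: bool) -> None:
        """First hand information: one watchdog observation."""
        if packet_forwarded:
            self.forwarded += 1
        else:
            self.dropped += 1

    def merge_second_hand(self, report: "BetaReputation", reporter_trust: float) -> None:
        """Second hand information, scaled by how much the reporter is trusted.

        A weight near 0 blunts false accusations and false praise; a weight
        of 1 accepts the report as if it were the node's own observation.
        """
        w = min(max(reporter_trust, 0.0), 1.0)
        self.forwarded += w * report.forwarded
        self.dropped += w * report.dropped

    @property
    def trust(self) -> float:
        """Mean of Beta(forwarded + 1, dropped + 1); 0.5 with no evidence."""
        return (self.forwarded + 1) / (self.forwarded + self.dropped + 2)

    @property
    def risk(self) -> float:
        return 1.0 - self.trust


@dataclass
class Neighbor:
    node_id: str
    position: tuple   # (x, y) coordinates
    energy: float     # remaining energy as a fraction of full, 0..1
    reputation: BetaReputation = field(default_factory=BetaReputation)


def hop_cost(n, sender_pos, dest, w_dist, w_energy, w_risk):
    """Weighted cost of forwarding through n; lower is better."""
    span = math.dist(sender_pos, dest) or 1.0
    distance_term = math.dist(n.position, dest) / span
    energy_term = 1.0 - n.energy
    return w_dist * distance_term + w_energy * energy_term + w_risk * n.reputation.risk


def select_next_hop(neighbors, sender_pos, dest, weights=(1.0, 1.0, 1.0), max_risk=0.5):
    """Response function: avoid nodes above max_risk, then minimise hop_cost.

    If every neighbor is above max_risk the forwarding list would be empty,
    so fall back to the least risky neighbor instead of stalling.
    Returns (neighbor, degraded) where degraded marks the fallback path.
    """
    if not neighbors:
        return None, False
    trusted = [n for n in neighbors if n.reputation.risk <= max_risk]
    if not trusted:
        return min(neighbors, key=lambda n: n.reputation.risk), True
    best = min(trusted, key=lambda n: hop_cost(n, sender_pos, dest, *weights))
    return best, False


def build_constructed_neighborhood():
    """Constructed sample data: A is best placed but drops 8 of 10 packets."""
    a = Neighbor("A", (4.0, 0.0), 0.9)
    b = Neighbor("B", (3.0, 1.0), 0.7)
    c = Neighbor("C", (2.0, -2.0), 0.8)
    for node, drops in ((a, 8), (b, 0), (c, 1)):
        for i in range(10):
            node.reputation.observe(packet_forwarded=(i >= drops))
    return [a, b, c]


if __name__ == "__main__":
    sender, sink = (0.0, 0.0), (10.0, 0.0)
    hood = build_constructed_neighborhood()
    # Distance and energy only (risk weight 0, no risk cut-off).
    print(select_next_hop(hood, sender, sink, (1, 1, 0), max_risk=1.0)[0].node_id)
    # All three metrics, with the risk cut-off applied.
    print(select_next_hop(hood, sender, sink)[0].node_id)
```

With the constructed neighborhood, the two-metric selection forwards through the packet-dropping node because it is closest and has the most energy, while the three-metric selection routes around it.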
FUTURE RESEARCH DIRECTIONS

Recent research work focuses on energy-aware design and efficient communication and networking within the WSN. On the physical layer level, techniques for low-power hardware design, overcoming signal propagation, and optimized modulation schemes are of great interest. Another very important area of open research is the design of energy-aware and efficient medium access control protocol for enhanced WSN performance and prolonged network lifetime. On the network level, new integrated identity and behavior trust aware routing algorithms that are tailored for operation given the limitations of the WSN are necessary. Finally, at the application layer, protocols necessary for sensor management, task assignment and data advertisement, and sensor query and data decimation are being developed.

Node mobility is an important issue to be considered when developing secure routing protocols. Most of the current protocols assume that the sensor nodes and the base stations are stationary. However, there might be situations such as battle environments where the base station and possibly the sensors need to be mobile. In such cases, frequent update of the position of the base station and sensor nodes and propagation of that information through the network and rekeying operation may excessively drain the energy of nodes. New secure routing algorithms are needed in order to handle the overhead of mobility, rekeying, and topology changes in such an energy-constrained environment. A feature that is important in every routing protocol is to adapt to topology changes very quickly and to maintain the network functions.

One aspect of sensor networks that complicates the design of a secure routing protocol is in network aggregation. In WSNs, in-network processing makes end-to-end security mechanisms harder to deploy because intermediate nodes need direct access to the contents of the messages. Finding efficiently and optimally the processing points in WSNs is still an open research issue.

There are not many published works on the general intrusion detection techniques for wireless sensor networks. There are some works on intrusion detection targeted for specific kind of attacks. Wireless sensor networks require a solution that is fully distributed and inexpensive in terms of communication, energy, and memory requirements. In order to look for anomalies, applications and typical threat models must be understood. It is particularly important for researchers and practitioners to understand how cooperating adversaries might attack the system. The promising approach for decentralized intrusion detection is the use of secure groups. More research is needed to determine better node features addressing specific vulnerabilities and develop improved detection algorithms taking into account sensor node capabilities.

Novel techniques of network clustering that maximize the network lifetime are also a hot area of research in WSNs (Bandyopadhya & Coyle, 2003). Since sensor nodes are prone to failure, fault tolerance techniques come into the picture to keep the network operating and performing its tasks. Routing techniques that explicitly employ fault tolerance techniques in an efficient manner are still under investigation (Dulman et al., 2003).

Another area which needs extensive research is the study of survivability issues in wireless sensor networks. Survivability of a system can be defined as the capability to fulfill its mission, in a timely manner, and in the presence of intrusions, attacks, accidents, and failures. A framework of survivability model for WSN with software rejuvenation methodology, which is applicable in security, has been proposed by Kim, Shazzad, and Park (2006).

Most of the currently proposed key management schemes are based on the assumption that all the nodes in the sensor networks are homogeneous and with similar capabilities, such as memory and radio range. It has been found that by applying heterogeneous sensor nodes in a sensor network, the small percentage of more capable sensor nodes can provide an equal level of security, and meanwhile improve the resilience of node compromise. The unbalanced scheme proposed by Traynor, Choi, Cao, Zhu, and La Porta (2004) not only reduces the number of transmissions necessary to establish session-keys but also reduces the effect of both single and multiple node captures. Another area which needs intensive research is the development of path-key establishment phase of key management scheme. Some special protocols combined with routing information may be considered to achieve the secure and efficient path-key
establishment. Furthermore, based on the current research on the coverage and connectivity in the sensor networks, some random distribution model (Bettstetter, 2002) should also be considered when modeling a secure communication model in wireless sensor networks.

An important area which needs extensive research is the development of efficient node monitoring and rating approaches in reputation system-based solutions. Another problem which needs extensive research is a bootstrapping problem in sensor networks. This is the startup period which is required to build reputation and trust among nodes in a network in noncryptographic-based solutions and to discover shared keys and perform key-setup among sensor nodes in cryptographic-based solution. Minimizing this startup period to prevent node compromise during bootstrapping is an open issue.

Public-key solutions built upon the pairing-based identity-based cryptography (IBC) is emerging as an alternative (more appropriate than traditional public key cryptography for WSNs) with the efficient hardware implementation of Tate pairing (Barreto, Lynn, & Scott, 2004) on smartcard (Bertoni, Chen, Fragneto, Harrison, & Pelosi, 2005), PDAs (Scott, 2005), and FPGAs (Kerins, Marnane, Popovici, & Barreto, 2005).

Another issue which has triggered a growing debate is on the use of symmetric-key vs. public-key cryptography (PKC) in WSNs. How to modify the public key cryptography and apply it to the key management issues in resource-constrained WSNs is a major challenge. Recent studies show that it is still possible to apply public key cryptography to sensor networks by judiciously selecting right algorithms and associated parameters (Arazi, Elhanany, Arazi, & Qi, 2005; Gaubatz, Kaps, & Sunar, 2004). ECC (Malan, Welsh, & Smith, 2004) is especially attractive for constrained wireless devices because the smaller keys in ECC result in memory, bandwidth, and computational savings. With the advancements of hardware and software, public key infrastructure in WSN is not only possible but also necessary (Gura, Patel, Wander, Eberle, & Shantz, 2004).

CONCLUSION

In this chapter, we have presented a comprehensive treatment of the routing security problem in wireless sensor networks. We have provided an overview of WSN architecture, possible applications, and indicated the special characteristics of wireless sensor networks from routing perspective. We have highlighted the importance of secure routing problem considering the different network aspects and special conditions of WSN. We have provided a detailed analysis of routing threats and attacks that are more specific to routing operation in wireless sensor networks and also indicated possible countermeasure against these attacks. We have provided a comprehensive review and an in-depth discussion of different intrusion prevention and detection techniques, cryptographic-based solutions (with emphasis on key management schemes), and noncryptographic-based solutions (with emphasis on trust and reputation of sensor nodes) for the secure routing problem highlighting their pros and cons. We have also presented some open problems that are currently being researched.

REFERENCES

AbuGhazaleh, N., Kang, K.D., & Liu, K. (2005, October 10-13). Towards resilient geographic routing in WSNs. Paper presented at MSWiM’05.

Agah, A., & Das, S.K. (2007, September). Preventing DoS attacks in wireless sensor networks: A repeated game theory approach. International Journal of Network Security, 5(2), 145-153.

Agah, A., Das, S.K., & Basu, K. (2004). Intrusion detection in sensor networks: A non-cooperative game approach. In Proceedings of the Third IEEE International Symposium on Network Computing and Applications (NCA’04).

Al-Karaki, J. N., et al. (2004, April 18-21). Data aggregation in wireless sensor networks: Exact and approximate algorithms. In Proceedings of IEEE Workshop on High Performance Switching and Routing, Phoenix.
Arazi, B., Elhanany, I., Arazi, O., & Qi, H. (2005). Revisiting public-key cryptography for wireless sensor networks. Computer, 38(11), 103-105.

Bandoyopadhya, S., et al. (2006). Clustering distributed data streams in peer-to-peer environments. Information Sciences, 176(14), 1952-1955. Elsevier.

Bandyopadhya, S., & Coyle, E. (2003). An energy efficient hierarchical clustering algorithm for wireless sensor networks. In Proceedings of INFOCOM 2003 (Vol. 3, 1713-1723).

Bannerjee, S., Grosan, C., & Abraham, A. (2005). IDEAS intrusion detection based on emotional ants. Paper presented at the 5th International Conference on Intelligent Systems Design and Applications (ISDA ‘05) (pp. 344-349).

Barreto, P., Lynn, B., & Scott, M. (2004). On the selection of pairing-friendly groups. In Proceeding of Selected Areas Cryptography (LNCS 3006, pp. 17-25). New York: Springer Verlag.

Bertoni, G., Chen, L., Fragneto, P., Harrison, K., & Pelosi, G. (2005). Computing Tate pairing on smartcards (White paper STMicroelectronics). Retrieved October 27, 2007, from http://www.st.com/stonline/products/families/smartcard/ast_ibe.htm

Bettstetter, C. (2002). On the minimum node degree and connectivity of a wireless multi-hop network. In Proceedings of the 3rd ACM International Symposium on Mobile Adhoc Networking and Computing’02, EPF Lausanne, Switzerland, (pp. 80-91). ACM Press.

Buchegger, S., & Boudec, J.Y.L. (2003, July). A robust reputation system for mobile ad-hoc networks (Tech. Rep. IC/2003/50). EPFL IC.

scheme in distributed sensor networks using attack probabilities. Paper presented at the Global Telecommunications Conference, GLOBECOM ‘05 (Vol. 2, pp. 5-). IEEE.

Da Silva, A.P.R., Martins, M.H.T., Rocha, B.P.S., Loureiro, A.A.F., Ruiz, L.B., & Wong, H.C. (2005, October 13). Decentralized intrusion detection in wireless sensor networks. Paper presented at Q2SWinet’05, Montreal, Quebec, Canada.

Deng, J., Han, R., & Mishra, S. (2002, November). INSENS: Intrusion-tolerant routing in wireless sensor networks (Tech. Rep. CU-CS-939-02). University of Colorado, Department of Computer Science.

Deng, J., Han, R., & Mishra, S. (2004). Intrusion tolerance and anti-traffic analysis strategies for wireless sensor networks. Paper presented at the IEEE International Conference on Dependable Systems & Networks (DSN) (pp. 594-603).

Di Pietro, R., Mancini, L.V., & Mei, A. (2003). Random key-assignment for secure wireless sensor networks. In Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, VA, (pp. 62-71).

Di Pietro, R., Mancini, L.V., & Mei, A. (2006, December). Energy efficient node-to-node authentication and communication confidentiality in wireless sensor networks. Springer Journal on Wireless Networking, 12(6), 709-721.

Dolev, D., & Yao, A.C. (1983). On the security of public-key protocols. IEEE Transactions on Information Theory, 29(2), 198-208.

Du, W., Deng, J., Han Y.S., Chen, S., & Varshney, P.K. (2004, March). A key management scheme for wireless sensor networks using deployment knowledge. Paper presented at the IEEE INFOCOM.
Chan, H., Perrig, A., & Song, D. (2003, May
11-14). Random key predistribution schemes for Du, W., Fang, L., & Ning, P. (2005). LAD: Lo-
sensor networks. In Proceedings of the IEEE calization anomaly detection for wireless sensor
Symposium on Security and Privacy, Oakland, networks. Paper presented at the IPDPS.
CA, (pp.197-213).
Dulman, S., et al. (2003, March). Trade-off between
Chan, S., Poovendran, R., & Sun, M. (2005, trafficoverheadandreliabilityinmultipathrou
November 28-December 2). A key management
Routing Security in Wireless Sensor Networks
for wireless sensor networks. Paper presented at Jolly, G., Kuscu, M., Kokate, P., & Younis, M. (2003,
the WCNC Workshop, New Orleans. June). A low-energy key management protocol for
wireless sensor networks. In Proceedings of the
Eltoweissy, M., Heydaru, H., Morales, L., &
IEEE Symposium on Computers and Communica-
Sadborough, H. (2004, March). Combinatorial
tions, ISCC’2003 (p. 335).
optimization of key management in group com-
munications. Journal of Network and Systems Josang, A., & Ismail, R. (2002, June). The beta
Management: Special Issue on Network Security, reputation system. Paper presented at the 15th Bled
332. Electronic Commerce Conference, e-Reality: Con-
structing the e-Economy, Bled, Slovenia.
Eltoweissy, M., Moharrum, M., & Mukkamala, R.
(2006, April). Dynamic key managements in sen- Kaplantzis, S. (2004, October). Classification
sor networks. IEEE Communications Magazine, techniques for network intrusion detection (Tech.
122-130. Rep.). Monash University, ECSE.
Eschenauer, L., & Gligor, V.D. (2002). A key-man- Karlof, C., & Wagner, D. (2003). Secure routing
agement scheme for distributed sensor networks. in wireless sensor networks: Attacks and counter-
In Proceedings of the th
ACM9 Conference on measures. Ad Hoc Networks, 1(2-3), 293-315.
Computer and Communications Security (pp.
Kerins, T., Marnane, W., Popovici, E., & Barreto,
41-47). Washington D.C.: ACM Press.
P.,052August-
( September). Efficient hardware
Eskin, E., Arnold, A., Pereau, M., Portnoy, L., for the for Tate pairing calculation in charac-
& Stolfo, S. (2002). A geometric framework for teristic three. In Proceedings of Workshop on
unsupervised anomaly detection: Detecting intru- Cryptographic Hardware and Embedded Systems,
sion in unlabeled data. Data Mining for Security Edinburgh, Scotland, (pp. 412-426).
Applications. Kluwer.
Kim, D.S., Shazzad, K.M., & Park, J. S. (2006).
Ganeriwal, S., & Srivastava, M. (2004). Reputa- A framework for survivability model for wireless
tion-based framework for high integrity sensor sensor network. In Proceedings of First Interna-
networks. In Proceedings of the 2nd ACM Work- tional Conference on Availability, Reliability and
shop on Security of Ad Hoc and Sensor Networks, SecurityARES’0
( )6 .
Washington, D.C.
Loo, C.E., Ng, M.Y., Leckie, C., & Palaniswami,
Gaubatz, G., Kaps, J., & Sunar, B. (2004). Public M. (2006). Intrusion detection for sensor networks.
key cryptography in sensor networks: Revised. In International Journal of Distributed Sebsor Net-
Proceedings of 1st European Workshop on Security works.
in Ad-hoc and Sensor Networks (ESAS 2004),
Maarouf, I.K., & Naseer, A.R. (2007, May).
Heidelberg, Germany, (pp. 2-18). Springer.
WSNodeRater: An optimized reputation system
Gura, N., Patel, A., Wander, A., Eberle, H., & framework for security aware energy efficient
Shantz, S. C. (2004, April). Comparing elliptic geographic routing in WSNs. Paper presented at the
curve cryptography and RSA on 8-bit CPUs. In ACS/IEEE International Conference on Computer
Proceedings of CHES, Boston, (pp. 119-132). Systems and Applications, Amman, Jordan.
Han, J., & Kamber, M. (2001). Data mining: Malan, D. J., Welsh, M., & Smith, M.D. (2004,
Concepts and techniques. Morgan Kauffmann October). A public-key infrastructure for key
Publishers. distribution in tinyOS based on elliptic curve
cryptography. In Proceedings of IEEE SECON,
Hu, Y.C., Perrig, A., & Johnson, D. B. (2003,
Santa Clara, CA, (pp.71-80).
April). Packet leashes: A defense against wormhole
attacks in wireless networks. In Proceedings of Marouf, I.K., & Naseer, A.R. (2006, December).
IEEE INFOCOMM 2003. SNARE: Sensor node attached reputation evalua-
Routing Security in Wireless Sensor Networks
tor. Paper presented at the CONEXT ’06, LIsboa, Pottie, G., & Kaiser, W. (2000). Wireless integrated
Portugal. network sensors. Communications of the ACM,
43(5), 551-558.
Michiardi, P., & Molva, R. (2002, September).
Core: A collaborative reputation mechanism Rajasegarar, S., Leckie, C., Palaniswami, M., &
to enforce node cooperation in mobile ad hoc Bezdek, J.C. (2006, October 30-November 1).
networks. Paper presented Communication and Distributed anomaly detection in wireless sensor
Multimedia Security Conference, Portoroz, Slo- networks. In Proceedings of Tenth IEEE Interna-
venia, (pp. 26-27). tional Conference on Communications Systems
(IEEEICCS)026 , Singapore.
Mui, L., Halberstadt, A., & Mohtashemi, M. (2002,
July). Notions of reputation in multi-agents systems: Savvides, A., Han, C., & Srivastava, M. (2001,
A review. In Proceedings of First International July)Dynamic
. fine-grainedlocalizationinad-hoc
Joint Conference Autonomous Agents and Multi- networks of sensors. In Proceeding of 7th ACM
Agent Systems (pp. 280-287). MobiCom (pp. 166-179).
Mun, Y., & Shin, C. (2005, May 9-12). Secure Scott, M. (2005, February). Computing the Tate
routing in sensor networks: Security problem pairing. In Proceedings of Cryptographers’ Track
analysis and countermeasures. Paper presented at the RSA Conference, San Francisco, (pp. 293-
at the International Conference on Computational 304).
Science and Its Applications – ICCSA 2005, Sin-
Tanachaiwiwat, S., Dave, P., Bhindwale, R., &
gapore, (LNCS 3480, pp. 459-467). Heidelberg,
Helmy, A. (2004, April). Location-centric isola-
Germany: Springer Verlag.
tion of misbehavior and trust routing in energy-
Naldurg, S., Yi, R., & Kravets, R. (2001). Secu- constrained sensor networks.
rity-aware ad-hoc routing for wireless networks.
Traynor, P., Choi, H., Cao, G., Zhu, S., & La
Paper presented at the ACM Workshop on Mobile
Porta, T. F. (2004). Establishing pair-wise keys in
Ad Hoc Networks, MOBIHOC.
heterogeneous sensor networks (Networking and
Onat, I., & Miri, A. (2005, August). An intrusion Security Center, Tech. Rep. NAS-TR-0001-2004).
detection system for wireless sensor networks. Penn State University, Dept of Computer Science
Wireless and Mobile computing Networking and & Engineering.
Communications, 3, 253-259.
Wood, A., & Stankovic, J. (2002, October). Denial
Oniz, C.C., Tasci, S.E., Savas, E., Ercetin, O., of service in sensor networks. IEEE Computers,
& Levi, A. (2005). SeFER: Secure, flexible and 54-62.
efficient routing protocol for distributed sensor
Yang, C., Zhou, J., Zhang, W., & Wong, J. (2006,
networks. Paper presented at the IEEE 2005 (pp.
May 29- June 1). Pairwise key establishment for
246-255).
largescalesensornetworks:Fromidentifierbased
Perrig, A., Szewezyk, R., Wen, V., Culler, D., & to location based. In Proceedings of the first - In
Tygar, J. (2001). SPINS: Security protocols for sen- ternational Conference on Scalable Information
sor networks. In Proceedings of Mobile Networking Systems,INFOSCALE’06 , HongKong.
and Computing 2001.
Younis, M., Ghumman, K., & Eltoweissy, M.
Pirretti, M., Zhu, S., Narayanan, V., McDaniel, (2006). Location-aware combinatorial key manage-
P., Kandemir, M., & Brooks, R. (2005, October). ment for clustered sensor networks. IEEE Transac-
The sleep deprivation attack in sensor networks: tions on Parallel and Distributed Systems.
Analysis and methods of defense. Paper presented
Yu, Y., Govindan, R., & Estrin, D. (2001, May).
at the Conference on Innovations and Commercial
Geographical and energy-aware routing: A re-
Applications of Distributed Sensor Networks.
Routing Security in Wireless Sensor Networks
cursive data dissemination protocol for wireless key setup, node addition/rekeying, and node evic-
sensor networks (Tech. Rep. UCLA/CSD-TR-01- tion/key revocation.
0023). University of Southern California.
Reputation System: A type of collaborative
Zhang, Y., Liu, W., Lou, W., & Fang, Y. (2006, filteringalgorithm which attempts to determine
February). Location based compromise-tolerant ratings for a collection of entities, given a col-
security mechanisms for wireless sensor networks. lection of opinions that those entities hold about
IEEE Journal on Selected Areas in Communica- each other.
tions, 24(2).
Routing Attacks: Network layer attacks such
Zhu, S., Setia, S., & Jajodia, S. (2003). LEAP: asroutinginformationspoofing,alteration - orre
Efficient security mechanisms for large- play,scale
blackhole and selective forwarding attacks,
distributed sensor networks. In Proceedings of sinkhole attacks, Sybil attacks, wormhole attacks,
ACM CCS, 2003. HELLO ood
fl attacks, and acknowledgement
spoofing.
kEy tErMs Routing Security: Securing routing operation
from attacks in a network by deploying appropri-
DoS Attack: Any event that decreases or elimi- ate defense.
nates a network’s capacity to perform its expected
Trust: A relationship of reliance. Trust is a
function is termed as a denial-of-service attack or
prediction of reliance on an action, based on what
commonly known as DoS attack.
a node knows about the other node, in the context
Intrusion: Can be defined as a set of actions of wireless sensor networks. The notion of trust
that can lead to an unauthorized access or altera- is increasingly adopted to predict acceptance of
tion of a certain system. behaviors by others.
Key Management: A scheme to dynamically Wireless Sensor Network (WSN): A wire-
establish and maintain secure channels among less network consisting of spatially distributed
communicating nodes. In wireless sensor networks, autonomous devices using sensors to cooperatively
a key management scheme must deal with the monitor physical or environmental conditions, such
following important issues: key deployment/key as temperature, sound, vibration, pressure, motion,
predistribution, key discovery, key establishment/ or pollutants at different locations.
Chapter XXXVII
Localization Security in Wireless
Sensor Networks
Yawen Wei
Iowa State University, USA
Zhen Yu
Iowa State University, USA
Yong Guan
Iowa State University, USA
Abstract
Localization of sensor nodes is very important for many applications proposed for wireless sensor networks (WSN), such as environment monitoring, geographical routing, and target tracking. Because sensor networks may be deployed in hostile environments, localization approaches can be compromised by many malicious attacks. The adversaries can broadcast corrupted location information, jam or modify the transmitting signals between sensors to mislead them into obtaining incorrect distance measurements or nonexistent connectivity links. All these malicious attacks will leave sensors unable to estimate their locations or cause them to estimate their locations wrongly. In this chapter, we summarize the threat models and provide a comprehensive survey and taxonomy of existing secure localization and verification schemes for wireless sensor networks.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Table 1. Classification of localization approaches

Anchor-Based, Range-Based: Active Bat(c) (Harter et al., 1999); RADAR(c) (Bahl & Padmanabhan, 2000); AHLoS (Savvides, Han, & Srivastava, 2001); LMS/KF (Smith et al., 2004); SDP(c) (So & Yu, 2005)
Anchor-Based, Range-Free: Active Badge(c) (Want et al., 1992); Centroid (Bulusu et al., 2000); Cricket (Priyantha et al., 2000); Convex(c) (Doherty et al., 2001); DV-hop (Nicolescu & Nath, 2001); DV-based AoA (Nicolescu & Nath, 2003); APIT (He et al., 2003); Amorphous (Nagpal, Shrobe, & Bachrach, 2003); SeRLoc (Lazos & Poovendran, 2004)
Anchor-Free, Range-Based: MDS-MAP(c) (Shang et al., 2003)
Anchor-Free, Range-Free: MDS-MAP(c) (Shang et al., 2003); Deployment Knowledge (Fang, Du, & Ning, 2005)
counts from sensors to anchors by flooding through the sensor field, then estimates the average hop distance and translates the hop-count distances to real distances to determine sensors’ locations. Amorphous (Nagpal et al., 2003) employs a similar strategy as DV-hop but estimates the average hop distance offline. Convex (Doherty et al., 2001) utilizes a linear programming (LP) method to solve the linear equations and obtain the optimal solutions for the sensors’ locations.

Anchor-Free Range-Based Approaches

There are relatively fewer anchor-free range-based localization approaches. One is MDS-MAP (Shang et al., 2003), which is based on multidimensional scaling technique to derive the locations of all sensors. It can also work as a range-free approach when only using the connectivity information between sensors instead of the distance measurements, which may cause some degradations of the localization performance.

Anchor-Free Range-Free Approaches

MDS-MAP (Shang et al., 2003) is a centralized anchor-free range-free localization approach. Besides, Fang et al. (2005) proposed a decentralized approach, which assumed that sensors are deployed in groups and the sensors in the same group can land in different locations following a known probability distribution. With this prior deployment knowledge, a sensor utilizes the observation of the group memberships of its neighbors, and utilizes the maximum likelihood estimation method to determine its location.

Threats to Localization Approaches

Since sensor networks may be deployed in hostile environments, the localization approaches are subject to many malicious attacks. In this section, we classify and discuss the possible attacks launched to the current localization approaches.

Attackers can compromise anchors or sensors and send out false location information. They can jam the communications between sensors and replay the messages, which makes sensors wrongly estimate the time-of-flight value and obtain wrong distance measurements. They can strengthen or weaken the signal strength, which also makes the sensors obtain wrong distance measurements. Finally, the attackers can use a wired link (called wormhole) to transmit messages received from one location and broadcast at the other location, thus making sensors build nonexistent neighboring connectivity, which results in wrong estimations of the sensors’ locations.

We can classify the attackers into internal attackers and external attackers. An internal attacker can compromise a sensor, obtain its key materials, and authenticate itself to others. An external attacker cannot obtain any cryptographic secrets or authenticate itself, but it can corrupt the physical features of the communications between sensors, for example, they can corrupt the distance measurements or neighboring connectivity by jamming the communications between sensors. In Table 2, we list the threat models and the corresponding attackers that can launch the threat models. We then describe them in more details in the following subsections.

Table 2. Classification of threat models
Fake Location Wormhole Range Enlargement Range Reduction
Internal Attackers X X X
External Attackers X X X

Fake Location

Fake locations information can be generated by the internal attackers who compromise sensors and authenticate themselves as legitimate ones. The impact of this attack is twofold. First, many location-based applications such as environment monitoring and target tracking will be fooled by the wrong location of some specific events, for example, high-temperature area and location of an enemy tank. Second, other sensors’ locations will be polluted if they refer to these fake locations when localizing themselves.

Wormhole

Wormhole attack was first discussed by Hu, Perrig, and Johnson (2003). In the wormhole attack, the adversaries copy the messages heard at one location and replay them at another location.

[Figure 1: diagram with the labels s, s’, s’’, A1, A2, B, C, and R]

Figure 1 illustrates how a wormhole attack can damage a sensor’s localization. As shown in the figure, sensor s can directly hear the beacon message of anchor A1, but not of anchor A2. To attack the localization of s, an adversary establishes a wormhole between position B and C, which are near A2 and s, respectively. Then, the adversary records A2’s beacon message at position B, transmits it through the wormhole tunnel, and replays it at position C. If s determines its location only based on A2’s beacon message, it may assume it is near anchor A2 (at some location within the transmission region of A2). If it uses both messages of A1 and A2, it may either believe it is located somewhere between A1 and A2 (e.g., at location s’’) or it may not be able to determine its location at all because it is not expected to receive the beacon messages from two anchors so far away from each other.

In such a wormhole attack, the adversaries do not need to compromise any sensor or anchor to understand the meaning of the messages, they just copy and transmit the messages through the established wormhole tunnel to corrupt the localization approaches.

Range Enlargement and Reduction

The range modification attacks are detrimental to range-based localization approaches. (1) If a time-of-flight method is used to estimate distance, external attackers can jam and replay the signal or transmit it through multipaths to prolong the transmitting time (range enlargement attack). Or they can speed-up the signals to shorten the transmitting time (range reduction attack). For example, they transform the ultrasound signal into radio frequency signal whose transmitting speed is faster, and transform the signal back to ultrasound and broadcast the signals at the end point. Internal attackers can fully control the compromised sensors, thus they may hold on to the signal for a short period of time before transmitting to launch a range enlargement attack. (2) If a signal strength method is used to estimate distance, external attacker can jam and strengthen or weaken the signal before replaying it; internal attackers can directly broadcast signals with strengthened or weakened signals.
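The Figure 1 scenario above, worked as an added example (not code from the chapter): a sensor localizes with the Centroid approach from Table 1, and a replayed beacon is caught only when it breaks the rule, stated later in the chapter for SeRLoc, that two anchors heard by one sensor cannot be more than 2R apart. All coordinates, the value of R, the extra anchors A3 and A4, and the function names are constructed for illustration.

```python
import math
from itertools import combinations

R = 10.0  # communication range of anchors and sensors (constructed value)

# Constructed layout. A1 and A2 play the roles they have in Figure 1;
# A3 and A4 are hypothetical extra anchors added for this example.
ANCHORS = {
    "A1": (0.0, 0.0),
    "A2": (40.0, 0.0),   # far from s: only reachable through a wormhole
    "A3": (6.0, 8.0),
    "A4": (18.0, 0.0),   # out of range of s, but within 2R of A1 and A3
}
SENSOR_S = (5.0, 3.0)    # true position of s, which s itself does not know


def heard_directly(sensor, anchors, r=R):
    """Beacons a sensor receives over genuine radio links (distance <= r)."""
    return {n: p for n, p in anchors.items() if math.dist(sensor, p) <= r}


def with_replayed_beacon(beacons, anchors, name):
    """Beacon set after a wormhole replays anchor `name`'s beacon near s."""
    tampered = dict(beacons)
    tampered[name] = anchors[name]
    return tampered


def centroid(beacons):
    """Centroid localization: average of the heard anchors' positions."""
    n = len(beacons)
    return (sum(p[0] for p in beacons.values()) / n,
            sum(p[1] for p in beacons.values()) / n)


def range_violations(beacons, r=R):
    """Anchor pairs that one sensor cannot hear at the same time.

    If both anchors were within r of the sensor, the triangle inequality
    would bound their separation by 2r.
    """
    pairs = combinations(sorted(beacons.items()), 2)
    return [(a, b) for (a, pa), (b, pb) in pairs if math.dist(pa, pb) > 2 * r]


def localize(beacons, r=R):
    """Return (estimate, violations); refuse to estimate on a violation."""
    violations = range_violations(beacons, r)
    if violations:
        return None, violations
    return centroid(beacons), []


if __name__ == "__main__":
    honest = heard_directly(SENSOR_S, ANCHORS)
    print("honest      :", localize(honest))
    # A2's beacon tunnelled to s: the 2R check fires.
    print("replayed A2 :", localize(with_replayed_beacon(honest, ANCHORS, "A2")))
    # A4's beacon tunnelled to s: the check passes and the estimate shifts,
    # so the check is necessary but not sufficient.
    print("replayed A4 :", localize(with_replayed_beacon(honest, ANCHORS, "A4")))
```

The third case shows why the chapter's schemes add further checks such as sector uniqueness: a replayed beacon from an anchor less than 2R from the genuine ones passes this test.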
Table 3. A taxonomy of secure localization and location verification schemes

Delicate hardware required
Secure localization schemes: Packet Leashes (Hu et al., 2003)
Location verification schemes: Distance-bounding (Brands & Chaum, 1993); Claim (Sastry, Shankar, & Wagner, 2003); Verifiable Multilateration(L) (Capkun & Hubaux, 2005); Covert Base-station (Capkun, Cagalj, & Srivastava, 2006)

Sector antenna required
Secure localization schemes: Sectored antenna (Hu & Evans, 2003); SeRLoc (Lazos & Poovendran, 2004)
Location verification schemes: (none)

No special hardware required
Secure localization schemes: MMSE-Outlier (Liu, Ning, & Du, 2005); LMS-Outlier (Li, Trappe, Zhang, & Nath, 2005); COTA (Wei, Yu, & Guan, 2006)
Location verification schemes: LAD(L) (Du, Fang, & Ning, 2005); PLV (Ekici, McNair, & Al-Abri, 2006)
sage is sent from Zone j of the sender node, and i and j are not opposite to each other, we can detect that messages may be transmitted through some wormholes. Besides this basic detecting method, the authors propose a verified-neighbor-discovery protocol and a strict-neighbor-discovery protocol to detect the sophisticated wormholes. These protocols require some potential verifier nodes to help a sensor to distinguish legitimate neighbors from the wormhole ones. Thus the lack of sufficient verifier nodes will result in the loss of some legitimate connectivity links and degradation of the localization performance.

Lazos and Poovendran (2004) propose another secure localization scheme called SeRLoc that also uses sectored antennas. An anchor transmits different beacons at each antenna sector containing the anchor’s location and the angles of the antenna boundary lines. Each sensor determines its location as the center of gravity of the overlapping region of all sectors it hears. During this localization process, wormholes can be detected using two properties: the sector uniqueness property and the communication range violation property. If two sectors of a single anchor are heard, or if two anchors heard by the sensor have a mutual distance greater than 2R (R is the communication range), the sensor can detect that it is under wormhole attacks. After detecting the wormhole, the sensor broadcasts a random nonce and identifies the closest anchor, Li, by the first reply, then takes the center of gravity closest to Li as its estimated location. This technique is named attach to closer locator algorithm (ACLA). One problem of ACLA is that innocent packets may sometimes arrive later than the ones through wormholes because the communications are unreliable in reality and the messages may need to be retransmitted multiple times before the receiver can actually receive them.

Figure 2. Detect wormholes using sector antennas

Secure Localization Schemes Against All Attacks

All malicious attacks to localization including fake locations, wormholes, and range modifications have a common feature: they all provide inconsistent location references, namely, the sending sensor’s location and the measured distance between the sender and the receiver are inconsistent. Therefore, some experts suggested using statistical outlier-removing methods to filter out inconsistent references.

Liu et al. (2005) take the mean square error (MSE) as an indicator of the degree of inconsistency among location references. They propose a greedy algorithm that starts with the set of all location references, and each time considers the subsets with one fewer reference and chooses one subset with the least MSE as the input to the next round, until the MSE value drops below a reasonable threshold. This scheme can effectively enhance sensors’ attack-resistant ability, but it launches relatively high computation overheads on sensors. Another problem is that it requires benign references to be the majority among all location references, and may not work well when corrupted location references collude together and take a larger percentage (e.g., around 50%) among all references.

Instead of identifying and eliminating inconsistent references before localization, Li et al. (2005) propose a scheme that lives with these inconsistent references and estimates reasonable locations for sensors using least median of the squares (LMS) technique. LMS is one of the most commonly used robust fitting algorithms and can tolerate up to 50% outliers among the total references. Since the exact LMS solutions are computationally prohibitive, the authors adopted an efficient alternative technique (Rousseeuw & Leroy, 2003) to first get several candidate reference subsets, then choose the one with the least median squares to estimate a sensor’s location.
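The greedy MSE-based filtering that the text attributes to Liu et al. (2005), as an added example rather than the authors' code: it drops one location reference per round, keeping the subset with the least MSE, until the MSE falls below a threshold. The linearized least-squares estimator, the threshold value, the anchor coordinates, and the single corrupted reference are assumptions constructed for this illustration.

```python
import math

# Each location reference is (anchor_x, anchor_y, measured_distance).
# Constructed data: the sensor really sits at (4, 3), so every honest
# reference has distance 5. Reference 2 carries an enlarged range (12).
TRUE_POS = (4.0, 3.0)
REFS = [
    (0.0, 0.0, 5.0),
    (8.0, 0.0, 5.0),
    (4.0, 8.0, 12.0),   # corrupted reference (constructed)
    (0.0, 6.0, 5.0),
    (8.0, 6.0, 5.0),
    (4.0, -2.0, 5.0),
]
TAU = 0.01  # MSE threshold; the text only says "reasonable" (assumed value)


def least_squares_position(refs):
    """Linearized least squares: subtract the last reference's circle
    equation from the others and solve the 2x2 normal equations."""
    xn, yn, dn = refs[-1]
    s11 = s12 = s22 = t1 = t2 = 0.0
    for x, y, d in refs[:-1]:
        a1 = 2.0 * (xn - x)
        a2 = 2.0 * (yn - y)
        b = d * d - dn * dn - x * x - y * y + xn * xn + yn * yn
        s11 += a1 * a1
        s12 += a1 * a2
        s22 += a2 * a2
        t1 += a1 * b
        t2 += a2 * b
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:          # anchors collinear with the pivot: no fix
        return None
    return ((t1 * s22 - s12 * t2) / det, (s11 * t2 - s12 * t1) / det)


def mse(refs, pos):
    """Mean square difference between measured and implied distances."""
    return sum((d - math.dist(pos, (x, y))) ** 2 for x, y, d in refs) / len(refs)


def fit(refs):
    pos = least_squares_position(refs)
    if pos is None:
        return None, math.inf
    return pos, mse(refs, pos)


def greedy_filter(refs, tau=TAU, min_refs=3):
    """Return (position, mse, removed_indices) after greedy filtering."""
    kept = list(range(len(refs)))
    pos, err = fit([refs[i] for i in kept])
    while err > tau and len(kept) > min_refs:
        best = None
        for drop in kept:        # every subset with one fewer reference
            subset = [i for i in kept if i != drop]
            p, e = fit([refs[i] for i in subset])
            if best is None or e < best[2]:
                best = (subset, p, e)
        kept, pos, err = best
    removed = [i for i in range(len(refs)) if i not in kept]
    return pos, err, removed


if __name__ == "__main__":
    print("unfiltered estimate:", least_squares_position(REFS))
    print("filtered result    :", greedy_filter(REFS))
```

Each round refits once per remaining reference, which is the computation overhead the text mentions.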
Both of the above schemes try to prevent sensors from wrongly localizing themselves, however, when a sensor fails to filter out the inconsistent references, its corrupted location would “pollute” the localization of many downstream sensors and cascade through the entire sensor network. Wei, Yu, and Guan (2006) propose a scheme named COTA that uses confidence tags to identify spurious localizations of sensors. COTA consists of a tag generation process and a reference filtering process. In the tag generation phase, two methods (the statistic indicator and the geographical indicator) can be used to calculate the sensors’ confidence tags based on the positions of their neighbors, distance measurements, and the confidence tags of their neighbors. In the reference filtering phase, bad references can be filtered out by comparing their confidence tags to the absolute and relative metrics. COTA can effectively prevent the proliferation of location errors in the sensor field.

Location Verification Schemes

Although many secure localization schemes have been proposed to provide robust localization performance, they require special hardware or assume some limitations on the adversaries’ abilities, and cannot guarantee that all sensors can calculate correct location estimations. Moreover, a compromised sensor (internal attacker) can directly report corrupted locations to the base station; meanwhile it provides a correct location to its neighbors and cannot be detected. These corrupted locations can cause severe consequences to many location-based applications. For example, wrong locations of enemy force will make the surveillance center not able to locate or track the real target, and thus the location verification is a necessary second-line to defend against the adversaries. Note that some verification schemes can also be used as secure localization schemes if sensors’ locations have not been determined, and we denote them by “(L)” in Table 3.

Verification Using Special Hardware

The location verification problem was first introduced by Sastry et al. (2003), where the authors propose the echo protocol to verify if a device is inside some specific region (e.g., a room or a football stadium) to facilitate location-based access control. Their protocol is very simple in that the verifier node sends a packet containing a nonce using RF and the device echoes the packet back using ultrasound. Then by checking the packet transmission time and the processing delay, the verifier can verify if the device locates inside the circle region centered at the verifier.

If RF time-of-flight method can be used to measure distance, distance-bounding protocol (Brands & Chaum, 1993) can upper bound the measured distance from one device to another. The important assumption of this protocol is that the device can bound its XOR processing to a few nanoseconds and the verifier can measure time with nanosecond precision. Based on this distance-bounding protocol, Capkun and Hubaux (2005) propose a location verification scheme for wireless sensor networks using a verifiable multilateration (VM) technique. The rationale behind VM technique is that when a sensor claims to locate somewhere within a triangle region formed by three verifiers, then its location can be verified only when all three distances from the sensor to the verifiers are consistent with the calculated ones. The limitations of the VM technique are the requirement of delicate hardware to perform distance-bounding protocol and the requirement of dense deployment of verifiers.

Lazos, Poovendran, and Capkun (2005) propose a secure localization and verification system called ROPE, which combines the secure properties of the verifiable multilateration technique (Capkun & Hubaux, 2005) and SeRLoc (Lazos & Poovendran, 2004).

Capkun et al. (2006) propose a verification scheme using covert base stations. The covert base stations (CBS) are silent to the on-going communications and their positions are only known to the verification infrastructure. Upon receiving location messages from a sensor, several CBS cooperate (through wired links) and check if their location is consistent with the difference of time-of-arrival to each CBS. Because sensors do not know the positions of CBS, their success rate to achieve consistency through guessing is very small. A mobile base station (MBS) can also play the role of verifier, by sending a verification request from one location, moving, and waiting for the response at a different location. Therefore, at the time of performing verification, a sensor does not know the positions of the MBS.

Verification Without Special Hardware

Unlike other verification schemes that use some special hardware, Du et al. (2005) propose a scheme that verifies sensors’ locations by checking the consistency of the locations with the deployment knowledge. They assume that all sensors are deployed in groups (each group has a unique group ID) following a known probability distribution. A sensor’s location can be verified only when its neighborhood observation is consistent with that derived from the deployment knowledge. The difference between this scheme and the previous works is that in this scheme, the sensors are verified if their locations are within an anomaly degree from their true locations, rather than exactly at the true locations.

Recently, Ekici et al. (2006) proposed a probabilistic location verification (PLV) algorithm to verify sensors’ locations in densely deployed sensor networks. PLV explores the probabilistic relation between the number of hops a packet traverses to reach a destination and the Euclidean distance between source and destination. Then the verifier can determine plausibility (between 0 and 1) and create a trust level for each sensor’s location claim.

Future Trends

Although various secure mechanisms have been proposed for localization in wireless sensor networks, there is still a large space for future improvements.

First, very few works have been done to secure range-free localization approaches which deserve more research efforts. For example, in DV-hop approach, if the adversaries compromise a single node and send out a false hop count, then all downstream nodes will be influenced and estimate false hop counts from them to the anchor, resulting in a biased estimation of the average hop-distance.

Another issue is that current location verification schemes either verify if a sensor exactly locates at its claimed location, or verify if it locates within the anomaly degree of its true location. However, verification regions can be arbitrary and should be related to the specific application. For example, in a military surveillance application, the monitoring center decides to project a missile at the location reported by the sensor who detects the enemy force, thus it should determine a specific verification region in which the detecting sensor should reside to guarantee that the target can be destroyed.

Conclusion

In this chapter, we provide a taxonomy of the research efforts devoted to secure localization in wireless sensor networks. We classify them into secure localization schemes that aim to provide correct location estimations for sensors at the front-line, and location verification schemes that aim to detect abnormal locations of sensors at the second-line, that is, after sensors’ locations have been determined using any other (insecure or secure) localization approaches. We also classify the security localization mechanisms on whether they require any special hardware. Generally, localization for sensor networks becomes more robust with the availability of more advanced hardware, for example, sectored antennas, fast processing hardware, or even nanosecond-precision clocks. If there is no such special hardware, other information such as deployment knowledge is needed to detect the inconsistent information injected by adversaries.

References

Bahl, P., & Padmanabhan, V. N. (2000). RADAR: An in-building RF-based user location and tracking system. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).
Brands, S., & Chaum, D. (1993). Distance-bounding protocols. Theory and application of cryptographic techniques (pp. 344-359).

Bulusu, N., Heidemann, J., & Estrin, D. (2000). GPS-less low cost outdoor localization for very small devices. IEEE Personal Communications, 7(5), 284.

Capkun, S., Cagalj, M., & Srivastava, M. (2006). Secure localization with hidden and mobile base stations. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).

Capkun, S., & Hubaux, J. (2005). Secure positioning of wireless devices with application to sensor networks. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).

Doherty, L., Pister, K. S., & Ghaoui, L. (2001). Convex position estimation in wireless sensor networks. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).

Du, W., Fang, L., & Ning, P. (2005). LAD: Localization anomaly detection for wireless sensor networks. In Proceedings of IEEE International Parallel and Distributed Processing Symposium (IPDPS).

Ekici, E., McNair, J., & Al-Abri, D. (2006). A probabilistic approach to location verification in wireless sensor networks. In Proceedings of IEEE International Conference on Communications (ICC).

Fang, L., Du, W., & Ning, P. (2005). A beacon-less location discovery scheme for wireless sensor networks. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).

Harter, A., Hopper, A., Steggles, P., Ward, A., & Webster, P. (1999). The anatomy of a context-aware application. Paper presented at the Annual International Conference on Mobile Computing and Networking (ACM Mobicom).

He, T., Huang, C., Blum, B., Stankovic, J., & Abdelzaher, T. (2003). Range-free localization schemes in large scale sensor network. Paper presented at the Annual International Conference on Mobile Computing and Networking (ACM Mobicom).

Hu, L., & Evans, D. (2003). Using directional antennas to prevent wormhole attacks. In Proceedings of the 11th Network and Distributed System Security Symposium (pp. 131-141).

Hu, Y., Perrig, A., & Johnson, D. (2003). Packet leashes: A defense against wormhole attacks in wireless ad hoc networks. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).

Lazos, L., & Poovendran, R. (2004). SeRLoc: Secure range-independent localization for wireless sensor networks. Paper presented at the ACM Workshop on Wireless Security.

Lazos, L., Poovendran, R., & Capkun, S. (2005). Rope: Robust position estimation in wireless sensor networks. Paper presented at the ACM/IEEE Information Processing in Sensor Networks (IPSN).

Li, Z., Trappe, W., Zhang, Y., & Nath, B. (2005). Robust statistical methods for securing wireless localization in sensor networks. Paper presented at the ACM/IEEE Information Processing in Sensor Networks (IPSN).

Liu, D., Ning, P., & Du, W. (2005). Attack-resistant location estimation in sensor networks. Paper presented at the ACM/IEEE Information Processing in Sensor Networks (IPSN).

Nagpal, R., Shrobe, H., & Bachrach, J. (2003). Organizing a global coordinate system from local information on an ad hoc sensor network. Paper presented at the ACM/IEEE Information Processing in Sensor Networks (IPSN).

Nicolescu, D., & Nath, B. (2001). Ad-hoc positioning systems (APS). Paper presented at the IEEE Global Telecommunications Conference (GLOBECOM).

Nicolescu, D., & Nath, B. (2003). Ad hoc positioning system (APS) using AoA. Paper presented at the IEEE Conference on Computer Communications (INFOCOM).
Priyantha, N., Chakraborty, A., & Balakrishnan, H. (2000). The cricket location-support system. Paper presented at the Annual International Conference on Mobile Computing and Networking (ACM Mobicom).

Rousseeuw, P., & Leroy, A. (2003). Robust regression and outlier detection. John Wiley & Sons, Inc.

Sastry, N., Shankar, U., & Wagner, D. (2003). Secure verification of location claims. Paper presented at the ACM Workshop on Wireless Security (WiSe).

Savvides, A., Han, C.-C., & Srivastava, M. (2001). Dynamic fine-grained localization in ad-hoc networks of sensors. Paper presented at the Annual International Conference on Mobile Computing and Networking (ACM Mobicom).

Shang, Y., Ruml, W., Zhang, Y., & Fromherz, M. (2003). Localization from mere connectivity. Paper presented at The ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc).

Smith, A., Balakrishnan, H., Goraczko, M., & Priyantha, N. (2004). Tracking moving devices with the Cricket location system. Paper presented at the International Conference on Mobile Systems, Applications, and Services (MobiSys).

So, A., & Yu, Y. (2005). Theory of semidefinite programming for sensor network localization. Paper presented at the ACM-SIAM Symposium on Discrete Algorithms (SODA).

Want, R., Hopper, A., Falcao, V., & Gibbons, J. (1992). The active badge location system. ACM Transactions on Information Systems, 10(1), 91-102.

Wei, Y., Yu, Z., & Guan, Y. (2006). COTA: A robust multi-hop localization scheme in wireless sensor networks. In Proceedings of IEEE/ACM International Conference on Distributed Computing in Sensor Systems (DCOSS).

Key Terms

Anchors: Anchors are special sensors that know their locations before localization through a GPS device equipped on them or through manual configurations.

Localization: Localization in wireless sensor networks is the process that all sensors obtain their relative or absolute locations, by themselves or by network computing center.

Location Verification: Location verification in wireless sensor networks is the process that correctly estimated locations of sensors can be verified and corrupted locations can be detected.

Range-Based/Range-Free: A localization approach is range-based (or range-free) if it does (or does not) use the measured distance between sensors to estimate their locations.

Secure Localization: Secure localization in wireless sensor networks is the process that sensors can obtain their locations in the presence of malicious attacks.

Wireless Sensor Network (WSN): A wireless sensor network (WSN) is a wireless network consisting of autonomous devices that cooperatively monitor environmental conditions, such as temperature, sound, pollutants, and so forth.

Wormholes: Wormholes in wireless sensor networks are nonexisting communication tunnels (usually wired links) created by adversaries. The messages received at one end of a wormhole can be transmitted through the tunnel, and broadcasted at the other end.
Chapter XXXVIII
Resilience Against False Data
Injection Attack in Wireless
Sensor Networks
Miao Ma
The Hong Kong University of Science and Technology, Hong Kong
Abstract
One of the severe security threats in wireless sensor network is false data injection attack, that is, the
compromised sensors forge the events that do not occur. To defend against false data injection attack,
six en-route filtering schemes in a homogeneous sensor network are described. Furthermore, a sink
filtering scheme in a heterogeneous sensor network is also presented. We find that deploying heterogeneous
nodes in a sensor network is an attractive approach because of its potential to increase network
lifetime, reliability, and resiliency.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
stored in the compromised nodes, and misuse them to launch insider attacks. Therefore, a nonresilient security protection scheme will exhibit a threshold breakdown problem. That is, the design is secure against t or less compromised nodes, but once more than t nodes are compromised the security design completely breaks down, where t is a fixed threshold. Since in reality nobody can prevent an attacker from compromising more than t nodes, such a security protection solution cannot meet the resilience requirement. Our expectation in terms of resilience is that, compromising t nodes in a certain area can only enable an adversary to forge nonexisting events in that specific area, rather than any other location at all. Put in other words, for an attacker, the only way to generate a valid report on a nonexisting event happening in a certain area is to compromise t nodes in that area.

In this chapter, we overview several schemes that have been proposed to defend against compromised nodes. We will show that several schemes are only resilient against a small, fixed number of compromised nodes with threshold breakdown problems, while subsequent schemes partially and completely solve the threshold breakdown problems.

The rest of this chapter is organized as follows. In the next section, we introduce the background. Several en-route filtering schemes in a homogeneous sensor network are presented. Furthermore, a sink filtering scheme in a heterogeneous sensor network is shown. Finally, the last section concludes the chapter.

Background

False Data Injection Attacks

We consider a sensor network, which consists of hundreds or thousands of low-cost sensors. Each sensor senses and collects data from the environment. There is at least one base station (or sink), which is typically a resource-abundant computer equipped with sufficient computation and storage capabilities. We assume that the sensor nodes are deployed in a high density, so that once an event happens it can be detected by multiple sensors. However, it is inefficient and also unnecessary for every sensor node to report their raw data to the sink node, because: (1) every data packet usually needs to travel many hops (e.g., tens or even longer) to reach the sink; (2) each sensor node is often constrained by scarce resources in memory, computation, communication, and battery; and (3) in many cases there is high redundancy in the raw data. Hence, raw data are often fused and aggregated locally, and only the aggregated information is returned to the sink. In such a setting, certain nodes in the sensor network will function as cluster heads (CHs), to collect the raw sensing data from the sensors, process it locally, and return the aggregation report to the sink. Once the sink receives an event report, it may take action accordingly.

Unfortunately, the above event detection and reporting process can be seriously threatened by false data injection attacks. As we stated above, sensors are usually deployed in unattended or even hostile environments, and an adversary may capture or compromise sensor nodes. Once this happens, the compromised nodes can easily inject false data reports of nonexisting events. Even worse, when an adversary compromises more nodes and combines all the obtained secret keys, the adversary can freely forge the event reports which not only "happen" at the locations where the nodes are compromised, but also at arbitrary locations in the field. These fabricated reports not only produce false alarms (and lead to false positives), but also waste valuable network resources, such as energy and bandwidth, when delivering the forged reports to the base station. Therefore, it is important to design an effective filtering scheme to defend against such attacks and minimize their impacts.

In this chapter, we consider the following threat model. The attacker may compromise multiple sensor nodes in the network, but cannot compromise the sink. Once a sensor node is compromised, the attacker can obtain all secret keys, data, and codes stored in the sensor. Whenever more nodes are compromised, the attacker can combine all the secret keys that it has obtained, and can also load a compromised node with the secret keys obtained
from other compromised nodes. We also assume that the attacker cannot successfully compromise a node during the short deployment phase.

Besides report fabrication attack, there are various other attacks in wireless sensor networks. For example, a compromised node may simply not report an event that occurs (which leads to false negative), or a compromised node replays a legitimate report, and so forth. However, these threats are addressed in other related work and not the focus of this chapter. Instead, in this chapter we overview several schemes that have been proposed to reduce false positives, that is, prevent an attacker from fabricating reports about events that do not occur. Two main design goals of these schemes are summarized as follows:

1. Resilience against a large number of compromised nodes: A good protection scheme is expected to degrade gracefully as the number of compromised sensors increases, without the threshold breakdown problem.
2. Adaptive to dynamic topology: The scheme can deal with dynamic topology of sensor networks and is scalable for large-scale sensor networks.

En-Route Filtering Framework

Statistical en-route filtering mechanism (SEF) (Ye, Luo, Lu, & Zhang, 2004) is the first effort that addresses false data injection attacks in the presence of compromised sensors, where an en-route filtering framework was originally proposed. The en-route filtering framework has three components: report generation using message authentication codes (MACs), en-route filtering, and sink verification.

Report Generation Using MACs

To generate a valid report, multiple (say m, where m > 1) nodes detect the event simultaneously and agree on the content of the event report. To be forwarded by intermediate nodes and accepted by the sink, each valid report must carry m MACs; each MAC is generated by the sensing node that detects the event. Each sensor stores a few symmetric secret keys, and the MAC is generated by using one of the secret keys.

En-Route Filtering

By using a suitable key assignment scheme, any intermediate node is able to verify the report with certain probability or deterministically. Whenever an intermediate node receives a report, it first checks whether the report carries m distinct MACs; it then checks whether it stores the same key as a sensing node. If yes, it checks whether the carried MAC is the same as the MAC it computes via its locally stored key. It drops the report when any of these checks fails. Otherwise (i.e., it does not have any of the keys or the MACs are correct), it forwards the reports as usual. Notice that though the filtering power of any single node is limited, the collective filtering power along the forwarding path is significant. The more hops a forged report travels, the higher chance it is dropped en-route.

Sink Verification

The en-route filtering performed by the intermediate nodes may be probabilistic in nature, thus cannot guarantee to detect and drop all forged reports. The sink serves as the final guard in rejecting any escaping ones. Because the sink knows all the keys, it can verify each MAC carried in a report. On the basis of the number of correct MACs each report carries, the sink decides whether to accept the event or not.

Besides the SEF scheme, five more designs including interleaved hop-by-hop authentication (IHA) (Zhu, Setia, Jajodia, & Ning, 2004), commutative cipher-based en-route filtering (CCEF) (Yang & Lu, 2004), location-based resilient security (LBRS) (Yang, Ye, Yuan, Lu, & Arbaugh, 2005), location-aware end-to-end data security (LEDS) (Ren, Lou, & Zhang, 2006), and dynamic en-route filtering (DEF) (Yu & Guan, 2006) are all specific instances within the above framework. Based on the above framework, these five proposals have adopted different key management schemes, which immediately lead to different resilience behavior of their designs. We will describe their methodologies in details in the subsequent sections.
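The three components described above (report generation with m MACs, en-route filtering, and sink verification) can be traced in a short simulation. This is an added example, not code from the chapter or from SEF; the key pool, the 8-byte truncated HMAC-SHA256, the key indices carried next to each MAC, and the sink's rule of accepting only when all m MACs are correct are assumptions.

```python
import hashlib
import hmac

M = 3  # the chapter's m: number of distinct MACs a valid report must carry

# Constructed demo key pool (assumption): key index -> symmetric key.
# Each sensor stores a few of these; the sink knows all of them.
KEY_POOL = {i: hashlib.sha256(b"demo-key-%d" % i).digest() for i in range(10)}


def pick(*indices):
    """Keys stored on one node (or on one group of detecting nodes)."""
    return {i: KEY_POOL[i] for i in indices}


def mac(key, event):
    """8-byte truncated HMAC-SHA256 over the agreed event content."""
    return hmac.new(key, event, hashlib.sha256).digest()[:8]


def make_report(event, endorsing_keys):
    """Report generation: every detecting node contributes one MAC."""
    return {"event": event,
            "macs": [(i, mac(k, event)) for i, k in endorsing_keys.items()]}


def forge_report(event, stolen_keys, claimed_indices):
    """Model of the threat: only MACs under stolen keys can be computed."""
    filler = b"\x00" * 8  # stands in for a MAC the attacker cannot produce
    return {"event": event,
            "macs": [(i, mac(stolen_keys[i], event) if i in stolen_keys else filler)
                     for i in claimed_indices]}


def en_route_check(report, node_keys):
    """Intermediate node: True = forward, False = drop."""
    indices = [i for i, _ in report["macs"]]
    if len(indices) != M or len(set(indices)) != M:
        return False  # the report does not carry m distinct MACs
    for i, tag in report["macs"]:
        if i in node_keys:  # this node shares a key with a sensing node
            expected = mac(node_keys[i], report["event"])
            if not hmac.compare_digest(tag, expected):
                return False  # carried MAC differs from the recomputed one
    return True  # no shared key, or every MAC it could check was correct


def sink_verify(report, required=M):
    """Sink: knows all keys, counts correct MACs (one per index), then decides."""
    correct = sum(1 for i, tag in dict(report["macs"]).items()
                  if i in KEY_POOL
                  and hmac.compare_digest(tag, mac(KEY_POOL[i], report["event"])))
    return correct >= required


def deliver(report, path):
    """Forward a report hop by hop; path is a list of per-node key sets."""
    for hop, node_keys in enumerate(path):
        if not en_route_check(report, node_keys):
            return "dropped at hop %d" % hop
    return "accepted by sink" if sink_verify(report) else "rejected by sink"


PATH_A = [pick(2), pick(4), pick(9)]  # second hop shares key 4 with the report
PATH_B = [pick(2), pick(6), pick(9)]  # no hop shares a key with the report


def demo():
    legit = make_report(b"event in cell (3,5)", pick(1, 4, 7))
    forged = forge_report(b"nonexistent event", pick(1), [1, 4, 7])
    return [deliver(legit, PATH_A),    # every check passes
            deliver(forged, PATH_A),   # caught en route by the key-4 holder
            deliver(forged, PATH_B)]   # passes every hop, sink counts 1 of 3


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The forged report carries one genuine MAC from a single compromised node, so whether it is dropped en route depends on which keys the forwarding nodes happen to hold, while the sink rejects it on either path.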
to the desired cluster head and a witness key in plain-text to all forwarding nodes along the path, through a query message. A legitimate report is endorsed by a node MAC jointly generated by the detecting nodes using their node keys, and a session MAC generated by the source node using the session key. Through the usage of a commutative cipher, a forwarding node can use the witness key to verify the session MAC, without knowing the session key, and drop the fabricated reports. The base station further verifies the node MAC in the report that it receives, and refreshes the session key upon detection of compromised nodes.

Features

verify events claimed to happen in those cells. Each legitimate report carries m distinct MACs, jointly generated by the detecting nodes using the keys bound to the event's cell. When an intermediate node receives a report, it retrieves the event's location from the report and checks whether the location is in one of its verifiable cells. If so, it checks whether it has one of the keys whose indices are carried in the report. If it has such a key, it recomputes the MAC and compares it to the carried one. If the two MACs do not match, the report is dropped. Otherwise, it forwards the report. The sink performs final verification on the received reports. It knows all location-binding keys, and is thus able to verify every MAC in the report.
report it has agreed. A CH collects raw sensing data from basic sensors, generates an aggregation report, and relays the report to the sink node. A sink node checks the validity of the carried MACs in an aggregation report and filters out the forged report.

Methodology

breakdown problem. Second, SFS is adaptive to the dynamic topology. Third, compared with all the schemes in homogeneous sensor networks, SFS in heterogeneous sensor networks is more efficient and scalable. Interested readers may refer to works by Ma (2006a, 2006b) for more details on resiliency study and overhead evaluation.
Yang, H., Ye, F., Yuan, Y., Lu, S., & Arbaugh, W. (2005). Toward resilient security in wireless sensor networks. Paper presented at the ACM MobiHoc (pp. 34-45).

Ye, F., Luo, H., Lu, S., & Zhang, L. (2004). Statistical en-route filtering of injected false data in sensor networks. Paper presented at the IEEE INFOCOM.

Yu, Z., & Guan, Y. (2006). A dynamic en-route scheme for filtering false data injection in wireless sensor networks. Paper presented at the IEEE INFOCOM.

Zhu, S., Setia, S., & Jajodia, S. (2003). LEAP: Efficient security mechanisms for large-scale distributed sensor networks. Paper presented at the ACM CCS.

Zhu, S., Setia, S., Jajodia, S., & Ning, P. (2004). An interleaved hop-by-hop authentication scheme for filtering of injected false data in sensor networks. Paper presented at the IEEE Symposium on Security and Privacy (S&P).

Key Terms

Compromised Nodes: Nodes on which an attacker has gained control after network deployment.

False Data Injection Attack: The type of attack when the compromised sensors forge the events that do not occur.

Key Management: The process of managing key materials (e.g., key generation, key distribution, etc.) in a cryptosystem.

Message Authentication Code (MAC): It is a short piece of information used to authenticate a message.

Threshold Breakdown Problem: We say a security design has threshold breakdown problem if the design is secure against t or less compromised nodes, but once more than t nodes are compromised the security design completely breaks down, where t is a fixed threshold.

Wireless Sensor Network (WSN): The wireless networks consisting of small sensors that cooperatively monitor environmental conditions, such as temperature, humidity, and so forth.
Chapter XXXIX
Survivability of Sensors with Key
and Trust Management
Jean-Marc Seigneur
University of Geneva, Switzerland
Luminita Moraru
University of Geneva, Switzerland
Olivier Powell
University of Patras, Greece
Abstract
Weiser (19) envisioned ubiquitous computing with computing and communicating entities woven into
the fabrics of every day life. This chapter deals with the survivability of ambient resource-constrained
wireless computing nodes, from fixed sensor network nodes to small devices carried ou
entities, for example, as part of a personal area network of a moving person. First, we review the assets
that need to be protected, especially the energy of these unplugged devices. There are also a number of
specific attacks that are described, for example, direct physical attacks are facilitat
ing security perimeter. Finally, we survey the protection mechanisms that have been proposed with an
emphasis on cryptographic keying material and trust management.
with enough energy for long term functioning because it is assumed that they are unplugged from the main electrical power supply and can rarely recharge themselves by this means. Any action carried out by these entities depletes their energy. In addition to being resource-constrained in terms of energy, these entities are resource-constrained in terms of memory and processing, which limit what they can do, especially when these entities are small, such as the sensors deployed in sensors networks.

Usually, sensors are performing two important types of actions or tasks: they have to sense the environment and to send information to a specific target entity, sometimes called sink. For example, the sink may be an Internet gateway that will propagate the information for persistent storage and analysis. Security problems exist both when messages are generated and when they are relayed. Working most of the time in an unattended environment without tamper-proof hardware makes the sensors very vulnerable to attacks.

Generally, mobile ad hoc networks (MANETs) are thought to be composed of nodes bigger than the sensors of sensors networks. Also, whereas sensors are considered (after their deployment) rather fixed concerning their location, MANETs imply that the nodes move. If we assume that the MANET nodes are also unplugged from the main power supply, the nodes have also limited energy. Another difference between sensors and MANET nodes is that instead of just having to sense and forward simple information, MANET nodes are expected to run much more complicated operations that surely require more energy than simple tasks. In this chapter, we consider all ad hoc networks where the wireless nodes are resource-constrained, especially in terms of energy. Thus, as introduced above, the nodes may go from the tiny fixed deployed sensor to the mobile unplugged mobile device.

In this chapter, we first survey the different assets of these entities and then delve into specific attacks on these assets. We present further two main protection mechanisms: cryptographic keying material and evidence-based trust management. Finally, we discuss future trends and draw our conclusion.

Background Aspects of Nodes Survivability

In this section, we first discuss what we mean by nodes survivability, their assets, and especially their energy. Then, we focus on the routing asset, which is an important asset that enables the nodes to communicate beyond their own wireless communication range. It shows that the routing has been initially engineered without attackers in mind, which is also the case for most of the other enabling mechanisms and assets. However, there are a number of attacks that can be carried out on these assets. We survey them at the end of the section.

Node(s) Survivability

First, it is important to note we use the plural in the heading of this section, nodes survivability, because it emphasises that the scope of the node's mission may span more than one node. On one hand, it may be a scenario where the survivability of the node itself is more important than the survivability of the other nodes. For example, a user who carries a mobile phone in the mountains may be selfish and would not bother forwarding the messages of other users as they are met on the way to the top of the mountain. The forwarding of a message from another user would deplete the energy of the mobile phone and endanger the survivability of the device and its mission lifetime. On the other hand, the mission may be that the majority of the nodes survive at the expense of the survival of one specific node. It is usually the case in sensors networks where the goal is to sense and monitor a region thanks to the collaboration of many nodes. If a part of the monitored region is quite active, it is possible that the nodes in this active region take over the work of another node, for example, to forward the sensed information in order to maximise the lifetime of the monitoring of the whole region. That type of scenario requires that there is some sort of control on the nodes; an authority is needed to guarantee that the nodes will collaborate and follow the rules. For example, in a military environment, the nodes that are deployed
scattered to a target area. Sensor networks are often dense networks. Not all the nodes are necessary to accomplish a specific request. One method to save energy is to put nodes to sleep in a manner that does not interfere with the functionality of the network. In a sensor network the lifetime of the network is more important than each sensor. Thus, the protocols developed for sensor networks consider the optimisation of network lifetime. The topology of the network may be dynamic. Nodes may become temporarily inactive to save their energy or they drain out of battery. At the same time, new nodes may be deployed in the same area. Energy is limited in the network. However, the nodes may have to repeatedly communicate with a base station on a hop-by-hop basis. To minimise the energy spent in the network, energy-preserving secure routing protocols (surveyed in the following subsection) have been developed. The communication patterns are concerned with balancing energy consumption and preserving network lifetime and purpose. Usually, the whole region needs to be covered by the nodes. The purpose of the network requires that the sensing coverage works for all localisations. At any location, the nodes should be able to send the collected data to the base station. Energy saving should not deteriorate the connectivity and the coverage of the network. An energy optimisation scheme should also maintain the initial coverage. Energy efficient schemes group sensors in different sets that are alternatively active (Cardei, 2005; Ramchurn, Jennings, Sierra, & Godo, 2004).

Another solution is to enforce clustering algorithms (Handy, 1995). An example of energy at the nodes level occurs with cluster-based sensors network topology. In this case, energy efficient routing protocols use hierarchical structures like clusters among the nodes forming the network. The nodes in the cluster only communicate with the cluster head. The cluster head is the only one to communicate with the other cluster heads and provides aggregation of data for the nodes forming the cluster.

The nodes that are not cluster head may receive the information later. The responsiveness of the node, concerning computation and communication, is also important. In addition to consuming more energy, the use of security mechanisms may also require more storage space, for example, for the keying material, and may slow down the processes due to the additional security steps, such as, encryption, decryption, and signatures.

Besides the above special assets, there are also more basic security assets, namely, the confidentiality/privacy, integrity, and availability properties of each node and their messages. When these basic assets are compromised, the other assets may be more easily compromised.

The list below summarises the different assets that we have discussed in this section:

• Node-level assets:
  ° Node mission lifetime:
    - Node energy
      • Harvesting source
      • States and actions management
    - Node tamper-proof and tamper-evidence
  ° Node localisation
  ° Node mobility (in case of non-fixed settings)
  ° Node computing performance
  ° Node neighbours presence in interdependent settings
  ° Node communication:
    - Ability
      • Reception
      • Transmission
      • Coverage range
    - Confidentiality
    - Integrity
    - Speed
• Network of nodes-level assets:
  ° Network mission lifetime
  ° Deployment of new nodes
  ° Nodes participation and trustworthiness
  ° Network connectivity, performance and coverage

The Routing Asset Case-Study

The nodes can use their wireless link to directly communicate with the other nodes in range. Sometimes the nodes can increase their transmission
energy to reach farther nodes. However, as said above, communication tasks use a lot of energy; for example, if we assume Friis' (1946) free-space attenuation, the energy needed for wireless transmission over a distance d is proportional to d square. Thus, the nodes may save energy by using other closer nodes to forward their message to farther nodes. In addition, if the nodes cannot increase their transmission energy to reach a specific far-away node, the only remaining solution is to use intermediate nodes to forward the message. It is why routing algorithms have been researched. In this subsection, we survey the most well-known protocols that allow the nodes to exchange messages. We start by the MANET protocols and then the protocols said to be specific to sensor networks, which are explicitly energy-aware.

MANET Routing Protocols

Maltz (2001) depicts the history of MANETs. The first significant project towards MANETs is called the DARPA-sponsored military packet radio network (PRNET) in 1972. Now, MANETs seem to be used on battlefields. The goal of researchers, like Maltz, was to outperform the performance of the military protocols. They reached efficient and good performance for routing in MANETs with ad hoc on-demand distance vector routing (AODV) (Perkins & Royer, 1999) or dynamic source routing (DSR) (Maltz, 2001).

Both AODV and DSR are reactive routing protocols because they compute the route between two nodes only when the route is needed, that is, 'on demand.' In doing so, there are far fewer tasks to be carried out because all the routes do not have to be maintained all the time. It is very important from an energy point-of-view in mobile settings where the nodes come and go very quickly and where the routing information would need to be updated very often. However, neither AODV nor DSR integrate further specific mechanisms to minimise the energy consumption along the route.

Another limitation comes from the fact that Maltz and colleagues designed their protocols with the same assumption as for military MANETs. In military MANETs, it is often assumed that the deployed nodes are controlled; it is a controlled environment where it is understandably supposed that nodes are not free to do whatever they can do. In open MANETs, where any user's node can come and go depending on the user's will, the nodes might not follow the rules and they challenge the correct functioning of these routing protocols. Thus, the researchers had to revise their protocol approach (not to say restart from scratch) because all was working well under the assumption that the nodes do collaborate, but in open MANETs, where nodes are owned by free people, assuming that everyone collaborates is simply not realistic. In 2001, the conclusion was that security in MANETs is particularly difficult due to their specificities (Hubaux, Buttyán, & Capkun, 2001): vulnerability of channels and nodes (i.e., less physical security); resource-constrained nodes; high probability of absence of infrastructure; and dynamically changing topologies and high uncertainty. An interesting issue is the question of collaboration, which is vital for some MANETs to stay up: the nodes are neither dependent nor independent but interdependent. If too many nodes are too selfish, the overall availability is endangered (Miranda & Rodrigues, 2003).

Sensors Network Protocols

As mentioned above, in sensors networks, the deployed nodes are usually supposed to collaborate. However, due to their small size and the assumption that they can never be recharged, the MANET protocols are not sufficient to optimise the use of the energy of the nodes. This is why other researchers have researched new routing protocols with an emphasis on energy consumption optimisation. Energy-aware routing protocols explicitly take into account the energy consumption as a parameter. This subsection surveys seven of these new protocols that use one or several of these following energy saving basic techniques:

• Keeping short range transmissions
• Aggregating data
• Building efficient paths
• Switching between sleep/awake states
• Efficiently controlling multi-paths

During the set-up phase of the minimum cost forwarding algorithm (MCFA) (Ye, Chen, Liu, & Zhang, 2001), each node initiates its least cost to the sink estimated to be at an infinite distance. The sink broadcasts to its neighbours a setup message. Each of the neighbours computes and updates its least cost estimate to the sink and eventually broadcasts further to its own neighbours. When receiving a broadcast message, a node computes its new least-cost estimate. If it is lower than the current least cost estimate, the node updates it and broadcasts its new estimated least cost to its neighbours, and so on and so forth. In order to avoid collision as well as duplication of unnecessary message, that is, in order to optimise the flooding involved, MCFA introduces a back-off mechanism which is basically a timeout before propagating the updated values of the estimated least cost. During the propagation phase, when a node needs to send a message to the sink, it broadcasts to its neighbours. When a node receives a message, it checks if it is on the least cost path, and if so, propagates the message further. Otherwise it just drops the message.

Gradient-based routing (GBR) (Schurgers & Srivastava, 2001) is somehow similar to MCFA. It proposes to slide messages along a gradient towards the sink. GBR is a general scheme; it proposes a few gradients but it is open to other possible gradients. The gradient can be computed similarly as in MCFA, that is, using the back-off mechanism. If one wants to introduce the hop-count in the gradient, the hop-count is included in the gradient formula.

MIX (Powell, Jarry, Leone, & Rolim, 2006) is a variant of GBR that allows the node to eject a message directly to the sink in case of high remaining energy on the current node compared to the energy remaining on its neighbours. In MIX, a sensor can choose to eject a message when all its short-range neighbours have lower energy than itself. To eject means that the sensor increases the power of transmission to be able to reach the base station in one transmission. As said above, the energy spent increases a lot, nonlinearly, with the distance. The ejection feature of MIX can be seen as a dynamic clustering technique: the ejecting nodes are cluster heads and the cluster members are nodes which propagate towards the ejectors. The cluster heads (and thus the clusters) are automatically updated by the distributed algorithm.

The low-energy adaptive clustering hierarchy (LEACH) (Handy, 1995) is a more well-known distributed randomised cluster formation algorithm. Many more complicated and optimised algorithms that exist in the literature have been inspired by LEACH. LEACH is based on partitioning the network into clusters. It features two distinct phases:

1. Cluster formation: Cluster heads are self-elected according to a very simple random rule: each node decides to become a cluster head with probability p, where p depends on a threshold value. This threshold function is dependent of parameters such as the remaining energy, the time elapsed since the network started, and the number of times it has been a cluster head before. Thus, energy balancing is possible through the fine-tuning of the parameters. Once self-elected, the cluster heads advertise themselves to noncluster heads by broadcasting an announcement message. Noncluster head nodes then decide to which cluster they will attach themselves. Basically, they attach themselves to the closest cluster head, although closest could have different meanings. Once the cluster head is aware of all of its cluster members, it computes a time division multiple access (TDMA) scheme and assigns a time slot to each of the members of the cluster. The cluster members are only allowed to transmit data to the cluster head during the time slot that they have been assigned to. Hence, no message collision occurs.
2. Data propagation phase (once the clusters have been formed): Data are sent by the cluster members directly to their cluster head. The cluster head then aggregates the data before sending them directly to the sink. Other protocols inspired by LEACH propose to run a more sophisticated algorithm than
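
The MCFA set-up and propagation phases described above, simulated on a small topology as an added example (not code from the chapter or from Ye et al.). The topology, the link costs and the choice of a back-off equal to the link cost are assumptions made for the illustration.

```python
import heapq

# Constructed topology: undirected links with their forwarding cost.
LINKS = {("S", "A"): 1, ("S", "B"): 4, ("A", "B"): 1, ("A", "C"): 5,
         ("B", "C"): 1, ("B", "D"): 5, ("C", "D"): 1}


def neighbours(links):
    """Turn the link list into {node: {neighbour: link cost}}."""
    table = {}
    for (u, v), cost in links.items():
        table.setdefault(u, {})[v] = cost
        table.setdefault(v, {})[u] = cost
    return table


def setup_phase(links, sink, backoff=True):
    """Flood least-cost estimates from the sink; return (cost table, broadcasts sent)."""
    nbrs = neighbours(links)
    cost = {node: float("inf") for node in nbrs}  # every node starts at "infinity"
    cost[sink] = 0
    events = [(0, 0, sink, 0)]  # (fire time, sequence, node, advertised cost)
    seq = broadcasts = 0
    while events:
        now, _, node, advertised = heapq.heappop(events)
        if backoff and advertised != cost[node]:
            continue  # a better estimate arrived during the back-off: stale timer
        broadcasts += 1
        for nb, link in nbrs[node].items():
            estimate = advertised + link
            if estimate < cost[nb]:
                cost[nb] = estimate
                seq += 1
                # Back-off: defer in proportion to the link cost, so that cheaper
                # paths are heard first. Without it the update is rebroadcast at
                # once (time stays 0, the sequence number gives FIFO order).
                fire = now + link if backoff else 0
                heapq.heappush(events, (fire, seq, nb, estimate))
    return cost, broadcasts


def propagation_phase(links, cost, source):
    """Return the nodes that relay a message from source, ending with the sink."""
    nbrs = neighbours(links)
    budget = cost[source]  # the source's least cost, carried in the message
    relays, frontier = [], [(source, 0)]
    while frontier:
        node, consumed = frontier.pop(0)
        for nb, link in nbrs[node].items():
            # A receiver is on a least-cost path only if the cost consumed so
            # far plus its own least cost equals the budget; otherwise it drops.
            if consumed + link + cost[nb] == budget and nb not in relays:
                relays.append(nb)
                frontier.append((nb, consumed + link))
    return relays


if __name__ == "__main__":
    table, sent = setup_phase(LINKS, "S", backoff=True)
    _, sent_naive = setup_phase(LINKS, "S", backoff=False)
    print("least costs:", table)
    print("broadcasts with back-off:", sent, "without:", sent_naive)
    print("relays for a message from D:", propagation_phase(LINKS, table, "D"))
```

Both phases take every advertised cost on faith, which is the cooperation assumption the chapter questions for open networks.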
with any nodes. We consider the cost of a physical attack as low because the nodes are assumed to not have significant tamper resistance due to the cost of such protection for devices that are supposed to be affordable for large scale deployment (Pirretti, Zhu, Narayanan, McDaniel, Kandemir, & Brooks, 2005). In a node capture/tampering attack, an adversary has physical access to the node. Current security solutions are evaluated by taking into account the resistance of the network to nodes capture, that is, the number of nodes needed to be captured in order to corrupt the entire network. Time is the factor used to evaluate the attacks that are in progress.

Another type of attack may especially target the energy asset. That form of attack is usually called the energy starvation attack. For example, Martin, Hsiao, Ha, and Krishnaswami (2004) depict a denial-of-service attack targeting battery powered devices. Its purpose is to drain out the battery of the device, for example, by obliging the nodes to consume more energy than necessary. In the case of mobile computing devices, the attack leads to an inoperable device. It may only be temporary for a mobile device but it is usually not the case in sensors networks where the nodes cannot be recharged. In addition, the inoperability of several sensors can disrupt the functionality of an entire network region. An energy starvation attack may prevent the device from entering into its low power state, thus increasing the time while the device is active. This attack can be carried out in the case of the use of energy saving schemes. As said above, an energy saving scheme schedules for each node an awake/sleeping cycle. In a sleep deprivation attack a node is forced to remain in the awake state. We start by two types of energy starvation attacks. The first type is the sleep deprivation attack that targets the communication subsystem and prevents the sleep state. The second type called the barrage attack is enforced by demanding energy intensive operations. A node receives successive task requests.

Another possibility of increasing the energy consumption is to increase the energy needed for executing a task. The measure of the success of the attack may be the increase in overall energy consumption. The attack may be detected by the owner because the battery is expected to have a certain lifetime. Ultimately, the measure of this attack may be the ratio between the real and the expected lifetime of the battery. It has been reported that for mobile devices the ratio may be from one to two orders of magnitude (Pirretti et al., 2005). Martin et al. (2004) identify three types of sleep deprivation attacks on mobile devices. In a service request power attack, a device must repeatedly execute a network service on a remote entity. Even if the service is not available, the process of authentication consumes time and energy. Another type of power attack may be to request the devices to repeatedly execute an energy-hungry task. On mobile devices, power attacks may be detected by scanning software that compares the current energy consumption to normal energy consumption. On small sensors, it may be infeasible to run such scanning software. Other solutions analyse the energy consumption pattern because power attacks modify the energy consumption signature of the applications. Another solution may be to define and impose an energy limit for an application or a task.

The nodes executing important tasks, like cluster heads, are perfect targets to initiate stronger attacks over the other nodes in the cluster. These attacks are prevented by preventing the misbehaving nodes from becoming a cluster head. The solution evaluated by Pirretti et al. (2005) as the best to prevent this type of attack is a hash-based cluster head selection. The cluster head does not decide itself to be the next cluster head, but it is selected by random vote by the neighbours. This attack can be categorised as topologically-inspired attack (Seigneur, 2005), where the knowledge of the topology of the network of nodes is used to carry out more harmful attacks. This knowledge can be extracted by standard attacks that are also possible in our settings.

The messages sent by the nodes can be captured and read by attackers, which constitutes a confidentiality attack. A confidentiality attack may also be carried out to infer message provenance, route analysis, and activity monitoring. In some sensors network scenarios, it is crucial that the location of
the nodes that sensed the information is not known. For example, sensors networks have been deployed to monitor the location of pandas in their natural habitat (Ozturk, Zhang, & Trappe, 2004). Due to the presence of hunters, source-location privacy is crucial. If we extend the scenario to the location of people, we can really talk of source-location privacy attacks. The network topology can be inferred from this information. More knowledge can help the attacker to carry out more harmful attacks targeting specific active/low-energy zones or traffic control. Among the other standard attacks, there are also the attacks that target the integrity of the messages as well as of the traffic or specific zones. The messages may be changed, replayed, delayed, or even destroyed.

As said above, the routing protocols work well when all nodes cooperate. However, in real settings, the cooperation assumption may not be valid. If the nodes are small, low-power devices, they are limited in energy and may be motivated to have a selfish, noncooperative behaviour when it comes to relaying the messages from other nodes. They can save power by not forwarding the messages received from the neighbours. Furthermore, selfishness is not the only misbehaviour that has to be addressed. An attacker can compromise nodes and then prevent packets from reaching their destination. For example, in MIX, a few neighbour nodes may lie about their current energy level to avoid having to forward messages, or worse, they may not forward messages when asked to do so. In the latter case, these misbehaving nodes carry out an attack commonly called sink hole attack (Pirzada & McDonald, 2005). A sensor behaving like a sinkhole will drop any packet it receives. In a worm hole attack (Hu, Perrig, & Johnson, 2002), two colluding sensors create a tunnel between them. The first node may be situated in the proximity of the base station and replays the messages received by the second one. The tunnel is a fast path and will encourage the nodes to use it for routing. This attack is hard to detect because the authenticity and confidentiality security requirements are maintained. Once the packets are routed through the wormhole, denial-of-service attacks can be enforced. Packets will be forwarded selectively or they will not be forwarded at all. In a Sybil attack (Douceur, 2002), a node uses multiple identities without revealing that it owns these different identities. If some mechanisms in the network use the majority of votes in their decision making, a node with many identities can cheat during the voting process by using more than one vote. For a routing protocol that uses several paths to the destination, a Sybil attack can advertise one path as several ones. Additionally, a Sybil attack can be correlated with sink hole or worm hole attacks.

Protection Mechanisms

Different protection mechanisms have been proposed to increase the survivability of the nodes and protect their assets. For example, a few of the routing protocols surveyed above have recently been patched with security mechanisms: secure-SPIN (Xiao, Wei, & Zhou, 2006) adds cryptographic functions to SPIN that do not require too much memory and processing power; and secure directed diffusion (SDD) (Wang, Yang, & Chen, 2005) uses an efficient one-way chain rather than asymmetric cryptography, which is too complex for the resource-constrained nodes, to increase the security of the protocol. Indeed, the cost of the protection mechanisms has to really be taken into account due to the resource-constraints of the nodes. Cryptographic solutions may be used for confidentiality and integrity of data but they may be too heavy in some settings. Any protection mechanism needs to be analysed with regard to its computation cost, its memory cost, its communication cost, and its energy cost (Hwang et al., 2004). In the next subsections, we detail two fast-evolving protection mechanisms: cryptographic key deployment and management among the nodes, and computational trust management.

Key Deployment and Management

A first line of defence is the use of cryptography to encrypt the communication between the nodes. However, this requires the distribution/deployment of secrets in the nodes to allow them to encrypt the
communication with this secret. The distribution of keys is usually followed by a shared key discovery phase and a path key establishment phase. Other elements that need to be considered are key revocation, rekeying, and addition of nodes. Two neighbour nodes can communicate only if they share the same key. Network resilience is defined as the number of captured nodes before an attacker is able to control the network. Network connectivity is defined as the probability that two nodes can communicate. Rekeying overhead is defined as the network traffic needed to establish a new key. Both network resilience to node capture and pair-wise connectivity depends on the size of keying material stored on the nodes. While public key cryptography is not feasible due to limited computational resources, the distribution of secret keys to each sensor is assumed to be feasible in the literature. As we underlined above, the nodes are low cost devices without strong tamper proof hardware. Thus, a captured node will, at some stage, permit access to its cryptographic material. Key management schemes (Chan, Perrig, & Song, 2003; Mohammed & Mohamed, 2005) try to increase network resilience to node capture while maintaining the performance goals and minimising the resulting cost of lower network connectivity due to sensors who do not share similar secret keys. There is a trade-off between the energy spent, the cost of used memory for protection, and the security level reached (Hwang et al., 2004).

Static keying means that the nodes have been allocated keys off-line before deployment, that is, predeployment. The existing solutions assign keys either randomly or based on deployment information, for example, the predicted neighbourhood of the nodes. A basic scheme is to generate p keys off-line and the nodes are allocated k keys randomly among these p keys. After deployment, a node broadcasts a set of identifiers of its known keys and can communicate with the nodes that have at least one common key. The advantage of static keying is no communication overhead after the deployment. The easiest way to secure a network is to give a unique key at predeployment time. However, in this case, if only one node is compromised the whole network is compromised and it seems viable to extract the key from one node as they are cheap and not so well protected (at least in nonmilitary application scenarios). The second approach is to have pairwise keys for all sensors on each sensor, which is impractical due to the memory constraints of the sensors. Saurabh and Mani (2004) argue that previous approaches relying on keying management and cryptographic means are not suitable for small nodes, such as sensors, due to their resource constraints or the fact that it is easy to recover their cryptographic material because they are cheap and not fully tamper-proof. For n nodes deployed in the network, each node would have to store n-1 keys. Even if the keys are small (e.g., 64 bits), for a network of tens of thousands of nodes the storage space required for the keys is impractical. It is worth noting that only a small fraction of the keys may be used in fixed standard sensors networks because the density of the network may be low and a sensor may only be able to communicate with few neighbouring nodes with direct communication. Eschenauer and Gligor (2002) mitigate the memory constraints problem whilst keeping the key resilience level at a target threshold level. If we consider N the number of nodes in the network and p the probability that two nodes share a common key, then each node will store a set of Np keys, called a key ring. The keys are selected from a larger key pool. Each node stores a set of keys and an identifier for each key. A shared key discovery phase between the neighbours is necessary after the deployment. Each node broadcasts the identifiers of the keys in its key ring. If the nodes share a common key, there is a link between them. If a common key between two nodes does not exist, then a path key establishment procedure takes place. An alternative is to use location information to improve connectivity.

Polynomial-based key predistribution schemes (Chan et al., 2003) use a random symmetric t-degree polynomial P. A polynomial share is defined as a partially evaluated polynomial: P(i,y) or P(y,i). Based on the polynomial share, each node can compute a common key: f(i,j). The scheme is resistant to t collusions.

Dynamic keying means that the keys can be (re)generated after deployment. New keys are cre-
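
An added sketch (not the chapter's or the cited authors' code) of the static random key predistribution described above: key pool, key rings, shared-key discovery by identifier, a path-key relay, and the connectivity and node-capture measures the chapter defines. Pool size, ring size and node count are constructed values, and taking the lowest common identifier as the link key is an assumption.

```python
import math
import random


def make_key_pool(pool_size, rng):
    """Off-line step: generate the pool as {key identifier: 64-bit key}.
    A seeded RNG keeps the demo repeatable; real keys need a CSPRNG."""
    return {kid: rng.getrandbits(64).to_bytes(8, "big") for kid in range(pool_size)}


def assign_key_rings(pool, n_nodes, ring_size, rng):
    """Pre-deployment: each node receives ring_size keys drawn at random from the pool."""
    ids = list(pool)
    return [{kid: pool[kid] for kid in rng.sample(ids, ring_size)}
            for _ in range(n_nodes)]


def shared_key_discovery(ring_a, ring_b):
    """Nodes exchange key identifiers only, never keys.
    Returns (identifier, key) of the link key, or None if the rings are disjoint."""
    common = sorted(ring_a.keys() & ring_b.keys())
    return (common[0], ring_a[common[0]]) if common else None


def path_key_relay(rings, a, b):
    """Path-key establishment: find a node that already shares a key with both a and b."""
    for r in range(len(rings)):
        if r not in (a, b) and shared_key_discovery(rings[a], rings[r]) \
                and shared_key_discovery(rings[r], rings[b]):
            return r
    return None


def connectivity(pool_size, ring_size):
    """Network connectivity: probability that two random key rings share a key."""
    disjoint = math.comb(pool_size - ring_size, ring_size) / math.comb(pool_size, ring_size)
    return 1 - disjoint


def links_exposed_by_capture(rings, captured):
    """Resilience measure: fraction of links between uncaptured nodes whose
    link key is also stored on at least one captured node."""
    exposed = set()
    for c in captured:
        exposed.update(rings[c])
    free = [i for i in range(len(rings)) if i not in captured]
    total = broken = 0
    for pos, i in enumerate(free):
        for j in free[pos + 1:]:
            link = shared_key_discovery(rings[i], rings[j])
            if link:
                total += 1
                broken += link[0] in exposed
    return broken / total if total else 0.0


if __name__ == "__main__":
    rng = random.Random(2002)  # constructed seed
    pool = make_key_pool(1000, rng)
    rings = assign_key_rings(pool, 60, 30, rng)
    print("connectivity for pool=1000, ring=30:", round(connectivity(1000, 30), 3))
    print("links exposed after 3 captures:",
          round(links_exposed_by_capture(rings, {0, 1, 2}), 3))
    # The single network-wide key: full connectivity, but one capture exposes every link.
    single = assign_key_rings(make_key_pool(1, rng), 10, 1, rng)
    print("single key, one capture:", links_exposed_by_capture(single, {0}))
```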
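
The polynomial-based predistribution described above, as an added example rather than code from Chan et al. (2003): each node stores only its share P(i, y), two nodes derive the same key, and the last function shows why t bounds the number of captured shares the scheme tolerates. The prime modulus, the node identifiers and all function names are assumptions.

```python
import random

Q = 2**61 - 1  # prime modulus for all arithmetic (assumed parameter)


def make_symmetric_poly(t, rng):
    """Coefficient matrix a[i][j] of P(x, y) = sum a[i][j] x^i y^j with a[i][j] == a[j][i]."""
    a = [[0] * (t + 1) for _ in range(t + 1)]
    for i in range(t + 1):
        for j in range(i, t + 1):
            a[i][j] = a[j][i] = rng.randrange(Q)
    return a


def polynomial_share(poly, node_id):
    """Share of node i: the t+1 coefficients of the one-variable polynomial P(i, y)."""
    t = len(poly) - 1
    return [sum(poly[i][j] * pow(node_id, i, Q) for i in range(t + 1)) % Q
            for j in range(t + 1)]


def pairwise_key(share, peer_id):
    """Evaluate the node's own share at the peer's identifier (Horner's rule)."""
    acc = 0
    for coeff in reversed(share):
        acc = (acc * peer_id + coeff) % Q
    return acc


def collusion_estimate(captured_shares, i, j):
    """What pooled shares {node id: share} reveal about the key of nodes i and j.

    P(x, j) has degree t in x, and every captured node c contributes the point
    (c, P(c, j)). Lagrange interpolation at x = i is exact with t+1 points and
    yields an unrelated value with t points or fewer.
    """
    points = [(c, pairwise_key(share, j)) for c, share in captured_shares.items()]
    total = 0
    for xk, yk in points:
        num = den = 1
        for xm, _ in points:
            if xm != xk:
                num = num * (i - xm) % Q
                den = den * (xk - xm) % Q
        total = (total + yk * num * pow(den, -1, Q)) % Q
    return total


if __name__ == "__main__":
    rng = random.Random(7)  # constructed seed; real coefficients need a CSPRNG
    t = 3
    poly = make_symmetric_poly(t, rng)
    shares = {node: polynomial_share(poly, node) for node in range(1, 7)}
    key = pairwise_key(shares[1], 2)
    print("keys agree:", key == pairwise_key(shares[2], 1))
    print("t captured shares recover the key:",
          collusion_estimate({c: shares[c] for c in (3, 4, 5)}, 1, 2) == key)
    print("t+1 captured shares recover the key:",
          collusion_estimate({c: shares[c] for c in (3, 4, 5, 6)}, 1, 2) == key)
```

Each node stores t+1 field elements whatever the network size, so t should be chosen above the number of nodes expected to be captured.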
The decision making of the trust engine uses two subcomponents:

1. A trust module that can dynamically assess the trustworthiness of the requesting entity based on the trust evidence of any type stored in the evidence store.
2. A risk engine that can dynamically evaluate the risk involved in the interaction, again based on the available evidence in the evidence store.

A common decision-making policy is to choose (or suggest to the user) the action that would maintain the appropriate cost/benefit. For example, in the sensor network application domain, we have to balance ejecting a message or forwarding it based on how much energy has to be spent and risk of failure in each case to successfully reach the base station or sink. In the background, the evidence manager component is in charge of gathering evidence such as recommendations, comparisons between expected outcomes of the chosen actions and real outcomes, and so forth. These pieces of evidence are used to update risk and trust levels. Thus, trust and risk follow a managed lifecycle.

Although ‘subjective logic’ (Jøsang, 2001) does not use the notion of risk, it can be considered as a trust engine that integrates the element of ignorance and uncertainty, which cannot be reflected by mere probabilities but is part of the human aspect of trust. In order to represent imperfect knowledge, an opinion is considered to be a triplet whose elements are belief (b), disbelief (d), and uncertainty (u), such that:

$b + d + u = 1, \quad \{b, d, u\} \in [0,1]^3$

The relation with trust evidence comes from the fact that an opinion about a binary event can be based on statistical evidence. Information on posterior probabilities of binary events are converted in the b, d, and u elements in a value in the range [0,1]. The trust value (w) in the virtual identity (S) of the virtual identity (T) concerning the trust context p is:

$w^{T}_{p}(S) = \{b, d, u\}$

The subjective logic provides more than 10 operators to combine opinions. For example, the recommendation (⊗) operator corresponds to use the recommending trustworthiness (RT) to adjust a recommended opinion. Jøsang’s approach can be used in many applications since the trust context is open. In the case of our networks of nodes, we can apply this kind of triple and statistical evidence count to compute the node trust value. For example, in case of a sink base station and a network of nodes, the messages sent by a node may be acknowledged by the base station by sending an acknowledgement message with strong energy transmission. Depending on which neighbour node was used to forward the message, the sending node can count how many times the sent messages were acknowledged via this neighbour node. Each neighbour node is given a triple (b, d, u) as its trust value. If a message is acknowledged, b is increased by one. If after a timeout, the message has still not been acknowledged, d is updated by one. From the sending time of the message to the acknowledgement or the timeout, u is increased by 1 (and then decreased by 1). Concerning the memory/protection cost trade-off (Hwang et al., 2004), it seems to be a reasonable assumption be-
[Figure: Decision making, Evidence Store, Virtual Identities, Risk Analysis]
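
The acknowledgement counting and the eject-or-forward decision described above, as an added example that is not code from the chapter or from Jøsang. The mapping from counts to (b, d, u) with a prior weight of 2 and a base rate of 0.5 is an assumption (the chapter gives only the counting rule), and the energy figures and neighbour names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Evidence:
    acked: int = 0      # messages acknowledged by the sink when sent via this neighbour
    timed_out: int = 0  # messages with no acknowledgement before the timeout


def opinion(ev, prior_weight=2.0):
    """Map evidence counts to an opinion (b, d, u) with b + d + u = 1."""
    total = ev.acked + ev.timed_out + prior_weight
    return (ev.acked / total, ev.timed_out / total, prior_weight / total)


def expectation(op, base_rate=0.5):
    """Probability expectation of an opinion: uncertainty is split by the base rate."""
    b, _, u = op
    return b + base_rate * u


def discount(in_recommender, recommended):
    """Recommendation operator: weigh a recommended opinion by the opinion
    held about the recommender. Disbelief in the recommender becomes uncertainty."""
    rb, rd, ru = in_recommender
    b, d, u = recommended
    return (rb * b, rb * d, rd + ru + rb * u)


class NeighbourTrust:
    """Evidence store of one sending node, keyed by neighbour."""

    def __init__(self):
        self.evidence = {}

    def record(self, neighbour, acknowledged):
        ev = self.evidence.setdefault(neighbour, Evidence())
        if acknowledged:
            ev.acked += 1
        else:
            ev.timed_out += 1

    def decide(self, forward_energy, eject_energy, eject_success=1.0):
        """Return ('forward', neighbour) or ('eject', None), whichever has the
        lowest expected energy per delivered message."""
        best, best_cost = ("eject", None), eject_energy / eject_success
        for neighbour, ev in sorted(self.evidence.items()):
            cost = forward_energy / expectation(opinion(ev))
            if cost < best_cost:
                best, best_cost = ("forward", neighbour), cost
        return best


if __name__ == "__main__":
    store = NeighbourTrust()
    for _ in range(8):
        store.record("n1", True)   # constructed history: n1 always delivers
        store.record("n2", False)  # n2 behaves like a sinkhole
    for name in ("n1", "n2"):
        print(name, [round(x, 2) for x in opinion(store.evidence[name])])
    print("decision:", store.decide(forward_energy=1.0, eject_energy=4.0))
    # n2 recommending itself counts for little once n2 is distrusted.
    print("n2 vouching for n2:",
          discount(opinion(store.evidence["n2"]), (1.0, 0.0, 0.0)))
```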
example, solar cells in new nanomaterial are much more flexible than before. In this case, the attacks may be turned towards the external harvested energy sources.

The advances in nanotechnologies may also mean that even smaller nodes are possible. In this case, it is likely that current cryptographic mechanisms will have to be scaled down. Routing and communication between these nanoscale nodes may also change dramatically. Quantum computing may introduce even further probabilistic mechanisms with less determinism at the node level than at the nodes as a whole level. In this case, decision-based under uncertainty may still benefit from the use of computational trust.

Conclusion

Due to the resource-constraints of the nodes involved in mobile ad hoc or sensors networks settings, new security mechanisms are needed to guarantee the survivability of these networks of nodes. However, these new security mechanisms have a strong constraint with regard to their resource consumption. Computational trust management is one of these new schemes that are proposed because the nodes are interdependent and need to collaborate to achieve more than what they can achieve alone. There are still limitations though: both the listening mode and the communication overhead are costly in terms of energy. The cryptographic tasks involved in key management consume less energy but rekeying still necessitates extra communication. There is still some work ahead to fine-tune and combine these new security mechanisms for optimal survivability, being survivability at the node level or at the network of nodes level.

References

Buchegger, S., & Le Boudec, J.-Y. (2004). A robust reputation system for P2P and mobile ad-hoc networks. Paper presented at the Second Workshop on the Economics of Peer-to-Peer Systems.

Cardei, M. (2005). Energy-efficient target coverage in wireless sensor networks. Paper presented at the INFOCOM.

Carle, J., & Simplot-Ryl, D. (2004). Energy-efficient area monitoring for sensor networks. IEEE Computer, 37(2).

Chan, H., Perrig, A., & Song, D. (2003). Random key predistribution schemes for sensor networks. Paper presented at the IEEE Security and Privacy Symposium.

Chatzigiannakis, I., Dimitriou, T., Nikoletseas, S., & Spirakis, P. (2006). A probabilistic algorithm for efficient and robust data propagation in smart dust networks. Elsevier Journal of Ad-hoc Networks, 4(5).

Despotovic, Z., & Aberer, K. (2004). Trust and reputation management in P2P networks. Paper presented at the International Conference on E-Commerce Technology.

Douceur, J. R. (2002). The Sybil attack. Paper presented at the 1st International Workshop on Peer-to-Peer Systems.

Eschenauer, L., & Gligor, V. (2002). A key management scheme for distributed sensor networks. Paper presented at the ACM Conference on Computer and Communications Security.

Friss, H. T. (1946). A note on a simple transmission formula. Paper presented at the Proceedings of IRE.

Handy, M. J., Haase, M., & Timmermann, D. (2002). Low energy adaptive clustering hierarchy with deterministic cluster-head selection. Paper presented at the International Conference on Mobile and Wireless Communications Networks.

Hu, Y., Perrig, A., & Johnson, D. (2002). Wormhole detection in wireless ad hoc networks (Tech. Rep.). Rice University.

Hubaux, J.-P., Buttyán, L., & Capkun, S. (2001). The quest for security in mobile ad hoc networks. Paper presented at the ACM Symposium on Mobile Ad Hoc Networking and Computing.
Hwang, D. D., Lai, B.-C. C., & Verbauwhede, I. (2004). Energy-memory-security tradeoffs in distributed sensor networks. Paper presented at the Ad-hoc Now Conference.

Intanagonwiwat, C., Govindan, R., Estrin, D., Heidemann, J., & Silva, F. (2003). Directed diffusion for wireless sensor networking. IEEE/ACM Transactions on Networking, 11.

Jøsang, A. (2001). A logic for uncertain probabilities. Fuzziness and Knowledge-Based Systems, 9(3).

Kulik, J., Heinzelman, W. R., & Balakrishnan, H. (2002). Negotiation-based protocols for disseminating information in wireless sensor networks. Wireless Networks, 8.

Maltz, D. A. (2001). On-demand routing in multi-hop wireless ad hoc networks. Unpublished doctoral thesis, Carnegie Mellon University.

Marsh, S. (1994). Formalising trust as a computational concept. Unpublished doctoral thesis, University of Stirling, Department of Mathematics and Computer Science.

Martin, T., Hsiao, M., Ha, D., & Krishnaswami, J. (2004). Denial-of-service attacks on battery-powered mobile computers. Paper presented at the 2nd IEEE Pervasive Computing Conference.

McKnight, D. H., & Chervany, N. L. (2000). What is trust? A conceptual analysis and an interdisciplinary model. Paper presented at the Americas Conference on Information Systems.

Michiardi, P., & Molva, R. (2002). Core: A collaborative reputation mechanism to enforce node cooperation in mobile ad hoc networks. Paper presented at the IFIP TC6/TC11 Sixth Joint Working Conference on Communications and Multimedia Security.

Miranda, H., & Rodrigues, L. (2003). Friends and foes: Preventing selfishness in open mobile ad hoc networks. Paper presented at the 23rd International Conference on Distributed Computing Systems.

Mohammed, A. M., & Mohamed, E. (2005). A study of static versus dynamic keying schemes in sensor networks. Paper presented at the 2nd ACM International Workshop on Performance Evaluation of Wireless Ad hoc, Sensor, and Ubiquitous Networks, Montreal, Quebec, Canada.

Ozturk, C., Zhang, Y., & Trappe, W. (2004). Source-location privacy in energy-constrained sensor network routing. Paper presented at the 2nd ACM Workshop on Security of Ad hoc and Sensor Networks.

Perkins, C. E., & Royer, E. M. (1999). Ad hoc on-demand distance vector routing. Paper presented at the 2nd IEEE Workshop on Mobile Computing Systems and Applications.

Pirretti, M., Zhu, S., Narayanan, V., McDaniel, P., Kandemir, M., & Brooks, R. R. (2005). The sleep deprivation attack in sensor networks: Analysis and methods of defense. Paper presented at the Innovations and Commercial Applications of Distributed Sensor Networks Symposia.

Pirzada, A. A., & McDonald, C. (2005). Circumventing sinkholes and wormholes in wireless sensor networks. Paper presented at the International Workshop on Wireless Ad-hoc Networks.

Powell, O., Jarry, A., Leone, P., & Rolim, J. (2006). Gradient based routing in wireless sensor networks: A mixed strategy (Tech. Rep.). University of Geneva.

Romano, D. M. (2003). The nature of trust: Conceptual and operational clarification. Unpublished doctoral thesis, Louisiana State University.

Saurabh, G., & Mani, B. S. (2004). Reputation-based framework for high integrity sensor networks. Paper presented at the 2nd ACM Workshop on Security of Ad hoc and Sensor Networks, Washington D.C.

Schurgers, C., & Srivastava, M. B. (2001). Energy efficient routing in wireless sensor networks. Paper presented at the MILCOM Communications for Network-Centric Operations: Creating the Information Force.

Seigneur, J.-M. (2005). Trust, security and privacy in global computing. Unpublished doctoral thesis, Trinity College Dublin.
Trustcomp. (n.d.). Retrieved August 4, 2006, from http://www.trustcomp.org/

Twigg, A. (2003). A subjective approach to routing in P2P and ad hoc networks. Paper presented at the First International Conference on Trust Management.

Wang, X., Yang, L., & Chen, K. (2005). SDD: Secure directed diffusion protocol for sensor. Security in ad-hoc and sensor networks (Vol. 3313). Springer.

Weiser, M. (1991). The computer for the 21st century. Scientific American.

Xiao, D., Wei, M., & Zhou, Y. (2006). Secure-SPIN: Secure sensor protocol for information via negotiation for wireless sensor networks. Paper presented at the Conference on Industrial Electronics and Applications.

Ye, F., Chen, A., Liu, S., & Zhang, L. (2001). A scalable solution to minimum cost forwarding in large sensor networks. Paper presented at the Tenth International Conference on Computer Communications and Networks.

Key Terms

Node: A node may go from the tiny fixed deployed sensor to the mobile unplugged mobile device.

Node(s) Survivability: Emphasises that the scope of the nodes mission may span more than one node. The survivability of the node itself may be more important than the survivability of the other nodes or the mission may be that the majority of the nodes survive at the expense of the survival of one specific node.

Reactive Routing Protocols: Compute the route between two nodes only when the route is needed, that is, ‘on demand.’

Energy-aware Routing Protocols: Explicitly take into account the energy consumption as a parameter.

To Eject: Means that the sensor increases the power of transmission to be able to reach the base station in one transmission.

Static Keying: Means that the nodes have been allocated keys off-line before deployment, that is, predeployment.

Dynamic Keying: Means that the keys can be (re)generated after-deployment.

Network Resilience: The number of captured nodes before an attacker is able to control the network.

Network Connectivity: The probability that two nodes can communicate.

Rekeying Overhead: The network traffic needed to establish a new key.

Trust: Trust ‘is a subjective assessment of another’s influence in terms of the extent of one’s perceptions about the quality and significance of another’s impact over one’s outcomes in a given situation, such that one’s expectation of, openness to, and inclination toward such influence provide a sense of control over the potential outcomes of the situation’ (Romano, 2003).

Computed Trust Value: A nonenforceable estimate of the entity’s future behaviour in a given context based on evidence (“Trustcomp,” n.d.).
Chapter XL
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
Yu Wang
University of North Carolina at Charlotte, USA
Abstract
Fault tolerance is one of the premier system design desiderata in wireless ad hoc and sensor networks.
It is crucial to have a certain level of fault tolerance in most ad hoc and sensor applications,
especially for those used in surveillance, security, and disaster relief. In addition, several network security
schemes require the underlying topology provide fault tolerance. In this chapter, we will review various
fault tolerant techniques used in topology design for ad hoc and sensor networks, including those for
power control, topology control, and sensor coverage.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Ad hoc and sensor networks trigger many challenging research problems, as they intrinsically have many special characteristics and unavoidable limitations, compared with other wired or wireless networks. An important requirement of ad hoc and sensor networks is that they should be self-organizing, that is, transmission ranges and data paths are dynamically restructured with changing topology. Energy conservation and network performance are probably the most critical issues in ad hoc and sensor networks, since wireless devices (such as tiny sensor nodes in sensor networks) are usually powered by batteries only and have limited computing capability and memory. Topology control and power control are two primary techniques with respect to energy-efficiency in ad hoc and sensor networks.

The topology control technique is to let each wireless device locally select certain neighbors for communication, while maintaining a topology that can support energy efficient routing and improve the overall network performance. Unlike traditional wired networks and cellular wireless networks, mobile devices are often moving during the communication, which could change the network topology to some extent. Hence it is more challenging to design a topology control algorithm for ad hoc and sensor networks. The power control technique is to control the network topology by adjusting the wireless device’s transmission range. Reducing the transmission range can save the power consumption at each node and reduce the signal interference among neighbors, but it may hurt the connectivity of the induced topology. Power control tries to minimize the power consumption used by all nodes while maintaining a topology that is connected and has certain desired properties such as fault tolerance.

Although fault tolerance has been studied for several decades in computer and VLSI systems, limited resources on small devices, lack of centralized control, and high mobility make fault-tolerance much harder to achieve in ad hoc and sensor networks. One key characteristic of such networks is that node and link failure is a non-negligible event, in some cases even a regular or common event. This is particularly the case in sensor networks where the equipment is restricted to a minimum due to limitations in cost and weight. First of all, battery driven sensor nodes may stop working because they run out of energy supply. Second, the shared wireless medium is inherently less stable than wired media. This situation results in more packet losses and lower throughput. Third, sensor networks often operate in potentially hostile or at least harsh and unconditioned environments. Tiny sensor devices with limited security techniques are usually vulnerable to various attacks. Another aspect that has an influence on the required degree of redundancy and fault-tolerance is mobility, which is a key issue in ad hoc networks. Therefore, reliability and fault-tolerance are emerging as premier and crucial system design desiderata in ad hoc and sensor networks. In addition, fault-tolerance design is also one of the basic components in ad hoc and sensor network security.

Fault tolerance strongly depends on the network connectivity. To make fault tolerance possible, first of all, the underlying network topology must be k-connected for some k > 1, that is, given any pair of wireless devices, at least k disjoint paths are needed to connect them. With k-connectivity, the network can survive k-1 node/link failures. Traditional topology control or power control solutions cannot cope with those fault-tolerance requirements, since fault-tolerance is usually sacrificed for power efficiency. In order to be power efficient, topology control and power control algorithms try to reduce the number of links and thereby reduce the redundancy available for tolerating node and link failures. On the other hand, to achieve fault-tolerance, existing algorithms usually sacrifice power efficiency. Thus, topology design for ad hoc and sensor networks needs to consider both power efficiency and fault-tolerance.

This chapter is focused on fault tolerant topology design for ad hoc and sensor networks. In the second section, fault tolerant techniques used in power control protocols (such as power assignment and critical transmission range) are reviewed. In the third section, we survey fault tolerant design in topology control, that is, how to design fault tolerant geometric or hierarchical structures. In the
fourth section, fault tolerant coverage and protection in sensor networks are discussed. There is a conclusion in the fifth section, while the chapter ends with references and key definitions.

Fault Tolerant Design in Power Control

Fault tolerant design in power control studies how to set the transmission range for each node in a network such that the induced topology is k-connected, that is, the network can survive under k-1 failures. Obviously, by setting the transmission range sufficiently large, the induced network topology will be k-connected without doubt. However, as power is a scarce resource in ad hoc and sensor networks, it is important to save the power consumption without losing the network connectivity. Thus, the question is how to find the minimum transmission range such that the induced topology is multiply connected. There are two sets of research in this direction: critical transmission range for random networks and minimum power assignment optimization for static networks.

Given n static wireless nodes V, each with transmission range r_n, the wireless network can be modeled by graph G(V, r_n) in which two nodes are connected if their Euclidean distance is no more than r_n. The minimum range r_n used by all wireless nodes such that the induced network topology has certain property (such as connectivity) is called the critical transmission range (CTR). The CTR for connectivity has been studied in the literature (Gupta & Kumar, 1998; Penrose, 1997; Ramanathan & Rosales-Hain, 2000; Sanchez, Manzoni, & Haas, 1999). Characterizing the CTR for connectivity (or k-connectivity) helps the system designer to answer fundamental questions, such as: (1) given a number of nodes n to be deployed in a region, what is the minimum value of transmission range that ensures network connectivity (or k-connectivity)?; or (2) given transmission range of certain technology, how many nodes need to be distributed over a given region to ensure network connectivity (or k-connectivity)?

Recently, applying stochastic geometry, Penrose (1999), Bettstetter (2002), Li, Wang, Wan, and Yi (2003), and Wan and Yi (2004) studied CTR to achieve the k-connectivity with certain probability for a network when wireless nodes are uniformly and randomly distributed over a two-dimensional region. Penrose (1999) shows that with high probability the network becomes k-connected when the minimum node degree in the communication graph becomes k. In other words, the characterization of the CTR for k-connectivity can be derived by analyzing the probability of the relatively simpler event that every node in the network has a degree at least k. Based on results from Penrose, Li et al. (2003) first derive the upper bound and the lower bound of the CTR for k-connectivity in a two-dimensional network. They proved that, given n wireless nodes which are randomly distributed in a unit square, if the transmission range r_n of wireless devices satisfies

$$n\pi r_n^2 \ge \ln n + (2k-3)\ln\ln n - 2\ln (k-1)! + \alpha + 2\ln\left(\frac{8(k-1)}{2^{k-1}\pi}\right),$$

then G(V, r_n) is k-connected with probability at least $e^{-e^{-\alpha}}$ as n goes to infinity. Here α is any real number. Wan and Yi (2004) close the gap between the upper bound and the lower bound by giving an exact formula for the probability of k-connectivity when n goes to infinity. They show the CTR for k-connectivity:

$$r_n = \sqrt{\frac{\log n + (2k-3)\log\log n + f(n)}{\pi n}},$$

where f(n) is an arbitrary function such that $\lim_{n\to\infty} f(n) = +\infty$. Bettstetter (2002) also investigated the minimum node degree and k-connectivity and constructed various simulations to verify his analytical expressions. However, his theoretical result does not consider the boundary effects (it assumes the network is distributed in a very large area), which is impossible in real networks. Even though the theoretical results of the CTR for k-connectivity have been derived, the theoretical bounds only hold when n goes to infinity. How to set the transmission range in a real network where n is a small practical integer is studied by Li et al. (2003) by conducting simulations. Another related work is about the CTR for connectivity with Bernoulli nodes. So far we assume that all nodes will always function properly; however, in certain scenarios, nodes may be faulty (or put into sleep) with a certain
probability p > 0. Wan and Yi (2005) model this scenario using Bernoulli nodes and studied the CTR for connectivity with Bernoulli nodes.

All analytical results on CTR assume wireless nodes are randomly distributed and the transmission range of every node is equal. These assumptions are not always true for ad hoc and sensor networks in practice. Another power control technique is to allow each wireless device to adjust its transmission power according to its neighbors’ positions. A natural question is then, given a static network, how to assign the transmission power for each node such that the network is k-connected with optimization criteria minimizing the total (or maximum) transmission power assigned. This kind of optimization question is called minimum power assignment optimization. See Figure 1 for illustrations of minimum total power assignment for k-connectivity (k = 1 or 2).

Figure 1. Illustrations of power control: minimum total power assignment for connectivity

The minimum maximum power assignment problem can be solved in polynomial time by using a simple binary-search-based approach (Lloyd, Liu, Marathe, Ramanathan, & Ravi, 2002). The minimum total power assignment for connectivity problem was first studied and proved to be NP-hard by Chen and Huang (1989), in which the induced communication graph is strongly connected while the total power assignment is minimized. Recently, this problem has been heavily studied and many approximation algorithms have been proposed when the network is modeled using symmetric or asymmetric links (Althaus, Calinescu, Mandoiu, Prasad, Tchervenski, & Zelikovsky, 2003; Calinescu, Kapoor, Olshevsky, & Zelikovsky, 2003; Clementi, Penna, & Silvestri, 2000; Clementi, Huiban, Penna, Rossi, & Verhoeven, 2002; Kirousis, Kranakis, Krizanc, & Pelc, 2000; Ramanathan & Rosales-Hain, 2000). Along this line, Calinescu and Wan (2006), Cheriyan, Vempala, and Vetta (2002), and Hajiaghayi, Immorlica, and Mirrokni (2003) consider the minimum total power assignment while the resulting network is k-connected (or (k-1) fault tolerant). This problem has been shown to be NP-hard too. Many of the best-known approximation algorithms (e.g., Cheriyan et al., 2002) are based on linear programming (LP) approaches. However, Hajiaghayi et al. (2003) show that for the minimum total power assignment for k-connectivity problem, the natural integer LP formulation has an integrality gap of Ω(n/k), implying that there is no approximation algorithm based on LP with an approximation factor better than Ω(n/k).

Some heuristics (Bahramgiri, Hajiaghayi, & Mirrokni, 2002; Ramanathan & Rosales-Hain, 2000) are proposed as well. Bahramgiri et al. (2002) show that the cone-based topology control (CBTC) algorithm by Wattenhofer, Li, Bahl, and Wang (2001) and Li, Halpern, Bahl, Wang, and Wattenhofer (2001) can be extended to solve the k-fault tolerance. Hajiaghayi et al. (2003) also constructed examples which demonstrate that the approximation factor for CBTC algorithm is at least Ω(n/k). Recently, Lloyd et al. (2002) presented a centralized 8(1-1/n)-approximation for the minimum total power assignment for 2-connectivity problem. Calinescu and Wan (2006) further show that their algorithm could achieve 2k-approximation ratio for the minimum total power
assignment for k-connectivity problem. Hajiaghayi et al. (2003) present algorithms minimizing power while maintaining k-connectivity with guarantee. Their first algorithm gives an O(kK)-approximation, where K is the best approximation factor for the related problem in wired networks (the best K so far is in O(log k) by Cheriyan et al., 2002). The second algorithm is based on an approximation algorithm introduced by Kortsarz and Nutov (1994). It is more complicated and can achieve O(k) approximation for general graphs. Their first two algorithms are centralized algorithms. Then they present two distributed approximation algorithms for the cases 2- and 3-connectivity in geometric graphs with constant approximation ratios. Both these algorithms use the distributed minimum spanning tree algorithm.

Fault Tolerant Design in Topology Control

Topology control algorithms have been proposed to maintain network connectivity while improving energy efficiency and increasing network capacity by solely keeping selected links. However, by reducing the number of links in the network, topology control actually decreases the degree of routing redundancy. As a result, the induced topology is more susceptible to node failures or departures. Thus, in this section we review the fault tolerant design which enforces k-connectivity in the topology control process. Usually, there are two sets of solutions for topology control: geometric topology (flat structure) and virtual backbone (hierarchical structure).

Geometric topology control algorithms assume each node knows the position information of itself and its neighbors and all nodes have the same transmission range. Using this geometric information, each node makes a local decision to keep some links and remove other links. Well-known geometric topologies used in ad hoc networks include local minimum spanning tree (LMST) (Li, Hou, & Sha, 2003), relative neighborhood graph (RNG) (Bose, Morin, Stojmenovic, & Urrutia, 2001; Seddigh, Gonzalez, & Stojmenovic, 2002), Gabriel graph (GG) (Bose et al., 2001; Karp & Kung, 2000), Yao graph (YG) (Li, Wan, & Wang, 2001; Li, Wan, Wang, & Frieder, 2002) and CBTC (L. Li et al., 2001; Wattenhofer et al., 2001). See Figure 2 for illustrations of their definitions. All of these topologies do guarantee the connectivity but not fault tolerance. Therefore, variations of these topologies have been proposed to improve the fault tolerance, that is, preserving k-connectivity.

Li and Hou (2004) present a variation of the LMST algorithm to construct a k-connected topology, called fault-tolerant local spanning subgraph (FLSS_k). Similarly to LMST, the algorithm to build FLSS_k is composed of three phases: information exchange, topology construction, and determination of transmit power. The main difference between LMST and FLSS_k is in the topology construction phase: instead of building a local MST on its neighbors (such as the two local trees for u and v in Figure 2[a]), a node builds a spanning subgraph to preserve k-connectivity using a simple greedy algorithm. Li and Hou prove that FLSS_k guarantees the k-connectivity and maintains bidirectionality for all the links in the topology while reducing the power consumption.

Figure 2. Illustrations of the definitions of different topologies
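The following is an added example, not code from the chapter or from any cited paper. On a constructed eight-node corridor deployment it finds the critical transmission range for k-connectivity by binary search over pairwise distances, then shows that RNG and GG pruning keep the graph connected but not 2-connected, while the k-RNG and k-GG rules this chapter attributes to Zhou, Das, and Gupta (2005) keep 2-connectivity with fewer links than the full graph. The deployment, the radio range 3.1, and all function names are assumptions made for illustration; k-connectivity is checked by brute force over failure sets, which only suits small inputs.

```python
import math
from itertools import combinations

def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])

def unit_disk_graph(pts, r):
    """G(V, r): two nodes are linked iff their Euclidean distance is <= r."""
    n = len(pts)
    return {u: {v for v in range(n) if v != u and dist(pts[u], pts[v]) <= r}
            for u in range(n)}

def link_count(adj):
    return sum(len(nbrs) for nbrs in adj.values()) // 2

def is_k_connected(adj, k):
    """True iff the graph has more than k nodes and stays connected after any
    k-1 node failures. Brute force over failure sets: small inputs only."""
    nodes = set(adj)
    if len(nodes) <= k:
        return False
    for failed in combinations(nodes, k - 1):
        alive = nodes - set(failed)
        start = next(iter(alive))
        seen, stack = {start}, [start]
        while stack:
            for v in adj[stack.pop()]:
                if v in alive and v not in seen:
                    seen.add(v)
                    stack.append(v)
        if seen != alive:
            return False
    return True

def critical_range(pts, holds):
    """Smallest common range r with holds(G(V, r)) true, or None if no range
    works. Only pairwise distances change the graph, and the properties used
    here are monotone in r, so binary search over sorted distances is valid."""
    cands = sorted({dist(a, b) for a, b in combinations(pts, 2)})
    if not holds(unit_disk_graph(pts, cands[-1])):
        return None
    lo, hi = 0, len(cands) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        if holds(unit_disk_graph(pts, cands[mid])):
            hi = mid
        else:
            lo = mid + 1
    return cands[lo]

def prune(pts, adj, k, is_witness):
    """Keep link uv iff at most k-1 other nodes are witnesses against it."""
    kept = {u: set() for u in adj}
    for u, v in ((u, v) for u in adj for v in adj[u] if u < v):
        blockers = sum(1 for w in adj if w != u and w != v
                       and is_witness(pts[u], pts[v], pts[w]))
        if blockers <= k - 1:
            kept[u].add(v)
            kept[v].add(u)
    return kept

def rng_witness(pu, pv, pw):
    # RNG rule: w is closer to both endpoints than they are to each other.
    d = dist(pu, pv)
    return dist(pu, pw) < d and dist(pw, pv) < d

def gg_witness(pu, pv, pw):
    # GG rule: w lies strictly inside the disk that has uv as its diameter.
    return dist(pu, pw) ** 2 + dist(pw, pv) ** 2 < dist(pu, pv) ** 2

def k_rng(pts, adj, k):
    return prune(pts, adj, k, rng_witness)

def k_gg(pts, adj, k):
    return prune(pts, adj, k, gg_witness)

# Constructed deployment: eight sensors in a zig-zag corridor (assumed layout).
CORRIDOR = [(float(i), 0.3 * (i % 2)) for i in range(8)]
RADIO_RANGE = 3.1  # assumed common transmission range

def survey(pts, radio_range, k):
    """Per topology: (links, survives 0 failures, survives k-1 failures)."""
    full = unit_disk_graph(pts, radio_range)
    report = {
        "ctr": critical_range(pts, lambda g: is_k_connected(g, k)),
        "min_degree_range": critical_range(
            pts, lambda g: min(len(nb) for nb in g.values()) >= k),
    }
    topologies = (("udg", full), ("rng", k_rng(pts, full, 1)),
                  ("gg", k_gg(pts, full, 1)), ("k_rng", k_rng(pts, full, k)),
                  ("k_gg", k_gg(pts, full, k)))
    for name, graph in topologies:
        report[name] = (link_count(graph), is_k_connected(graph, 1),
                        is_k_connected(graph, k))
    return report

if __name__ == "__main__":
    for key, value in survey(CORRIDOR, RADIO_RANGE, 2).items():
        print(key, value)
```

On this layout the range at which every node reaches degree 2 equals the range at which the graph becomes 2-connected, which is the event Penrose's result ties together for random deployments.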
Zhou, Das, and Gupta (2005) generalize the RNG structure to k-RNG structure to preserve the k-connectivity for sensor networks. In RNG, a link uv exists if and only if there is no other node w with edges uw and wv satisfying ||uw|| < ||uv|| and ||wv|| < ||uv|| simultaneously. Here ||.|| is the Euclidean distance. See Figure 2(b). In k-RNG, an edge exists between u and v if and only if there are at most (k-1) nodes w that satisfy ||uw|| < ||uv|| and ||wv|| < ||uv||. Obviously, similar to RNG, k-RNG can be constructed locally. Zhou et al. proved that k-RNG is k-connected if the original communication graph is k-connected. Notice that it is also easy to show we can use the same idea to generalize GG structure to k-GG while preserving the k-connectivity. There is an edge uv in k-GG if and only if there are at most (k-1) nodes inside the disk with uv as the diameter. See Figure 2(c). The nice property of GG and k-GG is that their power spanning ratios are equal to one (X.-Y. Li et al., 2001, 2002). In other words, GG/k-GG can keep all links on least power consumption paths in the original communication graph. Notice that LMST/FLSS_k and RNG/k-RNG do not have this property.

X.-Y. Li et al. (2003) modify the Yao structure as follows such that the structure is k-connected. Each node u defines any p equally-separated rays originated at u, where p > 6. These rays define p cones inside the transmission range. Figure 2(d) shows an example with p = 8 cones. In each cone, u chooses the k closest nodes in that cone, if there are any, and adds directed links from u to these nodes. Ties are broken arbitrarily. X.-Y. Li et al. (2003) proved that the modified Yao structure (YG_{p,k}) can preserve the k-connectivity. In addition, YG_{p,k} is a length/power spanner with bounded node degree even when (k-1) nodes fail. Here a length/power spanner has constant length spanning ratio and power spanning ratio, which indicates the topology is power efficient for unicast routing.

Bahramgiri et al. (2002) also discuss how to generalize the CBTC algorithm to ensure k-connectivity. Basically, each node enlarges its transmission range until it reaches its maximum power or the maximum angle between two consecutive neighbors of the induced topology is at most 2π/(3k). See Figure 2(e). Finally, it eliminates one-directional edges and keeps bidirectional edges. Bahramgiri et al. (2002) proved the resulting topology is k-connected if the original graph is k-connected. We can also prove the topology is a length spanner even with (k-1) node faults. However, unlike YG_{p,k}, the topology does not bound the node degree. A counter example is given by X.-Y. Li et al. (2003), as is an enhancement method to bound the node degree.

While all geometric structures above are flat structures, there is another set of structures, called hierarchical structures, widely used in ad hoc and sensor networks. Instead of involving all nodes to relay packets for other nodes, the hierarchical topology control protocols pick a subset of nodes to serve as the cluster-heads. These cluster-heads form a virtual backbone and forward packets for other nodes. The structure used to build this virtual
backbone is usually a (connected) dominating set. Many distributed clustering (or dominating set) algorithms have been proposed in the literature (e.g., Alzoubi, Wan, & Frieder, 2002; Das & Bharghavan, 1997; Wan, Alzoubi, & Frieder, 2002; Wu & Li,,.)02 91 All these algorithms first form several clusters where all cluster-heads form a dominating set. Each node either is a cluster-head (or called dominator) or belongs to one cluster (i.e., it is dominated by a dominator). All the cluster-heads can then be connected via several additional gateways to form the virtual backbone. However, a single node failure may cause the backbone to be broken in these algorithms. Thus, a fault-tolerant design is needed for these backbones too.

Kuhn, Moscibroda, and Wattenhofer (2006) studied the k-dominating set (k-DS) problem: find a set of nodes such that each of the (other) nodes is dominated by at least k nodes from this set. The set of such nodes is called a k-dominating set. Thus, the backbone can survive (k-1) node failures in the k-dominating set. For example, black nodes v1 and v3 in Figure 3(b) form a DS for the network in Figure 3(a), while black nodes v3, v4, and v5 in Figure 3(d) form a 2-DS. Kuhn et al. (2006) give two distributed approximation algorithms for the k-minimum dominating set problem in two different models: general graphs and unit disk graphs (UDG). The first one is for general graphs and based on LP approximation. For an arbitrary parameter t, it runs in time $O(t^2)$ and achieves an approximation ratio of $O(t\Delta^{2/t}\log\Delta)$, where Δ denotes the maximal degree. The second one is a probabilistic algorithm for unit disk graphs. It runs in time O(log log n) and achieves a constant approximation in expectation.

Dai and Wu (2005) studied how to construct a k-connected k-dominating set (k-CDS) as a backbone to balance efficiency and fault tolerance. Here, a k-DS is a k-CDS if its induced topology is k-connected. Figure 3(c) shows a CDS, and Figure 3(e) shows a 2-CDS. Three localized k-CDS construction algorithms are proposed. The first one (called k-Gossip) randomly selects virtual backbone nodes with a given probability p_k, where p_k depends on network condition and the value of k. The second one is a deterministic approach based on the authors’ previous method for 1-CDS. The last algorithm (color-based k-CDS construction, CBKC) is a hybrid paradigm that enables 1-CDS algorithms to construct a k-CDS with high probability in relatively dense networks. It is a hybrid of probabilistic and deterministic approaches.

Besides k-DS and k-CDS, there are other techniques to enhance the fault tolerance of virtual backbones. Chen and Son (2005) present methods to add necessary redundant nodes to the simple CDS backbone, which results in a higher vertex connectivity degree. They also identify several factors and synchronization methods that may affect the redundant node selection. For example, the nodes in CDS would like to select nodes with more power or higher degree or some combination of factors. Wang, Wang, and Li (2006) propose an efficient distributed method to construct weighted backbone with low cost. By assuming each node has a cost, they can construct a weighted CDS while the total cost of the CDS is bounded by a constant from the optimal. If each node can estimate its probability of being faulty and we treat it as the weight, we can use the algorithm by Y. Wang et al. (2006) to build a fault-tolerant backbone. Notice that building the most fault-tolerant backbone is equivalent to finding a CDS with the minimum total cost.

Most of the fault tolerant topology designs discussed so far assume the underlying communication graph is k-connected. This is true when the network density is large, but for sparse networks it may not hold. Bredin, Demaine, Hajiaghayi, and Rus (2005) studied an interesting problem of repairing a sensor network to guarantee a specified level of connectivity. They present a generic algorithm that determines how to establish k-connectivity by placing minimum additional sensors geographically between existing pairs of sensors. This problem is NP-hard, and thus their algorithm is an approximation algorithm. They proved that the number of additional sensors is within a constant factor of the absolute minimum, for any fixed k.

A related fault-tolerant problem in two-tiered sensor network deployment is studied by Hao, Tang, and Xue (2004) and Liu, Wan, and Jia (2005). A two-tiered sensor network is a cluster-based network.
Relay nodes are placed in the playing field to act as cluster-heads and to form a connected topology for data transmission in the higher tier. They are able to fuse data from sensor nodes (lower tier) in their clusters and send them to sinks through higher tier topology. Hao et al. (2004) studied a fault-tolerant relay node placement problem, where a minimum number of relay nodes are placed such that (1) each sensor node can communicate with at least two relay nodes and (2) the network of relay nodes is 2-connected. They proved the problem is NP-hard and gave an O(D log n)-approximation, where D is the diameter of the network. Notice that the ratio is not a constant but a function of the size of input. Liu et al. (2005) studied a more general relay-node placement problem where a minimum number of relay-nodes are placed in a 2-tiered sensor network such that the whole network is (1) connected or (2) 2-connected. They assumed that sensor nodes do not participate in forwarding data for others. They first gave a (6 + ε)-approximation algorithm for a 1-connectivity case. Then they further proposed a (24 + ε)-approximation algorithm and a (6/T + 12 + ε)-approximation algorithm for a 2-connectivity case, respectively, for any ε > 0, where T is the ratio of the number of relay nodes placed to the number of sensors in the first case.

Thallner and Moser (2005) studied fault-tolerant overlay topology for a fully connected network. They modeled the network as a weighted complete graph, where the weight of an edge is the cost of that connection. Their proposed algorithm can build and maintain a k-regular subgraph that is k-connected and has low total weight. However, since it assumes a fully connected communication graph, the algorithm is more suitable for an overlay network (such as peer-to-peer network) than an ad hoc network.

Another fault tolerant issue in topology control is how to detect and recover from topology failures for classical topology control protocols (not the fault tolerant ones we discussed above). It focuses on the design of detection and recovering schemes instead of redundancy topology design with certain redundancy (k-connectivity). For example, Stratil (2005) presents an analysis of the requirements to tolerate crash failures in the topology with the help of failure detectors. Gupta and Younis (2003) also studied the efficient recovering mechanism for cluster-head failures. However, since fault detection and recovering are not the focus of this chapter, we do not review them in detail.

Fault Tolerant Design in Coverage and Protection

In sensor networks, the coverage problem (Cardei & Wu, 2006) is also a critical issue during topology design and sensor deployment. Usually each sensor has a sensing range covering a small sensing region, and it can sense certain kinds of events happening inside its sensing region. Thus, we say the sensor covers its sensing region. The main objective of the sensor network is to cover (monitor) an area A, that is, every point in the area should be covered. Some applications may require different degrees of coverage. A network has a coverage degree k (k-coverage) if every location is within the sensing range of at least k sensors. Networks with a higher coverage degree can obtain higher sensing accuracy and be more robust to sensor failures. Given a sensor field with n sensor nodes of sensing range r deployed, and a desired coverage degree k ≥ 1, the minimum k-coverage problem studies how to select a minimal subset of nodes to entirely cover all locations in A such that every location is within the sensing range of at least k different nodes. The minimum k-coverage problem is also a well-known NP-hard problem. Figure 4 illustrates a set of examples of coverage set. Figure 4(a) shows the sensors and their sensing ranges. Assume that the target area A is the big square area v1v3v9v7. Figures 4(b) and 4(c) give two 1-coverage sets (black nodes), while Figure 4(d) gives a 2-coverage set.

Zhou, Das, and Gupta (2004) studied the minimum connected k-coverage problem and give a centralized approximation algorithm that achieves O(log n) approximation ratio. Their method is a greedy algorithm: iteratively adding a set of nodes which maximizes a measure called k-benefit to an initially empty set of nodes. The authors also present a distributed version of their algorithm.

Kumar, Lai, and Balogh (2004) studied k-coverage problem in sensor networks where many sensors are put to sleep for most of their lifetimes. They
first propose a sleep/active schedule, to minimize energy consumption, in which each sensor is active with probability p, independently from the others. Then they derive the critical sensing range for their sleep scheme such that the sensor network achieves k-coverage with high probability.

Yang, Dai, Cardei, and Wu (2006) also studied the minimum connected k-coverage problem with a different coverage assumption. They assumed that the network is sufficiently dense so that point coverage can approximate area coverage. Thus instead of covering the whole area A, they only required covering every sensor in area A. This k-coverage problem is also NP-hard since it is an extension of the k-dominating set problem. They propose a centralized approximation solution based on integer linear programming. The algorithm works by relaxing the problem to ordinary linear programming, where the variables may take real values. They also designed two distributed algorithms. One uses a cluster-based approach to select backbone nodes to form the active set; the other uses the pruning algorithm based on only 2-hop neighborhood information to reduce the number of active sensors.

Notice that the coverage problem studied by Yang et al. (2006) is the same problem studied by Wang, Zhang, and Liu (2006) and Wang, Li, and Zhang (2007) as self-protection problem. A self-protection problem focuses on using sensor nodes to provide protection to themselves instead of the objects or the area, so that they can resist the attacks targeting them directly. A wireless sensor network is p-self-protected, if at any moment, for any wireless sensor (active or non-active), there are at least p active sensors that can monitor it. D. Wang et al. (2006) studied the minimum 1-self protection problem and give a centralized method with 2(1 + log n) approximation ratio, using approximation algorithm for the minimum dominating set, and two randomized distributed algorithms. Wang et al. (2007) provide several efficient centralized and distributed algorithms with constant approximation ratios for the minimum p-self-protection problem in sensor networks with either homogeneous or heterogeneous sensing radius.

Not until recently have coverage and connectivity problems been studied together in sensor networks. Xing, Wang, Zhang, Lu, Pless, and Gill (2005) designed an integrated coverage-configuration protocol to provide both certain degrees of coverage and connectivity guarantee. Zhang and Hou (2005) propose a decentralized density control algorithm to maintain sensing coverage and connectivity in high-density sensor networks. Both Xing et al. (2005) and Zhang and Hou (2005) prove that if the radio range is at least twice the sensing range, complete k-coverage of a convex area implies k-connectivity among the working set of nodes. Recently, Bai, Kuma, Xua, and Lai (2006) studied the optimal deployment pattern to achieve both 1-coverage of an area and 2-connectivity of the sensors. Zhou et al. (2005) propose a set of distributed algorithms to achieve both k-connected and k-covered network by using localized Voronoi and extended relative neighborhood graphs.

Conclusion

Fault tolerance is one of the premier system design desiderata in wireless ad hoc and sensor networks.
0
Fault Tolerant Topology Design for Ad Hoc and Sensor Networks
It is crucial to have a certain level of fault tolerance in most ad hoc and sensor applications, especially for those used in surveillance, security, and disaster relief. In addition, several network security schemes (such as localized intrusion detection) require that the underlying topology provide fault tolerance. In this chapter we discussed various fault tolerant techniques used in topology design, including those for power control, topology control, and sensor coverage. Due to space limits, we did not give all of the detailed algorithms, proofs, and simulation results for most techniques reviewed here. For more details, please refer to the references. Though fault tolerant topology design has attracted considerable attention and has been heavily studied recently, there are still many open problems, such as how to efficiently maintain these proposed fault tolerant topologies. We strongly believe that fault tolerant topology design remains one primary challenge and plays an important role in research of ad hoc and sensor networks.

age and connectivity. In Proceedings of the ACM MobiHoc 2006.

Bettstetter, C. (2002). On the minimum node degree and connectivity of a wireless multihop network. In Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc ’02).

Bose, P., Morin, P., Stojmenovic, I., & Urrutia, J. (2001). Routing with guaranteed delivery in ad hoc wireless networks. ACM/Kluwer Wireless Networks, 7(6), 609-616.

Bredin, J. L., Demaine, E. D., Hajiaghayi, M., & Rus, D. (2005). Deploying sensor networks with guaranteed capacity and fault tolerance. In Proceedings of the ACM MobiHoc 2005.

Calinescu, G., Kapoor, S., Olshevsky, A., & Zelikovsky, A. (2003). Network lifetime and power assignment in ad-hoc wireless networks. In Proceedings of the 11th Annual European Symposium on Algorithms (ESA 2003).
Clementi, A., Huiban, G., Penna, P., Rossi, G., & Verhoeven, Y. C. (2002). Some recent theoretical advances and open questions on energy consumption in ad-hoc wireless networks. In Proceedings of the 3rd Workshop on Approximation and Randomization Algorithms in Communication Networks.

Clementi, A., Penna, P., & Silvestri, R. (2000). The power range assignment problem in radio networks on the plane. In Proceedings of the XVII Symposium on Theoretical Aspects of Computer Science (STACS’00) (LNCS 1770, pp. 651-660).

Dai, F., & Wu, J. (2005). On constructing k-connected k-dominating set in wireless networks. In Proceedings of the International Parallel and Distributed Processing Symposium.

Das, B., & Bharghavan, V. (1997). Routing in ad-hoc networks using minimum connected dominating sets. In Proceedings of the IEEE International Conference on Communications (ICC’97).

Gupta, P., & Kumar, P. R. (1998). Critical power for asymptotic connectivity in wireless networks. In W. M. McEneaney, G. Yin, & Q. Zhang (Eds.), Stochastic analysis, control, optimization and applications: A volume in honor of W.H. Fleming. Boston: Birkhäuser.

Gupta, G., & Younis, M. (2003). Fault-tolerant clustering of wireless sensor networks. In Proceedings of the IEEE Wireless Communications and Networking 2003.

Hajiaghayi, M., Immorlica, N., & Mirrokni, V. S. (2003). Power optimization in fault-tolerant topology control algorithms for wireless multi-hop networks. In Proceedings of the 9th Annual International Conference on Mobile Computing and Networking.

Hao, B., Tang, J., & Xue, G. (2004). Fault-tolerant relay node placement in wireless sensor networks: formulation and approximation. In Proceedings of the IEEE HPRS 2004.

Karp, B., & Kung, H. (2000). GPSR: Greedy perimeter stateless routing for wireless networks. In Proceedings of the ACM International Conference on Mobile Computing and Networking (MobiCom).

Khuller, S., & Vishkin, U. (1994). Biconnectivity approximations and graph carvings. Journal of ACM, 41, 214-235.

Kirousis, L. M., Kranakis, E., Krizanc, D., & Pelc, A. (2000). Power consumption in packet radio networks. Theoretical Computer Science, 243(1-2), 289-305.

Kuhn, F., Moscibroda, T., & Wattenhofer, R. (2006). Fault-tolerant clustering in ad hoc and sensor networks. In Proceedings of the IEEE ICDCS 2006.

Kumar, S., Lai, T. H., & Balogh, J. (2004). On k-coverage in a mostly sleeping sensor network. In Proceedings of the ACM MobiCom 2004.

Li, L., Halpern, J. Y., Bahl, P., Wang, Y.-M., & Wattenhofer, R. (2001). Analysis of a cone-based distributed topology control algorithms for wireless multi-hop networks. In Proceedings of the ACM Symposium on Principle of Distributed Computing (PODC).

Li, N., & Hou, J. C. (2004). FLSS: A fault-tolerant topology control algorithm for wireless networks. In Proceedings of the ACM MOBICOM 2004.

Li, N., Hou, J. C., & Sha, L. (2003). Design and analysis of a mst-based topology control algorithm. In Proceedings of the IEEE INFOCOM 2003.

Li, X.-Y., Wan, P.-J., & Wang, Y. (2001). Power efficient and sparse spanner for wireless ad hoc networks. In Proceedings of the IEEE International Conference on Computer Communications and Networks (ICCCN ’01).

Li, X.-Y., Wan, P.-J., Wang, Y., & Frieder, O. (2002). Sparse power efficient topology for wireless networks. In Proceedings of the 35th IEEE Hawaii International Conference on System Sciences (HICSS-35).

Li, X.-Y., Wang, Y., Wan, P.-J., & Yi, C.-W. (2003). Fault tolerant deployment and topology control for wireless ad hoc networks. In Proceedings of the 4th ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc ’03).

Liu, H., Wan, P.-J., & Jia, X. (2005). Fault-tolerant relay node placement in wireless sensor networks. In Proceedings of the COCOON 2005 (LNCS 3595, pp. 230-239).

Lloyd, L., Liu, R., Marathe, M. V., Ramanathan, R., & Ravi, S. S. (2002). Algorithmic aspects of topology control problems for ad hoc networks. In Proceedings of the 3rd ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc ’02).

Penrose, M. (1997). The longest edge of the random minimal spanning tree. Annals of Applied Probability, 7, 340-361.

Penrose, M. (1999). On k-connectivity for a geometric random graph. Random Structures and Algorithms, 15, 145-164.

Ramanathan, R., & Rosales-Hain, R. (2000). Topology control of multi-hop wireless networks using transmit power adjustment. In Proceedings of the IEEE INFOCOM.

Sanchez, M., Manzoni, P., & Haas, Z. (1999). Determination of critical transmission range in ad-hoc networks. In Proceedings of the Multiaccess, Mobility and Teletraffic for Wireless Communications (MMT ’99).

Seddigh, M., Gonzalez, J. S., & Stojmenovic, I. (2002). RNG and internal node based broadcasting algorithms for wireless one-to-one networks. ACM Mobile Computing and Communications Review, 5(2), 37-44.

Stratil, H. (2005). Fault tolerant topology control with unreliable failure detectors. In Proceedings of the 17th International Conference on Parallel and Distributed Computing and Systems.

Thallner, B., & Moser, H. (2005). Topology control for fault-tolerant communication in highly dynamic wireless networks. In Proceedings of the Third International Workshop on Intelligent Solutions in Embedded Systems.

Wan, P.-J., Alzoubi, K. M., & Frieder, O. (2002). Distributed construction of connected dominating set in wireless ad hoc networks. In Proceedings of IEEE INFOCOM 2002.

Wan, P.-J., & Yi, C.-W. (2004). Asymptotic critical transmission radius and critical neighbor number for k-connectivity in wireless ad hoc networks. In Proceedings of the 5th ACM International Symposium on Mobile Ad hoc Networking and Computing (MobiHoc ’04).

Wan, P.-J., & Yi, C.-W. (2005). Asymptotic critical transmission ranges for connectivity in wireless ad hoc networks with Bernoulli nodes. In Proceedings of IEEE 2005 Wireless Communications and Networking Conference (WCNC 2005), New Orleans.

Wang, Y., Li, X.-Y., & Zhang, Q. (2007). Efficient self protection algorithms for Static wireless sensor networks. In Proceedings of the 50th IEEE Global Telecommunications Conference (Globecom 2007). Extended version to appear in IEEE Transaction on Parallel and Distributed Systems (TPDS), 2008.

Wang, Y., Wang, W., & Li, X.-Y. (2006). Efficient distributed low-cost weighted backbone formation for wireless ad hoc networks. IEEE Transaction on Parallel and Distributed Systems (TPDS), 17(7), 681-693.

Wang, D., Zhang, Q., & Liu, J. (2006). Self-protection for wireless sensor networks. In Proceedings of the IEEE ICDCS 2006.

Wattenhofer, R., Li, L., Bahl, P., & Wang, Y.-M. (2001). Distributed topology control for wireless multihop ad-hoc networks. In Proceedings of the IEEE INFOCOM 2001.

Wu, J., & Li, H. (1999). On calculating connected dominating set for efficient routing in ad hoc wireless networks. In Proceedings of the Third International Workshop on Discrete Algorithms and Methods for Mobile Computing and Communications.

Wu, J., & Li, H. (2000). Domination and its applications in ad hoc wireless networks with unidirectional links. In Proceedings of the International Conference on Parallel Processing.

Xing, G., Wang, X., Zhang, Y., Lu, C., Pless, R., & Gill, C. (2005). Integrated coverage and connectivity configuration for energy conservation in sensor networks. ACM Transactions on Sensor Networks, 1(1), 36-72.

Yang, S., Dai, F., Cardei, M., & Wu, J. (2006). On connected multiple point coverage in wireless sensor networks. Journal of Wireless Information Networks, 13(4), 289-301.

Zhang, H., & Hou, J. (2005). Maintaining sensing coverage and connectivity in large sensor networks. Ad Hoc and Sensor Wireless Networks: An International Journal, 1(1-2), 89-123.

Zhou, Z., Das, S., & Gupta, H. (2004). Connected k-coverage problem in sensor networks. In Proceedings of the International Conference on Computer Communications and Networks.

Zhou, Z., Das, S. R., & Gupta, H. (2005). Fault tolerant connected sensor cover with variable sensing and transmission ranges. In Proceedings of the IEEE MASS 2005.

KEY TERMS

Fault Tolerance: If a network is fault tolerant or k-fault tolerant, it means the network can survive under single or k node/link failures simultaneously.

K-Connectivity: If a network (graph) has k-connectivity, it means that it is k-connected, that is, given any pair of wireless devices (nodes), there are at least k disjoint paths to connect them.

K-Coverage: A sensor network achieves k-coverage if every location is covered by at least k different sensor nodes, that is, every location is within the sensing range of at least k different sensor nodes.

Power Control: Controls the network topology by adjusting the wireless device’s transmission range to minimize energy consumption while maintaining a topology that is connected or has certain desired properties.

Self-Protection: A sensor network is p-self-protected if, at any moment, for any wireless sensor (active or nonactive), there are at least p active sensors that can monitor it.

Topology Control: Let each wireless device locally select certain neighbors for communication, while maintaining a topology that can support energy efficient routing and improve the overall network performance.

Virtual Backbone: A connected backbone formed by a subset of wireless nodes selected to perform communication tasks for the other nodes and the whole network.

Section IV
Security in Wireless PAN/LAN/MAN Networks

Chapter XLI
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
Georgios Kambourakis
University of the Aegean, Greece
Angelos Rouskas
University of the Aegean, Greece
Stefanos Gritzalis
University of the Aegean, Greece
ABSTRACT
Security is always an important factor in wireless connections. As with all other existing radio technologies, the Bluetooth standard is often cited to suffer from various vulnerabilities an… while attempting to optimize the trade-off between performance and complementary services including security. On the other hand, security protocols like IP secure (IPsec) and secure shell (SSH) provide strong, flexible, low cost, and easy to implement solutions for exchanging data over insecure communication links. However, the employment of such robust security mechanisms in wireless realms enjoins additional research efforts due to several limitations of the radio-based connections, for example, link bandwidth and unreliability. This chapter will evaluate several Bluetooth personal area network (PAN) parameters, including absolute transfer times, link capacity, throughput, and goodput. Experiments shall employ both Bluetooth native security mechanisms, as well as the two aforementioned protocols. Through a plethora of scenarios utilizing both laptops and palmtops, we offer a comprehensive in-depth comparative analysis of each of the aforementioned security mechanisms when deployed over Bluetooth communication links.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
quadruple in number between now and 2008, from under 100 million to about 440 million. Bluetooth enabled devices are used in several different environments and cover a wide range of applications. For instance, for mobile applications, the device periodically connects to the network to download music, to transfer files, or to synchronize with one’s desktop on calendar and other files. Consequently, the safety and security of these applications, for instance, the security of the private information stored on the devices, becomes a major issue. By attacking actively or passively the communication link, aggressors could obtain personal and also important business data. However, security features (Gehrmann, Persson, & Smeets, 2004) must be carefully considered and analyzed in order to decide whether Bluetooth technology indeed provides the right answer for any particular task or application.

The Bluetooth standard has been long criticized for various vulnerabilities and security inefficiencies, as its designers are trying to balance between performance and complementary services including security. So far, both the Bluetooth Special Interest Group (SIG) (Bluetooth SIG, 2003) and several researchers have made significant contributions on Bluetooth security aspects, discovering numerous vulnerabilities and potential weaknesses and proposing solutions (Adam, 2003; Gehrmann & Nyberg, 2002; Jacobson & Wetzel, 2001; Persson & Manivannan, 2003; Shaked & Wool, 2005). For example, the Bluetooth pairing procedure has been anticipated to be weak under certain circumstances. Moreover, other categories of threats, either active or passive, have also been investigated, including ad hoc security issues, malicious software like “Cabir,” war-nibbling, and so forth.

An obvious choice for any Bluetooth application would be to use Bluetooth encryption provided at the link layer. Virtually all Bluetooth devices support this feature, and it is, in most cases, considered to be adequately secure. However, this may not be applicable for all deployment scenarios. In order to establish a secure channel with another Bluetooth device, a preshared secret called PIN is required. A symmetric key is generated from this PIN. On customer devices this PIN typically consists of four or five digits. Supposing a whole piconet network would utilize this PIN to encrypt its communication, anyone acquiring this PIN could theoretically decrypt all communication. On top of that, in applications like VoIP that mandate IP connectivity to access points (APs), the encryption would end at the AP, which means that the AP, or any host that can manipulate the communication between the Mobile Device and the other end, can expose the data (see Figure 1). Thus, it is obvious that Bluetooth encryption is not well suited for all applications which may exploit Bluetooth connections.

Under these circumstances and for certain classes of security sensitive applications deployed in Bluetooth PAN networks, the investigation of complementary and advanced security protocols apart from Bluetooth’s native security mechanisms, even if deployed as an interim countermeasure, is an interesting research issue. On the other hand, as Bluetooth wireless technology is targeting devices with particular needs and constraints (e.g., processing power and battery consumption), the trade-offs between security services and performance must be carefully considered. Furthermore, considering that radio links in general suffer from limited bandwidth and are unreliable by nature, performance issues must be thoroughly investigated to make a decision whether certain security protocols and their mechanisms are advantageous over Bluetooth connections, delivering robust and agile security services within tolerable service response times.
During the last few years, several researchers have examined various Bluetooth security parameters and some of them do explore performance parameters (e.g., Chakraborty, 2000; De Morais Cordeiro, Sadok, & Agrawal, 2001; Francia, Kilaru, Le Phuong, & Vashi, 2004; Golmie & Rebala, 2003; Howitt, 2002; Karnik & Kumar, 2000; Kitsos et al., 2003; Lim et al., 2001; Miorandi, Caimi, & Zanella, 2003; Wang, Arumugam, & Krishna, 2002). However, to the best of our knowledge, none of these works focus on performance evaluation comparing Bluetooth’s native security mechanisms with well-respected, strong security protocols like IPsec and SSH.

The chapter will focus on the performance of existing protocols and mechanisms rather than on security itself, estimating the performance of both the built-in Bluetooth security mechanisms, namely security modes, and two other standard security protocols operating at different layers of the TCP/IP protocol suite, namely SSH and IPsec. Protocols like SSH and IPsec provide robust, flexible, costless, and easy to implement solutions for exchanging data over insecure communication links. However, although their deployment is a well established and accustomed practice in the wireline world, more research effort is needed for wireless links, due to the several aforementioned limitations. Depending on the scenario involved, the user may utilize SSH or IPsec security services, either individually or in combination with Bluetooth security modes, allowing applications to communicate securely, constructing a secure tunnel. Thus, in a sense, the whole procedure can also be seen as the deployment of small VPNs in Bluetooth PANs. Note however, that the efficiency of the SSH and IPSec depends mainly on the performance of the used end-system. On the contrary, Bluetooth security native modes utilize the hardware encryption of the Bluetooth chip, thus performance depends heavily on the chip per se. This situation will allow us to make several observations about different layer security mechanisms when deployed over dissimilar user devices.

Specifically, the chapter will evaluate several personal area network (PAN) parameters, including transfer times, link capacity, and throughput. Experiments shall employ both Bluetooth native security mechanisms as well as the two aforementioned protocols. Through a plethora of scenarios, utilizing both laptops and palmtops, we intend to offer a comprehensive in-depth comparative analysis of each of the aforementioned security mechanisms when deployed over Bluetooth communication links.

The rest of the chapter is structured as follows. The next section gives an overview of our experimental test-bed related parameters and procedures, while the third section presents the derived performance measurement results. The fourth section offers an analytical discussion over the conducted results. The chapter finishes with some concluding thoughts and future directions of this work.

EXPERIMENTAL FRAMEWORK DESCRIPTION

The experimental topology consists of two pairs of machines. The first pair of Bluetooth devices employs a laptop and a palmtop machine, while the other consists of two similar laptop machines. The members of each pair are located 10 meters apart and connected via Bluetooth adapters (or built in Bluetooth chip), thus forming a small two-member wireless PAN (WPAN) or piconet. The main components’ characteristics, both software and hardware, are presented in Table 1. To estimate the performance of the Bluetooth network, the data were transmitted from one network node (server) to the other (client). Hence, in order to record the incoming and outcoming packets between the corresponding network entities and to calculate the network performance parameters we utilized on the server side the well known network analyzer “ethereal” (www.ethereal.com), version 0.10.12, which in turn uses the “tcpdump” tool. In addition, for the Linux environment, we employed the BlueZ official Linux Bluetooth protocol stack (www.bluez.org), which provides support for the core Bluetooth layers and protocols.

Bluetooth supports three different security modes called security modes I, II, and III, but in
Palmtop Client
Model        HP iPAQ h540
Processor    400 MHz Intel XScale PXA250
RAM          64 MB
Figure 2. Average metric values for network parameters measured/Bluetooth Modes I and III
[Plots of Mode I versus Mode III by file size (MB); recovered axis labels: seconds, kbps]
decreased. Measurements were gathered during repeated FTP file transfers, between the laptop server and the PDA client from the one hand and between the laptop client and server from the other. Each file was transferred twelve times and only average values were recorded. In all scenarios, the ping response times between client and server were varying among 19.7 and 21.8 msecs. Due to space limitations, in the following first three subsections we present only the analytical results derived from the laptop server/PDA client, which is without doubt the most interesting one, while some indicative corresponding comparisons with the other laptop client–server pair are exhibited in the subsection titled “Comparison Between PDA and Laptop Clients.”

Bluetooth Security Modes I and III Evaluation

Measurements for testing Bluetooth modes I and III were gathered by transferring four different files between each client–server pair. The files’ sizes were 5.26, 7.0, 10.5, and 15 Mbytes, respectively. Figure 2 provides a graphical representation of these values comparing TT times achieved in the PDA client–laptop server piconet. As we can easily notice, the results are generally as expected, but there are some interesting points which need further analysis. At first, the TT metric is slightly higher for mode III, as well as the ATR is higher for mode I. This happens because mode III mandates authentication (handshake) at the beginning of each transaction. Keep in mind that the handshake time is included in TT too. Moreover, encryption algorithms are applied during the transaction for mode III and as a result the overall transfer time is increased. We can also perceive that the larger the file size is, the longer the TT difference between mode I and mode III is expected to be. This situation is also depicted in the respective plot of Figure 2. In general, these measurements advocate that mode I utilizes the network better than mode III. Because of the volatile nature of the wireless link, we also report standard deviation (SD) for the measured values in Table 2.

Secure Shell (SSH) Evaluation

Experimental procedures for the SSH mechanism (IETF, 2006; OpenSSH, 2006) consider the transfer of the same four files, as before, between the client and the server. Table 3 displays the average times of all metrics used, while Table 4 presents the corresponding standard deviation values.

As we can notice, SSH gives highly increased transfer times when compared to Bluetooth security modes. For instance, we can spot a difference of +12.6 seconds to +13.4 seconds for the smallest file depending on the cipher used. Moreover, it is more than obvious that all the ciphers used are more or less of the same performance. This is easily proven if we examine for example the achieved transfer rates in each case, which show very slight differences.

Another interesting assumption that we can make is that as the size of the file increases, the achieved transfer rate and the throughput become bigger. This happens because of the procedure of the authentication which takes place during the initial SSH handshake. In any case it should be noted that the improvements in the achieved transfer rates induced by SSH, always compared to Bluetooth security mode I, are negative for any scenario. This means that Bluetooth’s native mechanisms offer better bandwidth and network utilization at almost all cases examined. This remark is confirmed by the values given in Table 5.

Table 5. % ATR deterioration for SSH

Size    Bluetooth Mode I    3DES     AES128    RC4      Blowfish
5.26    618.0               -14.8    -15.0     -15.2    -15.3
7       620.2               -10.4    -10.4     -10.6    -10.9
10.5    621.2               -6.3     -6.2      -6.4     -11.0
15      621.4               -2.9     -2.9      -3.3     -3.3

IPsec Evaluation

The procedure for the IPsec protocol (Kent & Atkinson, 1998a, 1998b) considers once again the transfer of the same four files between the client and the server. IPsec uses two mechanisms (protocols) that may be used independently or jointly to secure the outcoming traffic, namely authentication header (AH) offering data origin, connectionless data integrity, and optionally replay protection, and encapsulating security payload (ESP) offering confidentiality and protection against traffic analysis. In our scenarios we utilized both mechanisms, using the MD5 and SHA1 algorithms for integrity and DES and 3DES to support confidentiality services. Note however that MD5 is not considered secure anymore and is reported here for the sake of completeness. In total, we deployed six scenarios as shown in Table 6.

Table 6. Average values for network parameters measured (IPsec)

                  5.26 MB                            7 MB
                  TT (sec)  ATR (Kbps)  THR (%)      TT (sec)  ATR (Kbps)  THR (%)
AH_MD5            72.8      683.4       94.5         100.0     682.8       94.4
AH_SHA1           72.8      683.2       94.5         99.9      683.0       94.5
ESP_DES_MD5       74.4      681.0       95.0         102.0     686.6       95.0
ESP_3DES_MD5      73.8      681.0       95.7         102.2     685.2       94.8
ESP_DES_SHA1      74.2      680.0       95.2         102.0     686.6       95.0
ESP_3DES_SHA1     74.2      681.0       95.2         101.8     688.2       95.2

                  10.5 MB                            15 MB
                  TT (sec)  ATR (Kbps)  THR (%)      TT (sec)  ATR (Kbps)  THR (%)
AH_MD5            145.9     682.6       94.4         205.2     683.4       94.5
AH_SHA1           145.7     683.4       94.5         205.1     683.8       94.6
ESP_DES_MD5       148.6     688.2       95.2         208.9     688.8       95.3
ESP_3DES_MD5      148.6     687.8       95.1         209.1     688.0       95.2
ESP_DES_SHA1      148.5     688.4       95.2         209.2     688.0       95.2
ESP_3DES_SHA1     148.6     688.0       95.2         210.5     683.6       94.6

First and foremost, all network metrics for IPsec are remarkably concentrated. Standard deviation
Table 8. ATR % improvement for IPsec

File Size   Bluetooth Mode_I   AH_MD5   AH_SHA1   ESP_DES_MD5   ESP_DES_SHA1   ESP_3DES_MD5   ESP_3DES_SHA1
5.26        618.0              10.6     10.6      11.1          11.4           11.9           11.4
7           620.2              10.1     10.1      10.7          10.7           11.5           11.0
10.5        621.2              9.9      10.0      10.8          10.8           10.7           10.8
15          621.4              10.0     10.0      10.8          10.7           10.7           10.0
Figure 3. Comparison of network transfer times between Laptop and PDA clients
[Two panels: SSH transfer time (7 Mb) and IPsec transfer time (7 Mb); y-axis: seconds]
TT times remain very close to those of Bluetooth security modes. The same situation is confirmed by the minimum standard deviation values that characterize the IPsec case. Also in this case, SSH gives the worst performance compared with IPsec and Bluetooth native security modes.

COMMENTS ON THE RESULTS

This section provides a comparative view of the conducted results. Also, we attempt to provide a better explanation of the experiment outcomes. But before that we must shortly discuss important characteristics of Bluetooth connections that may affect the performance of the connection. Bluetooth employs frequency hopping spread spectrum (FHSS) to avoid interference. There are 79 (23 in some countries) hopping frequencies, each having a bandwidth of 1 MHz. Frequency hopping is assisted with fast automatic repeat request (ARQ), cyclic redundancy check (CRC), and forward error correction (FEC) to achieve high reliability on the wireless links. All the data/control packet transmissions are synchronized by the master. Slave units can only send in the slave-to-master slot after being addressed in the preceding master-to-slave slot, with each slot lasting 625 microseconds.

For real-time data such as video, synchronous connection oriented (SCO) links are used, while for data transmission, asynchronous connectionless link (ACL) links are employed. There are several ACL packet types, differing in packet length and whether they are FEC coded or not. The FEC coding scheme used in ACL DM mode is a shortened Hamming code, where each block of 10 information bits is encoded into a 15 bit codeword, and is capable of correcting a single bit error in each block. Table 9 shows the different ACL packet types and their properties. The values in the table are theoretical without packet overhead. For example, over an ACL link using DH5, one can send about 300 to 320 kbit/s of UDP user data, while the theoretical limit is 433.9 kbit/s.

This means that in order to overcome the effect of low and varying link quality on throughput, the selection of the optimal link layer packet size, under estimated channel conditions, is crucial. Indeed some research work (Chen, Kapoor, Sanadidi, & Gerla, 2004) points this out by evaluating the “optimal” link layer packet size based on the current bit error rate of the channel. Moreover, in regions where Wi-Fi networks coexist with Bluetooth, and because Wi-Fi and Bluetooth utilize spectrum in different ways, they can cause considerable interference between each other (depending on the relative location of the 802.11b and Bluetooth devices) (Yip & Kwok, 2004). By transmitting at the highest power level, Bluetooth class 1 devices would create more interference than Bluetooth’s class 2 and class 3 devices, which transmit at lower power levels. Furthermore, because each Bluetooth PAN will occupy the entire ISM band, two or more coexisting Bluetooth PANs will occasionally collide, possibly causing loss of data packets. Of course, apart from implementation issues (e.g., protocol stacks), the aforementioned parameters are closely related and can affect real Bluetooth connections and the results gathered in this chapter. For instance, all experiments were conducted inside the coverage area of the University’s hot-spot.

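Table 9. Packet types for Bluetooth ACL Connections (theoretical values)

| Mode | FEC | Packet Size (bytes) | Symmetric (kbps) | Asymmetric (kbps) | Asymmetric (kbps) |
|------|-----|---------------------|------------------|-------------------|-------------------|
| DM1 | 2/3 | 0-17 | 108.8 | 108.8 | 108.8 |
| DM3 | 2/3 | 0-121 | 258.1 | 387.2 | 54.4 |
| DM5 | 2/3 | 0-227 | 286.7 | 477.8 | 36.3 |
| DH1 | no | 0-27 | 172.8 | 172.8 | 172.8 |
| DH3 | no | 0-183 | 390.4 | 585.6 | 86.4 |
| DH5 | no | 0-339 | 433.9 | 723.2 | 57.6 |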
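The rates in Table 9 follow from the 625 microsecond slot and the payload sizes. The sketch below is an added example, not part of the chapter: it re-derives each rate and flags rows whose printed payload and rates disagree. The slot count per packet type and the one-slot return packet in the asymmetric case are assumptions taken from the Bluetooth baseband specification, and reading the last two columns as forward and reverse rates is likewise an assumption.

```python
"""Cross-check Table 9 against the 625 microsecond slot timing (added example)."""

SLOT_S = 625e-6  # slot duration stated in the chapter

# Table 9 as printed: maximum payload (bytes), symmetric rate, and the two
# asymmetric rates (kbit/s). Treating the last two columns as forward and
# reverse direction is an assumption of this example.
TABLE_9 = {
    "DM1": (17, 108.8, 108.8, 108.8),
    "DM3": (121, 258.1, 387.2, 54.4),
    "DM5": (227, 286.7, 477.8, 36.3),
    "DH1": (27, 172.8, 172.8, 172.8),
    "DH3": (183, 390.4, 585.6, 86.4),
    "DH5": (339, 433.9, 723.2, 57.6),
}


def slots(mode):
    """Slots occupied by a packet: the digit in its name (assumption taken
    from the Bluetooth baseband specification, not from the chapter)."""
    return int(mode[-1])


def rate_kbps(payload_bytes, cycle_slots):
    """Payload bits carried once per cycle of `cycle_slots` slots."""
    return payload_bytes * 8 / (cycle_slots * SLOT_S) / 1000.0


def derived_rates(mode, payload_bytes=None):
    """(symmetric, forward, reverse) rates in kbit/s for one packet type.

    Symmetric: both directions use the same multi-slot packet.
    Asymmetric: the reverse direction answers with the one-slot packet of
    the same family (DM1 or DH1), so a cycle lasts slots(mode) + 1 slots.
    """
    if payload_bytes is None:
        payload_bytes = TABLE_9[mode][0]
    n = slots(mode)
    reverse_payload = TABLE_9[mode[:2] + "1"][0]
    return (rate_kbps(payload_bytes, 2 * n),
            rate_kbps(payload_bytes, n + 1),
            rate_kbps(reverse_payload, n + 1))


def inconsistent_rows(tolerance=0.1):
    """Packet types whose printed rates differ from the derived ones."""
    bad = []
    for mode, (_, *printed) in TABLE_9.items():
        derived = derived_rates(mode)
        if any(abs(p - d) > tolerance for p, d in zip(printed, derived)):
            bad.append(mode)
    return bad


def implied_payload(mode):
    """Payload size (bytes) that the printed symmetric rate corresponds to."""
    symmetric_kbps = TABLE_9[mode][1]
    bits = symmetric_kbps * 1000.0 * 2 * slots(mode) * SLOT_S
    return round(bits / 8)


if __name__ == "__main__":
    for mode in TABLE_9:
        print(mode, [round(r, 1) for r in derived_rates(mode)])
    for mode in inconsistent_rows():
        print(mode, "printed rates imply a payload of",
              implied_payload(mode), "bytes")
```

Run as a script, it reports that only the DM5 row is inconsistent: its printed rates correspond to a 224-byte payload rather than the 227 bytes listed.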
Evaluating Security Mechanisms in Different Protocol Layers for Bluetooth Connections
rying about. According to some other works (e.g., FreeSwan, 2002) utilizing low-end machines, a 60 MHz Pentium running a host-to-host tunnel to another machine shows an FTP throughput of slightly over 5 Mbit/s either way. Thereafter, we can conclude that in our case the IPsec mechanisms running on “relatively” low-end processors are not really a bottleneck. The overall performance is rather affected most by the quality of the Bluetooth link itself, meaning that due to better utilization of the link and possibly due to optimal ACL scheme and lower packet drop rate, IPsec performs slightly better than native Bluetooth modes do.

In Figure 6, we present some indicative Ethereal screens that show why in practice IPsec performs better than the other two in terms of the additional protocol overhead induced. These screens illustrate the overall network statistics for Bluetooth mode III and IPsec AH_MD5, respectively. The “Data” section corresponds to the overall percent of data that were sent from the server towards the PDA client for the 6MB 2. 5 file. We observe that IPsec needs a considerably lower percent of TCP data packets to complete the transaction (49.63%) than Bluetooth mode III, which requires 66.24%. Note that, excluding ARP messages, the remaining percent corresponds to control information sent from the client to the server including ACKs, retransmissions, and so forth. Therefore, IPsec utilizes the link better, achieving higher performance.

Another important factor that may affect the conducted results is the operating system itself. For that we performed partial measurements using the Windows XP operating system in the laptop client, while keeping all the other test-bed parameters unchanged. Under this setting, we observed significantly fewer packet retransmissions and logged fairly better times. For example, for Bluetooth mode III and file size MB 5. 0 1 we got an average transfer time of 150 seconds, namely 5 seconds better than Linux. One can presume that the Bluetooth stack is better implemented in Windows than in Linux or the Bluetooth adapters that we used perform better under Windows, perhaps due to their drivers’ implementation. Nevertheless, a detailed analysis of this

Figure 5. Comparison of network throughput for six different scenarios (PDA client). [Chart "Comparison of Throughput for different scenarios": percentage (%) against file sizes for MODE I, MODE III, DES, Blowfish, AH_SHA, and ESP_DES_SHA.]

Figure 6. Ethereal screens with protocol hierarchy statistics (PDA client)
This chapter addresses performance issues for Bluetooth host-to-host connections. Three distinct categories of scenarios were used to test whether well respected security mechanisms of Internet and application layers of the TCP/IP suite are advantageous when deployed over Bluetooth PANs compared to Bluetooth native security modes. The results disclose that IPsec better utilizes the wireless link and thus provides radically improved transfer times when compared with SSH. Native Bluetooth modes service times are close to those of IPsec and thus significantly better than SSH ones. On the other hand, there is an important disadvantage, which is the high amount of memory resources IPsec consumes.

As future work we would like to expand this study, investigating the performance of asymmetric cryptography mechanisms, for example, public key certificates, and to support authentication services in the context of such protocols that promote automatic keying. Another direction is to detect how much energy is required for this sort of secure connections, as mobile devices cannot afford batteries with unlimited capacity.

De Morais Cordeiro, C., Sadok, D., & Agrawal, D. P. (2001). Modeling and evaluation of Bluetooth MAC protocol. In Proceedings of Tenth International Conference on Computer Communications and Networks (pp. 518-522).

Francia, G., Kilaru, A., Le Phuong, & Vashi, M. (2004). An empirical study of Bluetooth performance. In Proceedings of the 2nd Annual Conference on Mid-South College Computing, ACM International Conference Proceeding Series (Vol. 61, pp. 81-93).

FreeSwan. (2002). Performance of FreeSwan. Retrieved October 14, 2007, from http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/performance.html

Gehrmann, C., & Nyberg, K. (2002). Enhancements to Bluetooth baseband security. Ericsson Mobile Communications AB, Ericsson Research.

Gehrmann, C., Persson, J., & Smeets, B. (2004). Bluetooth security. Artech House Publishers.

Golmie, N., & Rebala, O. (2003). Techniques to improve the performance of TCP in a mixed Bluetooth
and WLAN environment. In Proceedings of IEEE International Conference on Communications, ICC, Anchorage, AK, (pp. 1181-1185).

Howitt, I. (2002). Bluetooth performance in the presence of 802.11b WLAN. IEEE Transactions on Vehicular Technology, 51(6), 1640-1651.

IEEE. (2002). Wireless PAN medium access control MAC and physical layer PHY specification. IEEE standard 802.15.1. New York: IEEE. Retrieved October 14, 2007, from http://www.ieee802.org/15/

IETF. (2006). IETF secure shell (secsh) working group. Retrieved October 14, 2007, from http://tools.ietf.org/wg/secsh/

Jacobson, M., & Wetzel, S. (2001). Security weaknesses in Bluetooth. In Proceedings of the Conference on Topics in Cryptology: The Cryptographer’s track at RSA (LNCS 2020, pp. 176-191).

Karnik, A., & Kumar, A. (2000). Performance analysis of the Bluetooth physical layer. In Proceedings of IEEE International Conference on Personal Wireless Communications (pp. 70-74).

Kent, S., & Atkinson, R. (1998a). IP authentication header (AH) (IETF RFC 2402).

Kent, S., & Atkinson, R. (1998b). IP encapsulating security payload (ESP) (IETF RFC 2406).

Massey, J., Khachatrian, G., & Kuregian, M. (1998). Nomination of SAFER+ as candidate algorithm for the advanced encryption standard (AES). In Proceedings of the 1st Advanced Encryption Standard Candidate Conference. Retrieved October 14, 2007, from www.ee.princeton.edu/~rblee/safer+

Miorandi, D., Caimi, C., & Zanella, A. (2003). Performance characterization of a Bluetooth piconet with multi-slot packets. In Proceedings of the WiOpt’ 03.

Misic, J., Chan, K. L., & Misic, V. B. (2005). TCP traffic in Bluetooth 1.2: Performance and dimensioning of flow control. In Proceedings of WCNC ’05 (pp. 1798-1804).

OpenSSH. (2006). OpenSSH project home page. Retrieved October 14, 2007, from http://www.openssh.org

Persson, K., & Manivannan, D. (2003). Secure connections in Bluetooth scatternets. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS ‘03) (p. 314b).

Shaked, Y., & Wool, A. (2005). Cracking the Bluetooth PIN. In Proceedings of the 3rd ACM International Conference on Mobile Systems, Applications, and Services (pp. 39-50). ACM Press.

Wang, F., Arumugam, N., & Krishna, G. H. (2002). Performance of a Bluetooth piconet in the presence of IEEE 802.11 WLANs. In Proceedings of the 13th IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (Vol. 4, pp. 1742-1746).

Yip, H. K., & Kwok, Y-K. (2004). A performance study of packet scheduling algorithms for coordinating colocated Bluetooth and IEEE 802.11b in a Linux machine. In Proceedings of the 7th International Symposium on Parallel Architectures, Algorithms and Networks (ISPAN’04).

Yujin, L., Jesung, K., Sang, L. M., & Joong, S. M. (2001). Performance evaluation of the Bluetooth-based public Internet access point. In Proceedings of the 15th International Conference on Information Networking (pp. 643-648).

KEY TERMS

Bluetooth: An industrial specification for wireless personal area networks (PANs). Bluetooth provides a way to connect and exchange information between devices such as mobile phones, laptops, PCs, printers, digital cameras, and video game consoles via a secure, globally unlicensed short-range radio frequency.

Goodput: The application level throughput, that is, the number of useful bits per unit of time
forwarded by the network from a certain source address to a certain destination, excluding protocol overhead retransmissions, and so forth.

IEEE 802.15: The IEEE 802.15 WPAN working group focuses on the development of consensus standards for personal area networks or short distance wireless networks. These WPANs address wireless networking of portable and mobile computing devices such as PCs, PDAs, peripherals, cell phones, pagers, and consumer electronics, allowing these devices to communicate and interoperate with one another. The IEEE Project 802.15.1 has derived a wireless personal area network standard based on the Bluetooth v1.1 Foundation Specifications.

IPsec: IPsec (IP security) is a suite of protocols for securing Internet protocol communications by encrypting and/or authenticating each IP packet in a data stream. IPsec also includes protocols for cryptographic key establishment. There are two modes of IPsec operation: transport mode and tunnel mode. IPsec is implemented by a set of cryptographic protocols for securing packet flows. Specifically, the authentication header (AH) protocol provides authentication, payload (message), and IP header integrity (with some cryptography algorithm also nonrepudiation). On the other hand, the encapsulating security payload (ESP) protocol provides data confidentiality, payload (message) integrity, and with some cryptography algorithm also authentication.

Network Performance: The level of quality of service of a telecommunications resource, protocol, or product.

Secure Shell or SSH: A set of standards and an associated network protocol that allows establishing a secure channel between a local and a remote computer. It uses public-key cryptography to authenticate the remote computer and to optionally allow the remote computer to authenticate the user. SSH provides confidentiality and integrity of data exchanged between the two computers using encryption and MACs.

Throughput: The amount of digital data per time unit that are delivered to a certain terminal in a network, from a network node, or from one node to another, for example, via a communication link.
Chapter XLII
Bluetooth Devices Effect on
Radiated EMS of Vehicle Wiring
Miguel A. Ruiz
University of Alcala, Spain
Felipe Espinosa
University of Alcala, Spain
David Sanguino
University of Alcala, Spain
ABSTRACT
The electromagnetic energy source used by wireless communication devices in a vehicle can cause electromagnetic compatibility problems with the electrical and electronic equipment on board. This work
is focused on the radiated susceptibility (electromagnetic susceptibility [EMS]) iss
method for quantifying the electromagnetic influence of wireless radio frequency (RF) tran
board vehicles. The key to the analysis is the evaluation of the relation between the el
by a typical Bluetooth device operating close to the automobile’s electrical and electronic systems and
the field level specified by the electromagnetic compatibility (EMC) directive 2004/104/EC for radia
susceptibility tests. The chapter includes the model of a closed circuit structure emulating an automobile
electric wire system and the simulation of its behaviour under electromagnetic field
to this a physical structure is designed and implemented, which is used for laboratory tests. Finally,
simulated and experimental results are compared and the conclusions obtained are discussed.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
context, the present work appears in order to bring up methods and results that contribute to establishing the limits of the possible risks of using wireless devices inside the automobile, and more precisely those based on Bluetooth technology.

To frame the problem, the trends in the automobile field that favour the incorporation of new electrical and electronic systems (X-by-Wire technology) (Leen & Hefferman, 2002; Mazo, Espinosa, Awawdeh, & Gardel, 2005) over the current mechanical systems are mentioned, aspects of the automotive electromagnetic compatibility (EMC) standard 2004/104/EC (2004) for evaluation of susceptibility/immunity in vehicles are detailed, and the interest in focusing the study on the widespread Bluetooth wireless communication technology is justified. However, there are questions not regulated by 2004/104/EC concerning the use of Bluetooth devices, which raise uncertainties about the risk derived from their use.

To get a better knowledge of this issue, we raise a few questions regarding the growing role of electronic equipment in the automobile, the characteristics of commercial Bluetooth devices, some notes about the European EMC directive that applies to vehicles, and last but not least, some of the gaps in the directive concerning Bluetooth wireless devices in this context.

The Increase in Electrical and Electronic Components in Automobiles

It is clear that nowadays on-board electronic components play an important role in vehicles (Bannatyne, 2000; Leen & Hefferman, 2002; Mazo et al., 2005), as much for the increase in the number of electronically controlled units (ECUs) as for the complexity of the communication system (field buses) implemented.

Continuous development in the industrial automobile sector means that dynamic systems that have traditionally been of a mechanical and hydraulic nature, such as the steering, braking, and acceleration, are being replaced by electronic ones, which leads to the proposal of networks such as X-by-Wire with its own protocol (Mazo et al., 2005).

Taking advantage of the trend towards the use of DC voltage supplies of 36-42 volts instead of the 12-14 volts currently used, an increase in electronics is being adopted to control key elements of the automobile such as the steering, braking, and acceleration. For example, the car uses a range of electric actuators and also has an innovative driver interface. The driver has all the vehicle functionality in a special steering wheel, which is used for acceleration and braking as well as for steering and gear shifting. The vehicle uses a conventional engine for propulsion but electromechanical actuators for braking, clutching, and gear shifting (Larses, 2003).

With the progress of X-by-Wire technology, in-vehicle data traffic is always growing. Conventionally, individual wire harnesses were used for data transfers between control units and their associated sensors or display devices. As the number of control units and associated devices increases, the number of wire harnesses and interconnections required is swelling. The in-vehicle local-area network (controller area network [CAN], local interconnect network [LIN], and FlexRay) provides an answer to this problem: it minimises the use of individual wire harnesses for data exchanges and reduces both interconnections and vehicle weight, trying to improve consumption, power, security, and comfort.

However, associated with these electronic and communication innovations, new sources of potential equipment failure appear, leading to the necessity to continue working on both diagnosis and prognosis in the automotive sector.

Bluetooth Devices and Applications in Automobiles

The presence of radio frequency transmitters in automobiles, as a way to serve multiple wireless communication appliances, continues to grow. Apart from the well known uses for assistance and entertainment (GPS, laptops, PDAs, digital cameras, portable multimedia devices CD/DVD, etc.), others such as remote diagnosis, traffic control, accident assistance, and so forth are being promoted (Campos, Mills, & Graves, 2002; Mazo et al. 2005).
There are several wireless technologies (WiFi, DSRC, Zigbee, etc.) available to automobile manufacturers and users, but at present the most widely used is Bluetooth. Although the functionality and operation of each technology is different, they have in common the incorporation of a transmitter or an electromagnetic energy source in the environment in which they operate. This extra energy can cause any kind of failure on equipment situated close to the transmitter, as is the case of ECUs on board a vehicle where the driver introduces several wireless devices. At the same time, the metal cage of the vehicle can act as a concentrating reflector, amplifying radio frequency (RF) density emitted by different radiation sources to higher and potentially more dangerous levels.

Bluetooth is an open technology that works with low power and is designed for short range (10 m-100 m), leading to being widely used in transport applications in general and in automobiles in particular. The operating frequency range is within the industrial, scientific, and medical (ISM) band, from 2.4 GHz to 2.4835 GHz. The frequency range is divided into 79 individual RF channels, each one separated by 1 MHz. The output levels are divided into three classes (SIG, 2006): class I (100 mW, +20 dBm), class II (2.5 mW, +4 dBm) and class III (1 mW, 0 dBm).

The equation that determines the frequency for each one of the channels is as follows:

$$F\,(\mathrm{MHz}) = 2402 + k, \quad k = 0, \ldots, 78$$

Bluetooth technology, where a logic 1 level is represented by a positive frequency shift and a logic 0 level is represented by a negative frequency shift. Keeping all this in mind, a Bluetooth transmitter, from an EMC viewpoint, can be considered as an interfering RF source in the 2.4 to 2.4835 GHz frequency band.

Two levels of Bluetooth technology application can be considered inside an automobile: Bluetooth integrated into the vehicle at a system level and Bluetooth at a user device level. From a user device level point of view, Bluetooth technology allows electronic mobile devices such as PDAs, laptops, GPSs, handsfree sets, or cell phones to be connected inside the vehicle, as seen in Figure 1.

The concept of ‘Bluetooth integrated into the vehicle at a system level’ is used when a Bluetooth network can provide a functionality and versatility similar to a vehicle control cabled network (e.g., CAN bus), which is nowadays the most widespread solution (network and protocol) in vehicles.

Directive 2004/104/CE for the Assessment of EMC in Vehicles

In Europe, EMC activity in automobiles is regulated by the recent directive on electromagnetic

Figure 1. Typical applications of Bluetooth in vehicles
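The channel plan (F = 2402 + k MHz for 79 channels) and the three power classes are enough to treat a Bluetooth transmitter as an interference source. The sketch below is an added example, not part of the chapter: it checks the channels against the 20 to 2000 MHz test range and the 25 and 30 V/m levels that the chapter later attributes to directive 2004/104/EC, and estimates field strength with the textbook free-space formula E = sqrt(30·P·G)/d. The antenna gain of 2 and the λ/2π near-field rule of thumb are assumptions of the example.

```python
"""Bluetooth transmitter as an RF interference source (added example)."""
import math

# Power classes as listed in the chapter: class -> (mW, dBm).
POWER_CLASSES = {"I": (100.0, 20.0), "II": (2.5, 4.0), "III": (1.0, 0.0)}

# Test range (MHz) and field levels (V/m) that the chapter attributes to the
# radiated-susceptibility test of directive 2004/104/EC.
TEST_RANGE_MHZ = (20.0, 2000.0)
TEST_LEVELS_V_PER_M = (25.0, 30.0)

ANTENNA_GAIN = 2.0  # linear gain; assumption of this example


def channel_mhz(k):
    """Centre frequency of RF channel k: F = 2402 + k MHz, k = 0..78."""
    if not 0 <= k <= 78:
        raise ValueError("channel index must be in 0..78")
    return 2402 + k


def channels_covered_by_test():
    """Channels whose frequency falls inside the directive's test range."""
    low, high = TEST_RANGE_MHZ
    return [k for k in range(79) if low <= channel_mhz(k) <= high]


def mw_to_dbm(power_mw):
    """Convert a power in milliwatts to dBm."""
    return 10.0 * math.log10(power_mw)


def far_field_v_per_m(power_mw, distance_m, gain=ANTENNA_GAIN):
    """Free-space RMS field strength, E = sqrt(30 * P * G) / d.

    Textbook far-field estimate (not from the chapter); it says nothing
    reliable about distances inside the reactive near field.
    """
    return math.sqrt(30.0 * (power_mw / 1000.0) * gain) / distance_m


def reactive_near_field_m(freq_mhz):
    """lambda / (2 * pi): rule of thumb for the radius of the reactive
    near field of a small antenna (assumption of this example)."""
    wavelength_m = 299.792458 / freq_mhz
    return wavelength_m / (2.0 * math.pi)


def profile(power_class, freq_mhz=2441):
    """Summarise one power class against the directive's test levels."""
    power_mw, _ = POWER_CLASSES[power_class]
    e_1m = far_field_v_per_m(power_mw, 1.0)
    boundary = reactive_near_field_m(freq_mhz)
    crossings = {}
    for level in TEST_LEVELS_V_PER_M:
        # E falls as 1/d, so the estimate reaches `level` at E(1 m) / level.
        distance = e_1m / level
        crossings[level] = {"distance_m": distance,
                            "estimate_usable": distance > boundary}
    return {"e_at_1m": e_1m, "near_field_m": boundary, "crossings": crossings}


if __name__ == "__main__":
    print("channels inside the test range:", channels_covered_by_test())
    for name in POWER_CLASSES:
        print("class", name, profile(name))
```

For class I the free-space estimate already reaches 25 V/m at about 10 cm. For classes II and III the crossing distance falls inside the near-field radius, where the formula is not usable and only a direct measurement of the induced current is meaningful.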
(equipment under test [EUT]). A metallic (copper or galvanised steel) ground plane of a minimum of 0.5 mm thickness and 1000 x 2000 mm (WxL) area has to be located 900±10 mm above the floor.

Each one of the power supply cables must be connected to the EUT through an artificial network (AN) [5] of 5 µH/50 Ω to get a reference impedance (usually 50 Ω). The ANs should be placed over the ground plane and connected to it.

The electric or electronic equipment under test has to be placed on a dielectric material [7] of low permeability (εr ≤ 1.4) and 50±5 mm thickness. One of the EUT faces has to be placed 200±10 mm from the edge of the ground plane. The cables connected to the EUT are exposed along 1500±75 mm to the electromagnetic radiation generated by the antenna. They are placed on the same dielectric material as the EUT, 100±10 mm away from the edge of the ground plane.

The antenna that generates the electric field has to be located at a 100±10 mm height above the ground plane, that is 1000 mm above the floor, and also 1000 ± 10 mm away from the EUT cables.

The test procedure can be divided in two steps:

• A first one where the electric field level calibration is done (without EUT, cables nor ANs).
• A second in which the test takes place based on the levels obtained in the preceding step.

In the calibration stage, an isotropic probe 150 ± 10 mm above the ground plane and 100 ± 10 mm away from the edge is used. The calibration is done for both horizontal and vertical electric field.

Aspects of Bluetooth Devices that are not Considered in Directive 2004/104/EC

Having mentioned some of the properties of Bluetooth, as well as the EMC regulation applicable to the automobile context, and focusing the study on the assessment of the susceptibility of the electrical and electronic components on board to radiations from different wireless devices, the following observations remain to be made:

• The specifications of the radiated susceptibility test, mentioned in the directive using the semianechoic chamber method to carry it out, determine that the range of frequencies to be tested is from 20 MHz to 2000 MHz. Therefore, the directive does not make it compulsory to test electrical and electronic automobile equipment at frequencies higher than 2 GHz. Bluetooth works at frequencies between 2.400 and 2.4835 GHz, and hence an electronic subsystem or component that complies with the directive does not guarantee electromagnetic compatibility in the presence of a Bluetooth device.
• The electrical field levels specified by the directive to be tested in the 20 to 2000 MHz range are of 30 V/m for 90% of the frequency band and 25 V/m for the whole frequency band. It is foreseeable that in the near future the directive will be modified to increase the range of frequencies to at least include the operating frequencies used by the wireless devices available on the market to automobile users.
• The test method specified in the directive corresponds to a situation in which the transmitter is not situated close to the equipment being studied. This leads to the use of a plane wave in the test setup, which requires one or more transmitter antennas working in far field. However, in this particular case it is easy to find Bluetooth transmitters, either belonging to the automobile’s own electrical and electronic system or introduced by users, operating a few centimetres away from the electronic systems and wires of the vehicle’s electrical installation.

With this background, the present work is developed with the aim of determining whether a device that complies with the requirements of the EMC automobile directive presents any possible electromagnetic compatibility risks in the presence of Bluetooth transmitters located a short distance away. In addition, a measurement procedure is proposed for assessing the degree of interrelation between the electronics on board and the Bluetooth devices incorporated by vehicles’ users.

Related Published Works

In the technical literature, negative examples of vehicle-communication system interaction can be found, as in the case of ‘Project 54’ (Kun, Lenharth, & Millar, 2004), in which the origin and possible solutions to random signal reception by appliances normally used by traffic police officers are analysed. There are other more complex cases, such as the one stated by Tatoian (2005), in which the possibility of equipping the police with electromagnetic systems in order to block cars in conflictive traffic conditions is assessed. The impact of the transient surrounding perturbations (especially due to electromagnetic interferences) on the dependability of systems distributed on TDMA-based networks in the automotive domain is analysed by Campos et al. (2002).

All of this justifies the interest of automobile manufacturers in regulating the incorporation of new information and communication technologies. In Australia, for example, there is the FCAI (1997) initiative, in which the automobile industry and the nation’s government are working together to establish the emission and susceptibility limits to which new vehicles must conform in order to guarantee the compatibility of the electronics on board the vehicle with the multimedia equipment for drivers available on the market. EMC centres work along the same lines in association with automobile manufacturers such as Audi or Renault (Renault, 2006).

On the other hand, there are several previous research works related to this subject. Stadtler, Schoof, and Haseborg (2002) calculate that a 100 mW Bluetooth transmitter in far-field (1 m) generates an electric-field level of 2.45 V/m, that is, a level considerably lower than the one used in the EMC test according to the 2004/104/EC standard. Nevertheless, simulation results presented by Schoof, Stadtler, and Haseborg (2003) inside a vehicle cockpit with a 100 mW Bluetooth transmitter achieved electrical-field levels of 52 V/m, which is close to the limit level indicated by the EMC standard.

PROPOSED METHOD FOR ASSESSING THE POSSIBLE EFFECTS OF BLUETOOTH DEVICES USED INSIDE VEHICLES

Taking into account previous published studies (Schoof et al., 2003; Stadtler et al., 2002) and the EMC specifications in the automotive context, certain questions must be raised in relation to the incorporation of Bluetooth transmitters in automobiles by either the manufacturer or the users of the vehicle. As mentioned earlier, the EMC directive (2004/104/EC EMC, 2004) does not require radiated susceptibility tests above 2 GHz and restricts the field level of the equipment under test to 25 or 30 V/m. Moreover, in present day traffic conditions, it is easy to find several Bluetooth transmitters inside the cabin of the vehicle and within a few centimetres of the vehicle’s cables and electronic systems.

Fundament of the Proposed Measure

The setup for the radiated susceptibility test for an automobile component in accordance with ISO regulation 11452-2 (ISO 11452-2, 2004) was presented previously in the chapter. This setup contains similarities to the actual layout of the components inside a vehicle. For example, the equipment under test [1], wiring [2], simulators [3], and power supply [4] are placed on a ground plane that emulates the chassis of the vehicle. The length of wire exposed to the radiation is 1.5 m, being the usual length of cable on board a vehicle.

In this context, a study is made of the radio frequency current that is induced in the cable [2] when it is submitted to the action of a Bluetooth transmitter in near field, that is to say with a few centimetres between transmitter and cable.

Once the current induced in the EUT cable by the Bluetooth transmitter has been determined, the electrical field level that must be applied during the radiated susceptibility test in order to induce a current value identical to that induced by the Bluetooth transmitter a few centimetres away is analysed. If the electric field level required to induce the current value is under the 25 or 30 V/m specified by 2004/104/EC EMC, it will confirm that all equipment that fulfils the EMC directive should not present compatibility problems. However, if the electric field level is similar to or higher than the one specified by the EMC directive, there is no guarantee that the automotive component will not have electromagnetic compatibility problems in close proximity to a Bluetooth transmitter.

PRACTICAL IMPLEMENTATION AND RESULTS

Following the guidelines indicated by Stadtler et al. (2002), the setup shown in Figure 3 is used for the present research work. The impedance presented by the EUT [1] between the cable and the ground plane [6] is modelled as an ideal impedance of 50 Ω. At the other end of the cable an ideal impedance of 50 Ω represents the one corresponding to the artificial network [5] or to other auxiliary equipment.

Figure 3. Setup diagram of the test used to determine the current induced by a transmitter in near field

In the first approach at validating the proposed thesis the electromagnetic simulation tool FEKO (2005) is used. In the laboratory experimental phase, a R&S ESIB 26 spectrum analyser tuned to the transmission frequency of the device is used to measure the induced current. The resistance of 50 Ω that corresponds to the EUT is provided by the spectrum analyser input; as an impedance of 50 Ω at the other end of the cable, a 50 Ω load with an N connector is used. The analyser will register the voltage value at its input terminals and by direct relation the value of current induced in the cable is determined.

Design of the Interference Pattern

An electromagnetic radiation source in the 2.400 to 2.483 GHz range has been designed with adjustable power between 1 and 100 mW, emulating the behaviour of class I, II, and III Bluetooth transmitters. The radiation source consists of an antenna connected to a R&S SMR20 RF generator. The antenna design is based on a commercial radio frequency module (SparkFun, 2005), simulated using FEKO and implemented on a PCB.

Elements of the Setup

Figure 4 shows the setup used to measure the current induced in the cable when the Bluetooth transmitter is situated a short distance away. The right hand side of the cable is loaded with an impedance of 50 Ω, while the impedance of 50 Ω on the left hand side is provided by the spectrum analyser input (R&S ESIB 26), which is outside
Bluetooth Devices Effect on Radiated EMS of Vehicle Wiring
the semianechoic chamber (Space Saver of ETS) (FP6001 AR) placed at a height of 10 cm above
during the test and is connected by means of an the ground plane and 10 cm from the edge facing
RG214 cable. The attenuation caused by the RG214 the antenna. The value of the current induced by
cable is corrected by the spectrum analyser.

To measure the induced current, the radiation source is placed in different positions with respect to the 1.5 m long cable. The measurements are made with the transmitter facing the cable and in various positions along its length. The transmitter is placed at distances of 2 cm, 5 cm, and 8 cm from the cable and at heights with respect to the ground plane of 0.6 cm and 3.7 cm.

To determine the value of the electric field intensity (V/m), the setup represented in Figure 4 is used, corresponding to the radiated susceptibility test for automobile components (2004/104/EC EMC, 2004). The electric field level is registered by means of an isotropic electric-field probe

Figure 4. Setup of the test used to measure the current induced by a transmitter in near field (top). Setup used to determine the electric field level (down). Diagram labels: connecting spectrum analyzer; load 50 Ω; EUT; antenna and RF generator (Bluetooth TX simulated); cable under test; electric-field probe; transmitter antenna.

the radiation of the AT4000 AR antenna situated at a distance of 1 m is constantly measured on the spectrum analyser. The power transferred to the antenna is varied until the induced current values are identical to those obtained when the Bluetooth transmitter was situated a few centimetres from the same cable. This is the way to determine the electric field level that induces the same current as a Bluetooth transmitter in the conditions previously described.

Results

In the following section, some of the results for the setups proposed in previous sections, obtained by both simulations and practical measurements made in the laboratory, are given, with the principal aim of determining the electromagnetic compatibility risks caused by commercial Bluetooth transmitters in automobiles.

The FEKO tool is used to simulate a ground plane with a 150 cm cable above it at a height of 5 cm, with both ends loaded with a resistance of 50 Ω. A monopole antenna connected to a generator was used as a transmitter in the simulation. The simulations are made with the antenna transmitter situated in the centre of the 1.5 m cable structure and at distances of 2 cm, 5 cm, and 8 cm and at heights above the ground plane of 0.6 cm and 3.7 cm. In addition, the simulations are carried out taking into account the different power types (I, II, and III) specified by the Bluetooth technology.

Tables 1 and 2 represent a comparison between the results obtained with the FEKO simulation tool and those obtained in laboratory tests. First of all, the results belonging to a transmitter working at 2.425 GHz and at a height above the ground plane of 0.6 cm are presented. The table shows the variation in the induced current as a function of the distance that separates the transmitter from the cable, and for three different transmission powers (+20, +4, and 0 dBm). For example, when the class I transmitter is separated by a distance of 2 cm from the cable, the simulated current value is 1990 µA in contrast with the value of 1870 µA experimentally obtained.

Besides, one can see in Table 2 the comparison between simulated and experimental induced current when the emission frequency is changed for three Bluetooth devices (class I, II, and III) at a distance of 5 cm and a height of 0.6 cm.

On the other hand, Table 3 shows some of the measurements obtained in the laboratory corresponding to the current induced by the transmitter located at a distance of 2 cm and 5 cm from the cable, and at a height above the ground plane of 0.6 cm. The same table shows the increase in the induced current due to the effect of the different power classes of the transmitter (class I, II, and III).

To conclude, Figure 5 shows the electric field levels that the structure being tested is submitted to in order to induce the same RF currents as those produced if a Bluetooth transmitter is situated in near field. The setup used for the test is the one
Table 1. Values obtained by simulation and experimentally of the induced current as a function of the transmitter distance (frequency 2425 MHz and height 0.6 cm)

Power transmission      Distance   Wire induced current
(Bluetooth devices)     (cm)       Simulation (µA)   Measurement (µA)
+20 dBm (Class I)       2          1990              1870.0
+20 dBm (Class I)       5          879               715.3
+20 dBm (Class I)       8          337               378.0
+4 dBm (Class II)       2          315               319.5
+4 dBm (Class II)       5          139               123.0
+4 dBm (Class II)       8          53.3              62.2
0 dBm (Class III)       2          200               203.4
0 dBm (Class III)       5          87.7              78.8
0 dBm (Class III)       8          33.5              43.3

Table 2. Values obtained by simulation and experimentally of the induced current as a function of the transmitter frequency (distance 5 cm and height 0.6 cm)

Power transmission      Frequency  Induced current
(Bluetooth devices)     (MHz)      Simulation (µA)   Measurement (µA)
+20 dBm (Class I)       2400       921               827.0
+20 dBm (Class I)       2425       879               715.3
+20 dBm (Class I)       2450       941               604.0
+20 dBm (Class I)       2475       1060              645.0
+4 dBm (Class II)       2400       145               142.8
+4 dBm (Class II)       2425       139               123.0
+4 dBm (Class II)       2450       148               104.8
+4 dBm (Class II)       2475       167               111.7
0 dBm (Class III)       2400       91.1              90.8
0 dBm (Class III)       2425       87.7              78.8
0 dBm (Class III)       2450       93.8              67.5
0 dBm (Class III)       2475       105               71.28

Table 3. Measurement of the induced current as a function of the frequency and of the Bluetooth transmitter location (height 0.6 cm)

Figure 5. Identical induced current on the cable under test by the intensity of electric field according to the described test as well as Bluetooth transmitters working with variable distance and power
shown in Figure 4 (down). For example, a class I transmitter (+20 dBm) located at a distance of 5 cm and at a height of 0.6 cm induces a current of 715 µA. In the same way, this transmitter situated at a distance of 2 cm induces a current of 1870 µA. Identical current values are induced when the wire loaded by resistances of 50 Ω is exposed to a uniform plane wave with an electric field level of 42.3 V/m and 122 V/m, respectively.

Future Works

Having analyzed the results shown above, the authors suggest continuing to evaluate the electromagnetic field generated by these kinds of wireless communication devices and others alike, varying the setup conditions (relative cable and antenna location, cables, different antennas transmitting simultaneously, etc.). All this is done comparing the results obtained from the simulation tools as well as from the experimental tests in the EMC laboratory.

It would also be interesting to study and evaluate the amplifying effect due to the metallic structure of the cabin, measuring inside and outside the vehicle.

Conclusion

From the simulated and experimental results obtained by this work, it can be deduced that the electromagnetic interference supported by the cable structure under study, when situated a few centimetres from a commercial Bluetooth transmitter, is similar to the action of a plane wave with electric field levels superior to those specified by directive 2004/104/EC (25 or 30 V/m).

Comparing the magnitude of the electric fields obtained in the present analysis with the real values at which on board electronic components are tested in accordance with the EMC directive, it can be deduced that Bluetooth transmitters of 20 dBm can cause electromagnetic susceptibility problems in the vehicle's electronic and electrical systems, which would not be detected during the radiated susceptibility test according to a valid EMC directive for automobiles.

In short, more consideration should be given to the electromagnetic interference generated by Bluetooth devices as they get closer to electrical and electronic circuits whose performance they can affect, and even more so in confined spaces where multiple sources of interference coexist, as is the situation with automobiles. The effect of increasing the power of the transmitter or reducing the distance between it and the wired elements of the automobile is equivalent to submitting them to increasing electric far-field levels in radiated susceptibility tests in accordance with the 2004/104/EC EMC directive, which increases the risk of a failure in the system.

This work supports the need for the prevailing EMC directive to be modified in order to assess and ensure the electromagnetic compatibility of automobiles' on board systems in the presence of wireless devices with a frequency range above 2.0 GHz.

Acknowledgment

This work has been possible thanks to the support of the Centre of High Technology and Homologation (CATECHOM) at the University of Alcala (UAH), as well as the COVE Project funded by the Spanish Science and Education Ministry TRA2005-05409/AUT and TRA2006-12105/TAIR.

References

2004/104/EC EMC. (2004). Directive relating to the radio interference of vehicles. Commission of the European Communities.

95/54/EC EMC. (1995). Directive relating to the radio interference of vehicles. Commission of the European Communities.

Bannatyne, R. (2000, May). The sensor explosion and automotive control systems. Sensors Magazine, 17(5).
Campos, F.T., Mills, N.W., & Graves, M.L. (2002). A reference architecture for remote diagnostics and prognostics applications. In Proceedings of the IEEE Autotestcon (pp. 842-853).

CISPR 12. (2001). Vehicles, boats and internal combustion engine driven devices. Radio disturbance characteristics. Limits and methods of measurement for the protection of receivers except those installed in the vehicle/boat/device itself or in adjacent vehicles/boats/devices. The International Special Committee on Radio Interference (CISPR).

CISPR 25. (2002). Radio disturbance characteristics for the protection of receivers used on board vehicles, boats, and on devices. Limits and methods of measurement. The International Special Committee on Radio Interference (CISPR).

FCAI. (1997). Federal Chamber of Automotive Industries (FCAI). Retrieved October 15, 2007, from http://www.dcita.gov.au/Article/0,,0_4-2_4008-4_10465,00.html

FEKO. (2005). EM software & systems. FEKO. Retrieved October 15, 2007, from http://www.feko.info/

ISO 11452-2. (2004). Road vehicles: Component test methods for electrical disturbances from narrowband radiated electromagnetic energy. Part 2: Absorber-lined shielded enclosure. The International Organization for Standardization (ISO).

ISO 7637-2. (2004). Road vehicles: Electrical disturbance from conduction and coupling. Part 2: Electrical transient conduction along supply lines only on vehicles with nominal 12 V or 24 V supply voltage. The International Organization for Standardization (ISO).

Kerry, P.J. (2003). EMC in the European Union. IEEE. 0-7803-7779-6/03.

Kun, A., Lenharth, W., & Millar, W.T. (2004). Project 54. Durham: University of New Hampshire. Retrieved October 15, 2007, from http://www.project54.unh.edu/

Larses, O. (2003). Modern automotive electronics from an OEM perspective (Tech. Rep. KTH S-100 44). Royal Institute of Technology, Mechatronics Lab, Department of Machine Design, Stockholm.

Leen, G., & Hefferman, D. (2002, January). Expanding automotive electronic systems. IEE Computer, 35(1), 88-93.

Mazo, M., Espinosa, F., Awawdeh, A.M.H., & Gardel, A. (2005). Automotive electronics diagnosis: State of the art and next tendencies. FITSA. Madrid. Retrieved October 15, 2007, from http://www.fundacionfitsa.org/fitsa/pub/Libro%20diagnosis%20electronica.pdf

Renault. (2006). Renault EMC unit. Aubevoye, France. Retrieved October 15, 2007, from http://www.worldcarfans.com/news.cfm/newsid/2060406.004/country/ecf/Renault-inaugurates-emc-unit

Schoof, A., Stadtler, T., & Haseborg, J.L. (2003, May 11-16). Simulation and measurement of the propagation of Bluetooth signals in automobiles. Paper presented at the 2003 IEEE International Symposium, EMC'03 (pp. 1297-1300).

SIG. (2006). Specification of the Bluetooth system. Retrieved October 15, 2007, from http://www.bluetooth.com

SparkFun. (2005). Transceiver MiRF - Miniature RF 2.4GHz. Retrieved October 15, 2007, from http://www.sparkfun.com/commerce/product_info.php?products_id=13 5

Stadtler, T., Schoof, A., & Haseborg, J.L. (2002, September 9-13). Electromagnetic compatibility of a system under the influence of a Bluetooth transmitter. Paper presented at the Symposium EMC Europe 2002, Sorrento.

Tatoian, J. (2005). Car chases zapped. Pasadera, California: Eureka Aerospace. Retrieved October 15, 2007, from http://www.defensetech.org/archives/001369.html
tion technology, such as Bluetooth or Wi-Fi, can be used for longer range communication or for transferring larger amounts of data.

RF: Short for radio frequency, any frequency within the electromagnetic spectrum associated with radio wave propagation. When an RF current is supplied to an antenna, an electromagnetic field is created that then is able to propagate through space. Many wireless technologies are based on RF field propagation, including cordless phones, radar, ham radio, GPS, and radio and television broadcasts. RF waves propagate at the speed of light, or 186,000 miles per second (300,000 km/s). Their frequencies however are lower than those of visible light, making RF waves invisible to the human eye.

WLAN: The acronym for wireless local-area network. Also referred to as LAWN. A type of local-area network that uses high-frequency radio waves rather than wires to communicate between nodes. LAN is a computer network that spans a relatively small area. Most LANs are confined to a single building or group of buildings. However, one LAN can be connected to other LANs over any distance via telephone lines and radio waves. A system of LANs connected in this way is called a wide-area network (WAN).
Chapter XLIII
Security in WLAN
Mohamad Badra
Bât ISIMA, France
Artur Hecker
INFRES-ENST, France
Abstract
The great promise of wireless LAN will never be realized unless there is an appropriate security level.
From this point of view, various security protocols have been proposed to handle wireless local-area
network (WLAN) security problems that are mostly due to the lack of physical protection in WLAN or
because of the transmission on the radio link. The purpose of this chapter is (1) to provide the reader
with a sample background in WLAN technologies and standards, (2) to give the reader a solid ground-
ing in common security concepts and technologies, and (3) to identify the threats and vulnerabilities of
WLAN communications.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
802.11 WLAN started being rolled out, especially in enterprises to replace or extend the wired local-area network (LAN) with an implementation of WLAN, and in airports and various business venues where they installed several WLAN access points offering a public Internet access (so-called hotspots), which can range from a small covered zone to many square miles of overlapping hotspots in metropolitan areas.

While the most obvious advantage of the WLAN is mobility, there are also other benefits:

• Installing and maintaining flexibility: Installation of a WLAN system is fast and easy and eliminates the terminal cabling costs. It extends to areas where wires cannot be installed.
• Apparent ease of use: WLAN is easy for novice and expert users alike, eliminating the need for extensive knowledge to take advantage of WLAN.
• Transparency: WLAN is transparent to a user network, allowing applications to work in the same way as they do in wired LANs.
• Scalability: WLANs are designed to be simple or complex; they range from networks suitable for a small number of nodes to full infrastructure networks of thousands of nodes and large physical area by adding access points to extend coverage and to provide users with roaming between different areas.

WLAN was developed to extend wired LAN wirelessly and therefore to minimize Ethernet cabling. It was designed to provide "data obscurity" equivalent to that provided by wired Ethernet with easier installation. However, there is some difference between WLAN and wired LAN due to constraints introduced by the first, and especially the shared medium, interference, the collisions that cannot be detected reliably, the physical boundary that is difficult to control, and to the the signal.

These differences make the WLAN security harder to maintain in comparison to wired LAN. In WLAN, it is possible for an attacker to snoop on confidential communications or modify them to gain access to the network much more easily than the wired LAN. The open access to the networks permits malicious action at a distance and simplifies passive interception. The temptation for unauthorized access and eavesdropping is also a reality (Khan & Khwaja, 2003) because an attacker could easily access the transport medium. This is not easy in wired LAN due to the physical access to the media. WLANs have introduced a new security threat, sometimes referred to as parking lot attack (Arbaugh, 2003) (i.e., a person with a wireless computer and a makeshift antenna can gain access to the WLAN from hundreds of feet away). Other security issues are mostly because of the lack of physical protection of the wireless network access or of the transmission on the radio that cannot be confined to the walls of an organization.

The original 802.11 standard defines authentication and encryption mechanisms based on the use of the wired equivalent privacy (WEP) protocol. Unfortunately, this protocol suffers from serious design flaws (Miller & Hamilton, 2002). Furthermore, it does not define a key management mechanism; it presumes that the secret key is conveyed between WLAN entities through a secure channel independent of 802.11 WLAN. As a result of different flaws discovered in WEP, the security of WLAN has been widely studied, and a set of standards have been developed by IEEE and IETF, especially 802.1X (802.1X, 2004), 802.11i (802.11i, 2004) and extensible authentication protocol (EAP) (Aboba, Blunk, Vollbrecht, Carlson, & Levkowetz, 2004). The 802.1X standard has been standardized by 802.1 working group. 802.1X was initially conceived to securely manage the access to different IEEE 802.1 networks. It is a framework for authenticating and controlling user traffic at the network level, as well as dynamically varying exchanging encryption keys between a mobile station and an authentication server. By pushing the authentication method to the virtual layer, 802.1X defines an open security architecture, which principally allows user authentication and, optionally, session key generation and derivation on a per-user and per-session basis. Because of this possibility for dynamic provisioning, 802.1X is used as the common base in the current WLAN
security suites such as Wi-Fi protected access (WPA) (WPA, 2003) and IEEE 802.11i (802.11i, 2004).

The rest of the chapter presents a more detailed description of the various WLAN standards from the security perspective: challenges and possible attacks in WLAN security; WLAN infrastructure security; authentication, authorization, and access control; confidentiality and privacy; and key management and establishment.

WLAN Management Frames

A WLAN network is formed by entities called stations (STA). A WLAN can operate in two modes: infrastructure and ad hoc. In the ad hoc mode, each STA communicates directly with other stations. In the infrastructure mode, stations communicate with each other via a special STA, called access point (AP). Each AP additionally has a connection to the distributing system (DS), which can take different forms (wireless, wired, OSI layer, etc.). In this chapter, we focus on the infrastructure mode.

The infrastructure mode extends the range of the wired LAN. It introduces a notion of basic service set (BSS). Each BSS is formed by an AP and associated stations, and can be roughly understood as a WLAN equivalent of a cell (a base station and mobile nodes). It is uniquely identified by the medium access control (MAC) address of the STA of its AP, called BSSID. By using their DS connection, several APs can allow a station to move from one BSS to another. Several BSSs may be collected, constructing an extended service set (ESS). The identifier of the ESS is a case sensitive string of 32 bytes (ESSID), and can be roughly understood as a "network name." In the infrastructure mode, it is usually called SSID for convenience.

One of the primary services of WLAN management frames is to provide access control reliability. This was originally done based on a predetermined set of MAC addresses and improved later with 802.1X. The access control usually implements a way to provide authentication or authorization to a terminal attached to the network. WLAN uses a concept called port-based access control that is based on the notion of a port. The port-based access control blocks all traffic on a (logical) port until some condition is true. The condition for the port opening is a successful user association and authentication.

An association precedes each communication between the STA and the AP. The association is formed between a STA and an AP by exchanging messages, by the means of so-called management frames, allowing both STA and AP to create and to maintain the association states. WLAN defines three states: unauthenticated and unassociated, authenticated and unassociated, and authenticated and associated.

The management frames can be started by the STA sending a probe request management frame to find an AP affiliated with a selected ESSID, or scanning the beacon management frame broadcast by the APs at a fixed interval. As part of the association processes, the STA and the access point perform an authentication. IEEE 802.11 originally defines two authentication modes, the open system authentication (OSA), practically equivalent to no authentication, and shared key authentication (SKA), a simple challenge handshake protocol based on a preshared key between the STA and the AP and the specified WEP protocol. Furthermore, other methods can be used to restrict the access to an AP, such as classical MAC address filtering (whitelisting or blacklisting STA MAC addresses) and the suppression of service advertisement, usually called SSID hiding.

It must be noted that neither of these methods can be considered sufficiently secure given the current usage of the 802.11 technology. Since MAC addresses need to be transported in clear and can be easily changed, the MAC address filtering is not enough of a barrier. SSID hiding only can work as long as nobody uses the service, since the associating STA will try to solicit an AP under a given SSID, thus effectively disclosing this "secret." The included SKA scheme lacks mutuality and is way too static (no session key derivation, no key management) to be applicable in an operational industrial environment. Accidentally SKA was
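The observation above about SSID hiding and MAC address filtering can be checked against the frame format itself. The following is an added example, not code from the chapter: it parses the 24-byte 802.11 management header and the SSID information element of constructed beacon, probe request and probe response frames, and reports what a passive listener reads in clear. The MAC addresses, the network name "corp-lab" and all helper names are assumptions made for the illustration.

```python
"""Added example: what 802.11 management frames carry in clear text."""

MGMT_SUBTYPES = {4: "probe-request", 5: "probe-response", 8: "beacon"}
# Beacons and probe responses carry 12 bytes of fixed fields (timestamp,
# beacon interval, capabilities) before the information elements.
FIXED_FIELDS_LEN = {4: 0, 5: 12, 8: 12}
SSID_ELEMENT_ID = 0
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype, dst, src, bssid, ssid):
    """Construct a minimal management frame (sample data for this example)."""
    frame_control = bytes([subtype << 4, 0x00])   # version 0, type 0 = management
    header = frame_control + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    return header + bytes(FIXED_FIELDS_LEN[subtype]) + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid


def parse_mgmt_frame(frame):
    """Return subtype, the three clear-text addresses and the raw SSID element."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 MAC header")
    version, ftype, subtype = frame[0] & 0x3, (frame[0] >> 2) & 0x3, frame[0] >> 4
    if version != 0 or ftype != 0 or subtype not in MGMT_SUBTYPES:
        raise ValueError("not a supported management frame")
    elements = frame[24 + FIXED_FIELDS_LEN[subtype]:]
    ssid, pos = None, 0
    while pos + 2 <= len(elements):
        element_id, length = elements[pos], elements[pos + 1]
        value = elements[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        if element_id == SSID_ELEMENT_ID:
            ssid = value
            break
        pos += 2 + length
    return {"subtype": MGMT_SUBTYPES[subtype], "dst": mac(frame[4:10]),
            "src": mac(frame[10:16]), "bssid": mac(frame[16:22]), "ssid": ssid}


def is_suppressed(ssid):
    """A hidden network advertises an empty or all-zero SSID in its beacons."""
    return ssid is not None and (len(ssid) == 0 or not any(ssid))


def audit(frames):
    """Summarise what the management frames disclose without any key."""
    hidden, advertised, stations, probed = set(), {}, set(), set()
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f["subtype"] == "beacon" and is_suppressed(f["ssid"]):
            hidden.add(f["bssid"])
        elif f["subtype"] == "probe-response" and f["ssid"]:
            advertised[f["bssid"]] = f["ssid"].decode("utf-8", "replace")
        elif f["subtype"] == "probe-request":
            stations.add(f["src"])               # station MAC is never encrypted
            if f["ssid"]:                        # empty SSID = wildcard probe
                probed.add((f["src"], f["ssid"].decode("utf-8", "replace")))
    return {"hidden_bssids": sorted(hidden),
            "names_recovered": {b: n for b, n in advertised.items() if b in hidden},
            "station_macs": sorted(stations),
            "directed_probes": sorted(probed)}


# Constructed sample capture: an AP with SSID hiding and one station joining it.
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("0200000000aa")
SAMPLE_FRAMES = [
    build_mgmt_frame(8, BROADCAST, AP, AP, b""),            # beacon, SSID suppressed
    build_mgmt_frame(4, BROADCAST, STA, BROADCAST, b"corp-lab"),  # directed probe
    build_mgmt_frame(5, STA, AP, AP, b"corp-lab"),          # AP answers with its name
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_FRAMES).items():
        print(key, value)
```

The audit shows why both measures are only obscurity: the suppressed name reappears in the probe exchange, and the station address that a MAC filter relies on is present in every header.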
WLAN devices broadcast their MAC addresses over-the-air and it is therefore easy to observe the MAC address for an associated mobile station and spoof it to masquerade as a legitimate device.

Due to the nature of WLAN, intruders can flood the open medium access and are able to execute denial-of-service attacks (DoS) to bring down WLAN access or services. An attacker may launch denial-of-service attacks by spoofing, replaying, or generating management frame packets.

Another problem related to the open medium is jamming WLAN frequencies. Jamming against WLAN is almost impossible to prevent and can be executed easily as noise or interference on channels that deliver WLAN services. For example, in a military environment, jammers are often located in helicopters as the line-of-sight propagation gives them an advantage over communication transmitters located on the ground (Stahlberg, 2000).

WLANs are also vulnerable to session hijacking attacks due to the lack of authentication of the management frames as well as to the WLAN state machines. Session hijacking is a combination of DoS and identity spoofing attacks and it can be launched by 1) eavesdropping on the medium to discover the MAC address of a legitimate station and/or of the AP, 2) deauthenticating the legitimate station to terminate its connection to the AP (spoofing STA or spoofing AP addresses), and 3) using the eavesdropped MAC to reauthenticate to a different or to the same AP on the same WLAN.

WEP Weaknesses

Shared key authentication was designed to help in reducing attacker activities against WLAN. Unfortunately, WEP has turned out to be much less secure than intended. Fluhrer, Mantin, and Shamir's (2001) paper entitled "Weaknesses in the Key Scheduling Algorithm of RC4" describes how an attacker can intercept transmissions and gain unauthorized access to wireless networks. Other problems are related to the insufficient IV length (thus permitting to decrypt frames without key knowledge), absent key management (on the one hand resulting in manual settings and typically weaker alphanumeric keys, and on the other hand directly exposing the long term secret), and to the absent message integrity checking (the available CRC32 integrity does not depend upon the keys and mainly targets transmission problems; it is therefore possible to alter a packet whose content was known even if it had not been decrypted). More information on WEP attacks may be found in Borisov, Goldberg, and Wagner (2001).

In a WLAN context, a passive attack takes advantage of several weaknesses in the key-scheduling algorithm of RC4. It could be done also by a comparison of the encrypted version of a known message (e.g., TCP fields) to repetitive IV-based encryption combinations of the known text and to reveal the secret key (Morrison, 2002). In fact, the 24-bit IV implies that 2^24 packets can be protected with the same key, before changing the key. Because the IV is relatively short, and is transmitted in the clear text, it will be repeated with sufficient frequency that the rest of cipher can be relatively easily cracked. On the other hand, WEP by its design cannot efficiently reduce overhead of denial-of-service attacks. In particular, it does not protect beacon packets, or the part of the packet header, which includes the MAC address unencrypted. Consequently, it is not hard to infiltrate the WLAN using WEP.

Consequently, a dedicated task group called 802.11i has been set up by IEEE to create a replacement security solution. The released IEEE 802.11i amendment introduces an improved security mechanism called Wi-Fi protected access (WPA) to solve WEP-related authentication and confidentiality problems and to introduce an efficient frame integrity scheme. 802.11i security solution (called robust secure network or WPA2) uses a new counter-mode/CBC-MAC protocol (CCMP) cipher based on the advanced encryption standard (AES) instead of RC4.

802.1X, WPA, and IEEE 802.11i (WPA2)

IEEE 802.11i is a dedicated task group to specify and to create a replacement security solution. It provides enhanced security services and mechanisms for the IEEE 802.11 medium access control beyond the features and capabilities provided by WEP. These security services are established by defining temporal key integrity protocol (TKIP) and counter-mode/CBC-MAC protocol (CCMP) that provide more robust data protection mechanisms than what WEP affords. 802.11i also introduces the concept of a security association and defines security association management protocols called the 4-way handshake and the group key handshake. Also, it specifies how IEEE 802.1X may be utilized by IEEE 802.11 LANs to effect authentication.

The IEEE 802.11i architecture usually contains or implements the following components:

• 802.1X for authentication, entailing the use of IETF's EAP and an authentication server.
• Robust security network (RSN) for keeping track of associations.
• AES-based CCMP to provide confidentiality, integrity, and origin authentication. Another important element of the authentication process is the four-way handshake, explained below.

WPA

Because WEP has been shown to be totally insecure and in order to strengthen the weak keys used by WEP, 802.11 Working Group has proposed a new WPA protocol called TKIP. This protocol is designed to strengthen the security of 802.1X networks and to leverage the existing WEP-enabled WLAN network interface card (NIC), while remaining backward compatible with existing hardware (no change in the hardware engine). This is done by distributing firmware/software upgrades including new algorithms to be added to WEP, such as message integrity code (MIC) and per-packet key mixing function.

TKIP uses a key scheme based on RC4, but unlike WEP that uses the master key for authentication and per-packet encryption, TKIP extends this key hierarchy to reduce the exposure of the master secret and to provide per-packet key mixing, a message integrity check as well as a rekeying mechanism. Consequently, TKIP ensures that every data packet is sent with its own unique encryption key. Moreover, it includes a key hash function to improve resistance against Fluhrer attacks (Fluhrer et al., 2001) and a MIC, and it uses 802.1X for key management and establishment. The MIC prevents forged packets from being accepted. Thanks to per-packet key mixing, it is very hard for an eavesdropper to correlate the IV and the per-packet key used to encrypt the packet (Chandra, 2005). More precisely, TKIP hashes the combination of the IV value, the data encryption key (derived from the master secret), and the MAC address. This mechanism addresses the WEP problem of concatenating the key with the IV to form the traffic key, thereby reducing the feasibility of related-key attacks.

Key Hierarchy

The master secret used in key hierarchy can be a preinstalled key or a per-session key. In fact, TKIP can be used with an IEEE 802.1X authentication server, which shares a master key with each user as a consequence of a successful authentication process as well as in a preshared key (PSK) mode where all authorized users share a PSK. These two modes target two distinct environments respectively, enterprise and home networking.

As we cited before, TKIP extends the WEP key hierarchy to reduce the exposure of the (long term) master secret and to provide per-packet key mixing, a message integrity check as well as a rekeying mechanism. This extension is shown in the following figure. At a given layer, the different keys are generated by applying the pseudo random function (PRF) on, among other parameters, the key of the upper layer and the MAC addresses of the two endpoints.

Preshared Key

As we cited before, 802.11i security solution uses 802.1X (see next section) that requires a logical authentication server entity. However, 802.11i defines the preshared key solution as an alternative to 802.1X-based master key establishment. This solution can be used for home or small networks
and does not require installation of an authentication server.

The PSK is a 256-bit random value (64 hexadecimal digits) or a pass phrase 8 to 63 bytes long, in which each STA has its own PSK tied to its MAC address and uses it to get access to the network. The key hierarchy is shown in Figure 1. The PSK is however used directly to compute the pair-wise transient key (PTK). The rest of the key computation process remains unchanged.

IEEE 802.1X

IEEE 802.1X is introduced for port-based network access control. It provides authentication to stations attached to a LAN port, establishing a point-to-point connection in case of success or preventing access from that port if authentication fails.

802.1X uses three terms:

• The Supplicant: A station that requests access to the network offered by the authenticator. It dialogues with the authentication server through the authenticator.
• The Authenticator: Typically a wireless access point that controls the state of each port (open/close) and mediates an authentication session between the supplicant and the authentication server.
• The Authentication Server: Typically a (remote authentication dial in user service) RADIUS server that performs the authentication process on behalf of the authenticator. The resulting decision consists of whether the supplicant is authorized to access the authenticator's network. Note that 802.1X does not require use of a central authentication server, and thus can be deployed with stand-alone bridges or access points, as well as in centrally managed scenario (802.1, 2004).

The most important component in 802.11i architecture is the IEEE 802.1X port access entity (PAE), which controls the forwarding of data to and from the MAC. A STA always implements a Supplicant PAE and implements EAP peer role, and an AP, acting as an Authenticator, always implements an Authenticator PAE and implements the EAP Authenticator role.

802.1X is based on EAP, which is a powerful umbrella that shelters multiple authentication
Security in WLAN
Figure 2. 802.1X messages exchange between a supplicant, an authenticator, and the authentication
server
methods. When IEEE 802.1X authentication is used within 802.11 networks, EAP is used transparently between the station and the (usually remote) authentication server and relayed through the AP. 802.1X requires the cooperation between the authentication server and an EAP method. In the case of a wireless LAN, the EAP method is required to perform mutual authentication and key management and distribution. Using the flexibility proposed by the IEEE 802.1X architecture, multiple EAP-based security protocols and mechanisms such as EAP-SIM (Haverinen & Salowey, 2006), EAP-TLS (transport layer security) (Aboba & Simon, 1999), and protected-EAP (Palekar, Simon, Zorn, Salowey, Zhou, & Josefsson, 2004) are proposed. These EAP methods are used with the 802.11i (or WPA2) and WPA standards in order to establish authenticated access and key calculation and distribution.

IEEE 802.11i (WPA2)

The procedures defined in 802.11i adopt the key hierarchy defined by WPA and provide fresh keys by means of protocols called the 4-way handshake and group key handshake. The 4-way handshake is a pair-wise key management protocol used to confirm the mutual possession of a pair-wise master key (PMK) by two parties and to distribute a group temporal key (GTK). Several keys are established as a result of a successful authentication. The keys are derived from the PMK (in particular, the pair-wise transient key).

802.11i defines two key hierarchies: (a) pair-wise key hierarchy to protect unicast traffic and (b) GTK, a hierarchy consisting of a single key to protect multicast and broadcast traffic. Furthermore, it defines TKIP (uses existing hardware) and CCMP (needs additional hardware) to repair the problems caused by WEP. TKIP provides stronger security through a keyed cryptographic message integrity code (MIC), an extended IV space, and a key mixing function. CCMP is used to provide data confidentiality, integrity, and replay protection.

4-Way Handshake

Once the authenticator and the mobile station have agreed upon a shared PMK, they can begin a 4-way handshake: STA represents the station; STAA and AA, SNonce and ANonce, represent the MAC address and the nonce of the station and authenticator, respectively; SN is the sequence number; msg1, msg2, msg3, and msg4 are indicators of different message types; and MIC_{EAPOL-KCK}() represents the
related data in clear text and without any encryption. Therefore, security parameters flowing in the network could potentially be logged, archived, and searched.

Basically, certificates are issued by a trusted third party linking the identity of the certificate owner to the public key, whereas the shared secret is managed through its identifier. Certificate or shared key identifiers are usually sent in clear text and consequently, entities cannot protect their identities from eavesdropping. Thus, an intruder can learn who is reaching the network, when, and from where, and hence, track users by correlating client identity to connection location. Especially in WLAN, where the access medium is open to eavesdroppers, and the mobility is a reasonable service, the location tracking can be a serious security issue. The PEAP and EAP-TTLS authentication methods can be used to protect the user identity. Both are two-phase protocols with the first phase used to establish a TLS with only server authentication and the second phase used to deliver, among others, the user identity.

Privacy and identity protection are increasingly required for 802.1X/EAP and consequently, research is being carried out to add credentials and identity protection to EAP methods, especially to EAP-TLS. In this latter method, the client certificate is sent in clear text and therefore, an attacker can easily sniff packets conveying the client credentials. To avoid sending identity information in clear text during the TLS session, Hajjeh and Badra (in press) extend TLS with an enhanced, completely backwards compatible mechanism. The client identity protection is provided by symmetrically encrypting the client certificate with a key derived from the TLS master secret,

Hardware Security in WLAN

Many agencies (GAO, 2001) require the use of smart cards to overcome the vulnerabilities of the storage of private and shared keys. In fact, without smart cards, unauthorized access can be easily established to an authorized device (e.g., station) to retrieve confidential and personal data stored on it.

A smart card is a portable and tamper-resistant computer. It provides data security, data integrity, and personal privacy and supports mobility. Furthermore, major application areas including mobile communication use smart card to convey subscription and identification information as well as to provide user identity and to build computer and network access.

In the 802.1X/EAP context, (Urien & Pujolle, 2005) describes the interface of the EAP protocol in smart cards, which can store multiple identities associated to EAP methods and appropriate credentials. It presents implementations of the EAP-TLS smart cards, which securely stores TLS security parameters, such as client X509 certificate, client private RSA key, and CA public key. For more information regarding the EAP smart card configuration and test steps, please refer to OpenEAPSmartCard (2006), which is an open Java card platform for authentication in Wi-Fi and WLAN networks.

THE UNIVERSAL ACCESS METHOD

A different approach to authentication and authorization for WLAN is that based on Web-based unlicensed mobile access (UAM), the most prevalent form of access to WLAN. This approach defines a sign-on usage model using the user navigator or Web browser and it is adopted by a number of WLAN hotspots providers. The Web-based UAM approach is very simple. When the user attends to get Internet access through a given hotspot, this latter will redirect the user’s browser to a local Web server. After redirection, the user will be invited to be authenticated by entering its credentials (e.g., username, password). These credentials are tunnelled through a secure session, typically established using TLS.

UNLICENSED MOBILE ACCESS

UMA stands for Unlicensed Mobile Access; a technology provides access to GSM and GPRS mobile services over unlicensed spectrum technologies,
Figure 4. Throughput of TCP, UDP traffic in a congested network
Figure 5. Computing times distribution for a smart card

performance of congested wireless networks. Network performance degradation increased as the number of clients was increased under all security mechanisms.

On the other hand and in order to show the impact of smart cards use within 802.1X/EAP, we implemented EAP-TLS on smart cards, in which performance, benefits, and drawbacks are discussed and analysed by Urien, Badra, and Dandjinou (2004).

Figure 5 shows the repartition of computing times during the authentication phase. The smart card (10 MHz, 8 bits CPU, 2304 bytes RAM bytes, 96 Kbytes 32 Kbytes ROM, 32 Kbytes E2PROM) processes the EAP-TLS protocol in about 5 seconds (Urien & Badra, 2006). Note that benchmarks are performed on a 1 GHz Intel processor PC and only about 50 ms are required to execute an EAP-TLS session. This demonstrates the cost and performance influence of using smart cards, which are required for credentials and private data storing.

CONCLUSION

Wireless technologies have evolved phenomenally over the last few years. Wireless transmission has a big impact on new services and applications because it is the method for data communication for, among others, cellular phones, text pagers, and Wireless LAN 802.11. In this chapter, we focused on WLAN security threats, which extend on several levels, from the identity spoofing to the traffic analysis.

WLAN security risks have increased exponentially as wireless services have become more popular. The risks represent any malicious and undesirable event on the various applications, which possibly suffer from faults facilitating threat concretization. Risks can result in sniffing and hijacking of sensitive and personal data over the link for unprotected Internet access. The consequences are therefore variants (Hurley, 2002). It can eat up bandwidth, but it could pose a darker issue as virus writers can use the access to anonymously send viruses out.

In answer, WLAN defined, among other, the 802.1X standard, providing a framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying and exchanging encryption keys between the wireless entity and the authenticator server. This is done using EAP methods, which are also deployed jointly with the 802.11i and WPA standards. Implementing WLAN technologies in a secure network requires on one hand a combination of these security measures. On the other hand, organizations need to adopt security measures and practices that help bring down their risks to a manageable level. In early 2006, therefore, ISO members voted the IEEE’s 802.11i standard for adoption.

REFERENCES

802.1X. (2004). IEEE Standards for local and metropolitan area networks: Port based network access control (IEEE Std 802.1X-2004).

802.11i. (2004). Institute of electrical and electronics engineers, supplement to standard for telecommunications and information exchange between systems: LAN/MAN specific requirements. Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications: Specification for enhanced security (IEEE 802.11i).

Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., & Levkowetz, H. (2004). Extensible authentication protocol (EAP) (RFC 3748).
the Helsinki University of Technology. Seminar on Network Security. Mobile Security. Helsinki University of Technology.

UMA. (2005). Retrieved October 16, 2007, from http://www.umatechnology.org/

Urien, P., & Badra, M. (2006). Secure access modules for identity protection over the EAP-TLS - Smartcard benefits for user anonymity in wireless infrastructures. In M. Malek, E. Fernández-Medina, & J. Hernando (Eds.), SECRYPT 2006, Proceedings of the International Conference on Security and Cryptography, Setúbal, Portugal, (pp 157-163).

Urien, P., Badra, M., & Dandjinou, M. (2004). EAP-TLS smartcards, from dream to reality. Paper presented at the Fourth IEEE Workshop on Applications and Services in Wireless Networks.

Urien, P., & Pujolle, G. (2005). EAP-support in smartcard (IETF Internet Draft).

WLAN. (2003). Information technology - telecommunications and information exchange between systems—local and metropolitan area networks—specific requirements-Part 11: Wireless LAN medium access control (MAC) and physical layer (PHY) specifications (IEEE Std. 802.11-2003).

WPA. (2003). Wi-Fi protected access, version 2.0.
Chapter XLIV
Access Control in Wireless
Local Area Networks:
Fast Authentication Schemes
Jahan Hassan
The University of Sydney, Australia
Björn Landfeldt
The University of Sydney, Australia
Albert Y. Zomaya
The University of Sydney, Australia
ABSTRACT
Wireless local area networks (WLAN) are rapidly becoming a core part of network access. Supporting
user mobility, more specifically session continuation in changing network access point
an integral part of wireless network services. This is because of the popularity of emerging real-time
streaming applications that can be commonly used when the user is mobile, such as voice-over-IP and
Internet radio. However, mobility introduces a new set of problems in wireless environments because of
handoffs between network access points (APs). The IEEE 802.11i security standard imposes an authen-
tication delay long enough to hamper real-time applications. This chapter will provide a comprehensive
study on fast authentication solutions found in the literature as well as the industry that address this
problem. These proposals focus on solving the mentioned problem for intradomain handoff scenarios
where the access points belong to the same administrative domain or provider. Interdomain roaming is
also becoming common-place for wireless access. We need fast authentication solutions for these en-
vironments that are managed by independent administrative authorities. We detail such a solution that
explores the use of local trust relationships to foster fast authentication.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
[Figure: diagram labels: Wireless device (Supplicant); Wireless link; Wireless AP (Authenticator); EAP over RADIUS; Authentication Server (e.g., RADIUS); Secure Network]

[Figure: message sequence between Wireless device (Supplicant), Wireless AP (Authenticator) and Authentication Server (e.g., RADIUS): EAPOL-Start; EAP-Request Identity; EAP/TLS: Empty; EAP-Success; 802.11i Fourway Handshake]
• Supplicant: This is a user device seeking link layer connectivity with a network so that it can use the services offered by the network.
• Authenticator: This is the wireless AP providing link layer connections to the user devices. In any network, typically there will be many APs. The authenticator liaises with the authentication server by relaying information to and from the supplicant. When the authenticator receives a success message from the authentication server, it allows the supplicant to establish a link layer connection.
• Authentication server: This is a central server which helps the authenticator with the authentication decision based on what it knows about the supplicant and the information supplied by the supplicant.

function which will be used to generate additional keying material. Using this function and the MK, a pair-wise master key (PMK) is generated. The PMK further produces four pair-wise transient keys (PTKs) when used with particular cipher methods, and are used for origin authenticity and confidentiality of the four-way handshake procedure, as well as for data encryption.

Figure 2 shows the full EAP-TLS authentication steps and messages exchanged. At the end of a successful EAP-TLS authentication (EAP success message), there is a four-way handshake process which ensures that the AP and the MN are active, guarantees the freshness and synchronization of the shared encryption key, as well as binds the PMK to the medium access control (MAC) address of the MN.
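The binding and freshness properties of the four-way handshake described above (and the AA, SNonce, ANonce and MIC notation of the preceding chapter) can be seen in the following added example, which is not part of the book. It uses the IEEE 802.11i HMAC-SHA1 PRF with the "Pairwise key expansion" label; the PMK, MAC addresses, nonces and the message-2 frame bytes are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"  # label used by the 802.11i PTK derivation


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        msg = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, msg, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk, aa, spa, anonce, snonce, tkip=False):
    """Derive the PTK from the PMK, both MAC addresses and both nonces.

    min/max ordering makes supplicant and authenticator compute the same
    value regardless of which side runs the derivation.
    """
    data = (min(aa, spa) + max(aa, spa) +
            min(anonce, snonce) + max(anonce, snonce))
    ptk = prf(pmk, LABEL, data, 64 if tkip else 48)
    keys = {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if tkip:
        keys["TKIP_MIC"] = ptk[48:64]  # extra MIC keys used only by TKIP
    return keys


def eapol_mic(kck, frame):
    """HMAC-SHA1-128 over an EAPOL-Key frame whose MIC field is zeroed."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def authenticator_accepts_msg2(pmk, aa, spa, anonce, snonce, frame, mic):
    """Authenticator side: recompute the KCK and check the MIC of message 2."""
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)["KCK"]
    return hmac.compare_digest(eapol_mic(kck, frame), mic)


# Constructed sample values (not taken from any capture).
PMK = bytes(range(32))
AA = bytes.fromhex("020000000001")    # authenticator (AP) MAC address
SPA = bytes.fromhex("020000000002")   # supplicant (MN) MAC address
ANONCE = hashlib.sha256(b"constructed ANonce").digest()
SNONCE = hashlib.sha256(b"constructed SNonce").digest()
MSG2 = b"constructed EAPOL-Key msg2, MIC field zeroed" + SNONCE


def station_msg2_mic(pmk, spa=SPA, anonce=ANONCE):
    """Supplicant side: derive the KCK and compute the MIC for message 2."""
    kck = derive_ptk(pmk, AA, spa, anonce, SNONCE)["KCK"]
    return eapol_mic(kck, MSG2)


def demo():
    """Return which message-2 MICs the authenticator accepts."""
    def check(mic, spa=SPA):
        return authenticator_accepts_msg2(PMK, AA, spa, ANONCE, SNONCE, MSG2, mic)

    old_anonce = hashlib.sha256(b"constructed old ANonce").digest()
    other_mac = bytes.fromhex("020000000003")
    return {
        # Station holds the PMK and answers the current ANonce.
        "good": check(station_msg2_mic(PMK)),
        # Station does not hold the PMK: possession is not confirmed.
        "wrong_pmk": check(station_msg2_mic(b"\xff" * 32)),
        # MIC computed for an earlier ANonce: freshness check fails.
        "stale_anonce": check(station_msg2_mic(PMK, anonce=old_anonce)),
        # Same MIC presented from another MAC address: PTK is bound to the MN.
        "other_mac": check(station_msg2_mic(PMK), spa=other_mac),
    }


if __name__ == "__main__":
    print(demo())
```
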
multimedia applications in continuous mobility scenarios¹. This number can only magnify when the RADIUS server is located topologically far from the AP. As the APs in wireless LANs have very small coverage², many APs are required to be installed to cover a certain geographical area of a network. Thus, continuous mobility implies that there will be many handoffs during an active real-time application session, even when the user is within the same network (domain). There needs to be mechanisms to cut down the authentication delay of 802.11i for this kind of intradomain handoffs. Below we discuss the IEEE 802.11i proposed solution, and those found in the literature to tackle this issue.

Preauthentication

This is the solution specified within the IEEE 802.11i to support fast authentication at handoffs between APs in the same network domain or extended service set (ESS). In this solution, when an MN is connected with an old AP (oAP), it can initiate EAP-TLS authentication with a new AP (nAP) within the same ESS by sending an IEEE 802.1X EAPOL-Start message via the oAP to the nAP. The nAP then may initiate the EAP-TLS authentication with the MN. The distributed system of the ESS has to be configured to forward the authentication messages to the oAP for the MN. While still connected with the oAP, preauthentication for the MN is performed by exchanging all the EAP-TLS authentication messages between the MN and the nAP. The process ends when after deriving the new PMK, the nAP sends the first message of the four-way handshake to the MN. The MN and the nAP must cache the new PMK to be used when the MN finally moves to the nAP. Preauthentication can be performed in advance to a group of APs that the MN may select from, for handing off in the future. At time of handoff, there will not be any more EAP-TLS exchanges, and the four-way handshake can be used straight away to resume the connection process.

While the preauthentication mechanism provides a great way to cut down the authentication delay necessary for supporting real-time applications in wireless LANs, in the current form, no mechanism has been used to select the most likely handoff candidate APs. Thus, there will probably be many instances of preauthentications that will not be utilized at all. This is a waste of resources. Also, when there is a large number of candidate APs, this mechanism does not scale and, in addition, puts extra loads on the AAA server. It is to be noted that the scope of the preauthentication is, however, limited to a single network domain or ESS, making it inapplicable in interdomain roaming scenarios.

Proactive Key Distribution

Proactive key distribution has been proposed as a mechanism to provide fast authentication at handoffs within the same administrative domain, by predistributing the keys to candidate APs in a neighbor graph (Mishra et al., 2004). Thus, this scheme avoids the involvement of the AAA or the RADIUS server for distributing the keys to the nAPs during handoffs. When the MN will finally move to the nAP, the key will be already there and the local handshake protocol (four-way handshake) can be used to establish the radio link between the MN and the nAP.

The most important concept of this proposal is the use of the neighbor graph. The neighbor graph is the dynamic identification of the mobility topology of the network: a set of APs that the mobile user device potentially could reassociate to. The authors suggest that this set is typically a small subset of all the APs in the wireless network. By selecting the possible candidate APs for handoffs by a particular MN, the cost of proactively distributing the key to these APs are justified and minimized. The scheme utilizes the concept of a reassociation relationship by which the authors mean that two APs have this relationship if it is physically possible for a given MN to handoff from one to the next. Thus, this relationship depends on factors such as physical distance between two APs and placement of the APs. The authors suggest that the neighbor graphs can be autonomously learned and maintained by the wireless network, and can be maintained either in a centralized or distributed
manner. In their implementation, the authors have stored this information in the centralized manner, in the RADIUS server.

The authors propose that instead of distributing the original PMK to all the neighbor graph APs, the PMK is used to derive PMKs depending on the instance of reassociation (e.g., nth reassociation) using a proposed equation. Special RADIUS messages have been also introduced to aid the key distribution process: NOTIFY-REQUEST, NOTIFY-ACCEPT, and ACCESS-ACCEPT. Once the MN completes a full EAP-TLS authentication, the AAA server sends a NOTIFY-REQUEST message to all the APs in the neighbor graph. This message informs the APs that a given MN may roam to their coverage. It is up to the APs to decide whether they want the security information (the PMK) for the MN. If the AP decides to get the security information at this stage, it sends a NOTIFY-ACCEPT message to the AAA server, and the AAA server sends an ACCESS-ACCEPT message in return to the AP containing the appropriate PMK and an authorization for the MN to remain connected to the network. From the experimental results, it has been shown that the average latency of the full authentication reduces to around 50ms from that of 1.1 second.

The scheme provides a practical and feasible way for maintaining the quality of real-time applications while the MN moves about in the same network. However, this imposes extra functionality and loads on the AAA server, because it has to send requests to candidate APs asking if they want the security key for the MN before it hands off to the APs. This centralized approach where a single AAA server controls and manages the key distribution will suit well the scenarios where the WLAN sites are all under the tight control of one central AAA server such that the server can derive and decide on the candidate APs for the MN’s next move. This proposal will not be directly applicable to interdomain roaming scenarios.

The proposal from Mishra et al. (2004) has similarity with preauthentication proposal from IEEE 802.11i in the sense that (some) steps of the authentication process is initiated even before the MN moves to the nAP, that is, the proactive nature of the schemes. The two proposals differ in the sense that in preauthentication, it is up to the MN to choose (using no particular guideline) APs in the network to complete authentication before it performs the next handoff, but in the case of proactive key distribution scheme, only the APs in the neighbor graph can get the PMK (some APs in the neighbor graph may decide not to ask for the key at this stage). Also, the predistribution of the PMK scheme does not involve the MN in the process of distributing the PMKs to the neighbor graph APs, whereas the preauthentication scheme involves the MN to complete the preauthentication process with the nAPs.

Proactive Key Caching

An industry solution, namely proactive key caching (PKC), is an extension of Airespace Inc.’s³ wireless enterprise platform, developed along with Funk Software⁴ and Atheros Communications (Atheros Communications). In PKC, the MN can use the same master key to roam across an Airespace network, visiting one AP to the next. This eliminates the need for RADIUS authentication at each handoff; only the four-way handshake will be required. Airespace has a centralized policy engine for creating and maintaining security parameters across the entire enterprise. The use of the central policy engine in the network also leads this solution to be centralized and suitable only for a single administrative domain.

Predictive Authentication

This proposal from Pack and Choi (2002) is a predictive-authentication scheme based on the selection of a frequent handoff region (FHR) which works in a centralized manner. The main idea is to formulate a FHR consisting of a number of APs in a public access LAN by using a FHR selection algorithm, and taking into account the user mobility and traffic pattern. The FHR APs are the ones that the MN is likely to associate with in the near future. The MN is preauthenticated to all the APs within the FHR so that when the MN handoffs from one AP to the next within that FHR,
Proactive Key Distribution | RADIUS server | A subset of APs in the network; determined by the neighbor graph | Decided by the nAP concerned | Intradomain handoffs
Predictive Authentication | RADIUS server | A subset of APs in the network; determined by the FHR | Decided by the RADIUS server | Intradomain handoffs
Proactive Key Caching | Centralized policy engine | All APs in the network | Centralized policy engine | Intradomain handoffs
dress this gap, we have proposed a “trust-cloud” key sharing model (Hassan & Landfeldt, 2006).

Trust-Cloud Key Sharing

According to our interdomain fast-authentication scheme based on a concept of “trust clouds,” a trust cloud is formed among neighboring access points based on a relationship among the owners of the access points. The scheme enables fast and simple authentication for mobile devices that move between access points belonging to different administrative domains such as different ISPs. Used together with an appropriate routing scheme, the scheme enables continuous service of delay sensitive flows even while roaming between different access providers. We define the following terms:

Trust Link: A trust link defines the trust relationship between any two given RG⁵. RGi and RGj have a trust relationship between them if they agree to take part in key sharing for visiting mobile nodes between them.

Trust Cloud: A trust cloud is a collection of trust links for a given RG. Every RG has a different trust cloud. One RG can appear in many trust clouds, depending on its relationship with other RGs.

The model is a security key-sharing scheme which works on the basis of AP-to-AP (or RG-to-RG, network-to-network/hotspot-to-hotspot) trust. Unlike the implicit trust among the APs within a single administrative domain or an ESS, this trust is not implicit and is a translation from the trust among the AP-owners through a relationship with a third party such as an ISP or indeed through personal relationships if the community does not operate with a subscription-based model. For example, in community networks, the network operation is dictated by personal preferences, thus even if two AP-owners (or WLAN owners) share the same ISP, there is no guarantee that they would trust each other. This is the difference from neighborhood networks with federated networks such as FON.

In our model, the serving AP⁶ of a visiting mobile node (VN) will share the key of the MN that is currently attached with it, within its trust cloud. So, depending on the number of APs in the serving AP’s trust cloud, some of the APs in the hotspot area will have the key of the VN ready to be utilized for fast authentication when the VN hands off to one of these APs, and that AP will share the key further among its trust cloud APs. In our model of interdomain access points, provider-provider (or AP-AP, or RG-RG) trust is not necessarily transitive: if RG X trusts RG Y and RG Y trusts RG Z, it does not necessarily mean that RG X trusts RG Z. Moreover, as this trust may have to do with personal preferences, it is not necessary to be symmetric: RG X trusts RG Y does not necessarily mean that RG Y trusts RG X. Initially, we have simulated symmetry in the trust relationships between a given RG pair, and also that trust is not transitive as it depends on the relationship or understanding between any given pair of RG (or RG-owners). This means that if RG X trusts RG Y, RG Y also trusts RG X. However, we have also simulated with the symmetry being relaxed thus two RGs may have uni- or bi-directional trust relations, thus we deviate from a nondirected trust graph to a directed one. By using the concept
of trust clouds in the area, we will see pockets of fast authentication enabled coverage area, and not an entire coverage area of federated fast authentication areas. Therefore, we would still require strong authentication mechanism provided by the EAP-TLS in this setup as not all the handoffs will be able to utilize fast authentication.

The fast-authentication for interdomain sites is achieved through cooperation among the trust cloud members. The approach is distributed without a central authentication server being involved in distributing the security master key to the access points belonging to the trust cloud. We have proposed two algorithms for mobile visiting nodes to select RGs to perform authentication at handoffs: trust-aware and trust-unaware. In the trust-aware handoff algorithm, the MN needing to handoff to a new RG actively seeks to handoff to an RG that is trusted by its prior-move RG, thus it has to keep track of which RGs are trusted by its prior-move RG. In the trust-unaware handoff though, the MN just seeks to handoff to a suitable RG (e.g., an RG that has low load and can accept more connections) but does not care about the fast authentication possibility as the RG it hands off to may or may not be trusted by its prior-move RG.

Performance Evaluation

We have carried out simulation-based performance evaluation. The scenarios we model are a VN trying to complete a series of communication sessions by utilizing the unused capacity of nearby RGs within its wireless communication range (RG hotspot). There are a total of N RGs in the hotspot area. The VN can sense the current load of each RG from their beacons, and can only associate with an RG that is lightly loaded. An RG is modeled as a two-state Markov chain where the states of an RG alternate between heavily loaded and lightly loaded. The time spent in each state is exponentially distributed with means (L) selected to obtain a given fraction of time an RG spends in the heavily loaded state⁷.

If an RG switches its state from lightly loaded to heavily-loaded while a VN session is in progress through that RG, the VN session will have to handoff to another lightly-loaded RG using one of the two trust cloud handoff algorithms, or the trustless one described in the previous section. If no lightly loaded RGs are available, the session is prematurely terminated.

The activity of the VN is modeled using the well known on-off process. When the VN completes a session, or a session is prematurely terminated, the VN enters a silence mode before initiating another session. The session and silence mode durations are exponentially distributed. Mean session duration is denoted by S. Once the VN enters the silence mode, its security association with a given RG becomes invalid (an inactivity timer is implemented within each RG, upon expiration of which the security associations of the VN become invalid). Consequently, the VN must go through the full security association process (full authentication involving the AAA server) at the start of each new session, even if it continues with the current RG.

The primary performance variable that we measure is the number of times a full authentication is needed for a session on average, since the goal is to reduce this variable. This number is basically one (for the initial association) plus the number of handoffs that require full authentication.

Figures 3 and 4 are two representative graphs from our simulation studies. First of all, we see that our trust-based handoff schemes, be it aware or unaware, achieves much lower per session full authentication than the usual no-trust or trustless

Figure 3. Full authentication vs. mean session time (S)
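The trust-aware, trust-unaware and trustless handoff policies and the per-session full-authentication count described above can be compared with a small deterministic model. This is an added example, not the authors' simulator: the RG names, the directed trust table and the handoff events are constructed, and it assumes the simplification that only the prior-move RG's trust cloud holds the VN's key.

```python
from dataclasses import dataclass

# Constructed directed trust clouds: TRUST[x] is the set of RGs that x trusts
# and therefore shares a visiting node's key with. Trust is neither symmetric
# nor transitive.
TRUST = {
    "RG-A": {"RG-B", "RG-C"},
    "RG-B": {"RG-A"},   # B trusts A but not C (no transitivity through A)
    "RG-C": {"RG-D"},   # C does not trust A back (asymmetric)
    "RG-D": set(),
    "RG-E": {"RG-A"},
}


@dataclass
class SessionResult:
    path: list              # RGs visited, in order
    full_auths: int         # 1 (initial association) + handoffs needing full auth
    fast_auths: int         # handoffs served from a shared key
    terminated_early: bool  # no lightly loaded RG was available


def pick_target(current, candidates, policy):
    """Choose the next RG from lightly loaded candidates ({rg: load})."""
    options = {rg: load for rg, load in candidates.items() if rg != current}
    if not options:
        return None
    by_load = sorted(options, key=lambda rg: (options[rg], rg))
    if policy == "trust-aware":
        # Prefer an RG trusted by the prior-move RG; fall back to lowest load.
        trusted = [rg for rg in by_load if rg in TRUST.get(current, set())]
        if trusted:
            return trusted[0]
    return by_load[0]


def run_session(start, handoff_events, policy):
    """Replay one session; each event lists the lightly loaded RGs in range."""
    current, path = start, [start]
    full, fast = 1, 0  # the initial association is always a full authentication
    for candidates in handoff_events:
        target = pick_target(current, candidates, policy)
        if target is None:
            return SessionResult(path, full, fast, True)
        # Fast authentication only if the prior RG shared the key with target.
        has_key = policy != "trustless" and target in TRUST.get(current, set())
        if has_key:
            fast += 1
        else:
            full += 1
        current = target
        path.append(target)
    return SessionResult(path, full, fast, False)


# Constructed handoff events: lightly loaded RGs and their sensed load.
EVENTS = [
    {"RG-B": 0.3, "RG-D": 0.1, "RG-C": 0.2},
    {"RG-A": 0.2, "RG-D": 0.4, "RG-E": 0.3},
    {"RG-B": 0.1, "RG-E": 0.2},
    {"RG-A": 0.3, "RG-C": 0.1},
]


def compare(start="RG-A", events=EVENTS):
    """Full authentications per session for each policy on the same events."""
    return {p: run_session(start, events, p).full_auths
            for p in ("trust-aware", "trust-unaware", "trustless")}


if __name__ == "__main__":
    for policy in ("trust-aware", "trust-unaware", "trustless"):
        print(policy, run_session("RG-A", EVENTS, policy))
```

The trust-unaware policy still gets an occasional fast authentication when the lowest-load RG happens to be trusted by the prior RG, which is why it sits between the other two.
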
ENDNOTES

1. Typically, the overall latency of handoffs should not exceed 50ms.
2. For IEEE 802.11b, the coverage range is no more than 100-200 feet, as compared to the cellular coverage area in cities which is around 2640 feet, and more in the rural areas.
3. Airespace later was acquired by Cisco Systems (Cisco Systems Web site)
4. Funk Software has now been acquired by Juniper Networks (Juniper Networks)
5. In this section, RG, AP and wireless routers can be treated equally to mean wireless AP-type devices not belonging in the same domain, but to different domains.
6. In the interdomain handoff model, especially the trust-cloud model, the APs (or residential gateways-RGs, in the case of community networks) belong to different owners, and domains. APs and RGs are also used interchangeably here.
7. $L = \frac{L_h}{L_h + L_l}$, where $L_h$ and $L_l$ are the mean values for the sojourn times in the heavily and lightly loaded states, respectively.
Chapter XLV
Security and Privacy in RFID
Based Wireless Networks
Denis Trček
University of Ljubljana, Slovenia
ABSTRACT
Mass deployment of radio-frequency identification (RFID) technology is now becoming feasible for a
wide variety of applications ranging from medical to supply chain and retail environments. Its main
draw-back until recently was high production costs, which are now becoming lower and acceptable. But
due to inherent constraints of RFID technology (in terms of limited power and computational resources)
these devices are the subject of intensive research on how to support and improve increasing demands for
security and privacy. This chapter therefore focuses on security and privacy issues by giving a general
overview of the field, the principles, the current state of the art, and future trends. An i
field of security and privacy solutions for this kind of wireless communications is desc
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
These appealing properties also have drawbacks, many of them in the area of security and privacy. But as RFID is already finding its place in contemporary information systems (ISs), these issues need to be addressed seriously, which is the goal of this chapter. In the second section, the background of RFID technology is given. In the third section, threats are described and countermeasures are given. In the fourth section anticipated future trends are discussed. There is a conclusion in the fifth section, while the chapter ends with references and key definitions.
Background Overview
Some definitions have to be given first. One basic definition in the area of (computer communications) security states that security means minimization of vulnerabilities of assets and resources (ISO, 1989). Wireless security thus means minimization of vulnerabilities of assets and resources when communicating information in electro-magnetic media through a free-space environment. Finally, RFID technology will be defined as wireless identification technology which operates on radio frequencies and deploys low-cost ICs.
A model of RFID environment is described in Figure 1. It consists of tags (also called responders) and readers (also called transceivers). This is the front-end of RFID applications, which have their back-end in database management systems, where they are integrated with the rest of the IS (see Figure 1). It is generally assumed that RFID security and privacy is concerned with the front-end part (the left-hand side of the dashed vertical line in Figure 1). This is actually the part that is covered by the reader’s signal; the tag’s signal usually falls within its range.
Tags consist of a microchip and an antenna, both encapsulated in polymer material. The microchip has encoded data, called identification (ID), which typically include the manufacturer, brand, model, and serial number. Communication takes place on radio-frequencies, for example, from 125 kHz to 134 kHz for security cards and from 800 MHz to 900 MHz for retail applications (Roussos, 2006). However, increasing the frequency means increased accumulation of signal in bodies containing large quantities of water or in metal.
Communication is achieved by electromagnetic coupling between readers and tags. A reader transmits a signal, which induces a voltage in the tag’s antenna. This coupling provides sufficient power
[Figure 1; surviving labels: tag's range, reader's range, SECURE ENVIRONMENT]
for a tag to respond (after performing some calculations if required). If a tag is powered through this coupling, it is called a passive tag. However, if a tag has some source of energy, for example, a battery, it is called an active tag. Each type has certain advantages and disadvantages. Passive tags are cheap, but remain active until being explicitly destroyed. They have a low operating perimeter (typically 3 meters) with a relatively high error rate. In contrast, active tags have a greater operating perimeter (up to a few hundred meters), lower error rate, and cease functioning when the source of power is exhausted. However, they are significantly more expensive. Both kinds of tags can be read only, write once-read many, or rewritable.
The main barrier to mass-deployment of RFID tags is their price. A wish-price is limited by five cents, but depending on quantities and using current technologies, many application niches can already be covered. The total cost consists mainly of cost of an antenna, which can be from €/ US$1 to 0. €/ US$ 20,. cost of silicon, and IC production; silicon typically costs €/ US$2mm 0/4. (Weis, 2003), while IC production depends on the number of logical gates, that is, technology. But roughly, the cost ranges from €/ US$mm / 5 20 . 2 with 1500 gates/mm2 to €/ US$mm / 80 . 2 with 60.000 gates (Weis, 2003).
A typical communication channel with a passive RFID is asymmetric. This means that forward communication, that is, communication from a reader to a tag, has one order of magnitude larger in range than backward communication, that is, from the tag to the reader. In the former case this is typically up to 100 meters, while in the latter case this is typically up to 3 meters. The reason, of course, is the power consumption constraint, which means that practical applications are limited to a range of up to 3 meters.
Thus, the cost factor dictates that a typical RFID, or a reference RFID implementation, is currently expected to have the following characteristics. It is passively powered and has 96 bits of read-only memory. These standardized bits serve to carry the tag’s identity, which is unique for each tag (these IDs are stored in silicon by an imprinting process). A chip operates at 20,000 clock cycles, providing 200 read operations per second. An algorithm to respond to read primitives from a reader may be probabilistic (e.g., Aloha (Prasad & Rugierre, 2003) or deterministic (e.g., a binary walking tree) (Juels, Rivest, & Szydlo, 2003). With such algorithms, a single tag can be identified and isolated. The related process is called singulation. Finally, the number of available gates that can be devoted to security operations is in the range of 400 to 4,000.
The above estimates are based on figures from Weis (2003) by applying Moore’s law, which states that for the same price the available processing power doubles every year and a half. It is therefore clear that processing resources to support security in RFID environments are very limited and lightweight cryptographic solutions thus provide an answer to this problem.
Moore’s law also implies that there is always a point where “ordinary” cryptographic algorithms become feasible for computationally weak devices. An example of a thick RFID implementation, which is based on AES to provide authentication, can be found in the work of Feldhofer, Dominikus, and Wolkerstorfer (2004). Despite this, a permanent need exists for lightweight cryptographic protocols and also algorithms. One main reason is the gap between ordinary devices where space and power consumption are not a serious concern (e.g., tag readers, desktop systems), and weak devices with limited space and power consumption (e.g., RFID tags, smart-cards). This gap means that increased processing power affects both kinds of devices equally; in the case of a cryptographic algorithm, the key-length of this algorithm is extended. As a consequence, weak devices are again less protected because they cannot deploy such intensive computations with enlarged keys. Further, if the above use of a cryptographic algorithm can be seen as a kind of variable cost (the longer the key, the higher the processing overhead), cryptographic protocols can be seen as a fixed cost. Note that cryptographic protocols are ordinary communication protocols that deploy cryptographic algorithms, and cryptographic protocols are often referred to as security services, while cryptography algorithms are referred to as security mechanisms. Both kinds of costs contribute to the total processing power
requirements, and have to be kept low while at the same time enabling a comparable level of security to weak devices. This leads to a whole new research area (Juels, 2004).
RFID Threats and Countermeasures
The very basic threat to each and every tag is that it remains active when it is no longer supposed to be active. To counter this problem, RFID logic may implement kill operation, which means that upon receipt of a certain communication primitive, the tag becomes permanently inoperative by, for example, blowing a fuse in its circuitry. A more bullet-proof solution is exposure of RFID to microwave radiation that melts its metalized layer.
Risk management drives each and every provision of security and privacy in ISs. A typical process is depicted in Figure 2. It starts with the identification of assets A (A = {a1, a2, …, an}) and threats T (T = {t1, t2, …, tm}) to those assets. For each asset and threat, that is, Cartesian product A × T = {(a1, t1), (a1, t2), …, (an, tm)}, related vulnerabilities are identified together with the likelihood of a threat to get into interaction with the asset during a certain period of time. On this basis, the estimated damage D(ai, tj) caused by interaction between asset ai and threat tj during this period is calculated. The result presents the upper bound for investment in safeguards. A certain degree of risk, called residual risk, is usually accepted and taken into account. This often makes sense economically. But in the majority of cases, a threat cannot be completely neutralized (Trček, 2006).
The challenging parts of this process are identification of threats and their probabilit… identification of threats in RFID environments a comprehensive taxonomy from Garfinkel, Juels, and Pappu (2005) can be used. The first four threats are related to corporate security, and the rest to personal privacy:
• Corporate espionage threat: Tagged products may enable remote acquisition of supply chain details like logistics details, volumes, and so forth.
• Competitive marketing threat: Tags may enable access to customers’ preferences and use the data gathered for competition.
• Infrastructure attacks threat: Where RFID is central to a competitor’s advantage; disruption of RFID operations becomes an important point for attack.
• Trust perimeter threat: Gathering additional volumes of data through RFID introduces new challenges related to sharing information in a trustworthy way.
• Action threat: Individuals’ actions may be monitored.
• Association threat: When tagged products are associated with an individual’s ID (e.g., loyalty programs), these persons can be associated not only with the type of product, but with the exact product, due to its unique ID.
• Location threat: Tags can be triggered by covert readers at various locations to reveal a person’s location.
• Preference threat: Tags disclose preferences of customers and help to identify, for example, more wealthy ones.
• Constellation and transaction threats: Constellation threat is similar to location threat, but in this case the identity of a customer is not known. Despite this, a particular person can be spotted and traced. Further, chaining one constellation threat with another, a whole chain of actions, or transactions, becomes traceable.
• Breadcrumb threat: When products are disposed with their original tags, an attacker may use them and is tracked with falsified identity. This is actually just another kind of identity theft.
On top of all this, a fundamental threat exists, called tag cloning, and such cloning has been successfully demonstrated (Bono, Green, Stubblefield, Juels, Rubin, & Szydlo, 2005). What countermeasures are at our disposal?
The basic option was mentioned at the beginning with the physical destruction of a tag (e.g., by exposure to microwaves or implementation of a logical kill command that makes chip inoperable). But the fact is that the latter approach often has flaws in implementations; logically killed tags may remain active or be reactivated (Roussos, 2006). In many situations it might be even beneficial to keep these tags active; for example, tagged items may be used for smart-home applications or to help disabled people.
The most common approach to security and privacy is by deploying cryptography. Using cryptographic mechanisms (e.g., symmetric and asymmetric cryptographic algorithms, strong one way hash functions), the following cryptographic services can be implemented (ISO, 1995):
• Authentication: This ensures that the peer communicating entity is the one claimed.
• Confidentiality: This prevents unauthorized disclosure of data.
• Integrity: This ensures that any modification, insertion, or deletion of data is detected.
• Access control: This enables authorized use of resources.
• Nonrepudiation: This provides proof of origin and proof of delivery, such that false denying of the message content is prevented.
• Auditing: This enables detection of suspicious activities and analysis of successful breaches. It provides evidence when resolving legal disputes.
In case of RFID tags, authentication, confidentiality, and access control can be applied to counter threats described at the beginning of this section. But to make these security services operational, key management (i.e., handling of cryptographic algorithms’ keys) has to be resolved (Trček). This is a complex issue in open environments and has been known as such for almost two decades. Suffice it to say that only very simple key management schemes are acceptable for RFID environments.
With regard to security and privacy, it is required that authentication, and consequently access control, is provided only to legitimate readers. Further, rogue readers should not be disclosed a tag’s ID, but should also be prevented from tracing a tag, regardless of the inaccessibility of its ID. Put another way, when rogue readers interact with a tag, it should be practically impossible (i.e., computationally difficult) to link the multiple manifestations of a tag to this very tag.
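
The requirement stated above (a legitimate reader can identify a tag, while a rogue reader can neither read its ID nor link two sightings of it) is illustrated below as an added example; it is not code from the chapter. It uses a hash-based challenge-response with tag-side randomness, in the style of randomized hash-lock schemes, which the chapter does not itself specify. SHA-256, the 8-byte nonces and all function and class names are assumptions; a real tag would need a lightweight one-way function that fits its gate budget.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 8  # bytes; assumed nonce size for this example


def static_tag_answer(tag_id):
    """Reference tag from the text: every reader gets the same fixed 96-bit ID."""
    return tag_id


def private_tag_answer(tag_id, reader_nonce):
    """Tag mixes the reader's challenge with fresh randomness of its own.

    Only (tag_nonce, H(ID || reader_nonce || tag_nonce)) goes on air, so the ID
    is never transmitted and no two answers repeat.
    """
    tag_nonce = secrets.token_bytes(NONCE_LEN)
    digest = hashlib.sha256(tag_id + reader_nonce + tag_nonce).digest()
    return tag_nonce, digest


class BackEnd:
    """Legitimate reader plus back-end database that holds the known tag IDs."""

    def __init__(self, known_ids):
        self.known_ids = list(known_ids)

    def identify(self, reader_nonce, answer):
        """Return the matching tag ID, or None if no known tag produced this answer."""
        tag_nonce, digest = answer
        for tag_id in self.known_ids:
            candidate = hashlib.sha256(tag_id + reader_nonce + tag_nonce).digest()
            if hmac.compare_digest(candidate, digest):
                return tag_id
        return None


def linkable(observations):
    """Rogue-reader view: do any two sightings share a value that ties them together?"""
    seen = set()
    for obs in observations:
        fields = obs if isinstance(obs, tuple) else (obs,)
        if any(field in seen for field in fields):
            return True
        seen.update(fields)
    return False


def demo():
    # Constructed sample data: three random 96-bit tag IDs known to the back end.
    ids = [secrets.token_bytes(12) for _ in range(3)]
    backend = BackEnd(ids)
    tag = ids[1]

    static_seen = [static_tag_answer(tag) for _ in range(2)]

    c1 = secrets.token_bytes(NONCE_LEN)
    c2 = secrets.token_bytes(NONCE_LEN)
    a1 = private_tag_answer(tag, c1)
    a2 = private_tag_answer(tag, c2)

    stranger = private_tag_answer(secrets.token_bytes(12), c1)
    return {
        "static_linkable": linkable(static_seen),          # same ID seen twice
        "private_linkable": linkable([a1, a2]),            # fresh values each time
        "identified": backend.identify(c1, a1) == tag,     # back end finds the tag
        "replay_accepted": backend.identify(c2, a1) is not None,  # old answer, new challenge
        "stranger_identified": backend.identify(c1, stranger) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The back-end search is linear in the number of known tags, and the hash hides the ID only if IDs are unpredictable secrets, which a structured manufacturer/brand/model/serial layout is not.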
Security and Privacy Approaches for Wireless Local and Metropolitan Area Networks (LANs & MANs)
Medium Access Control (MAC): The function in IEEE networks that arbitrates use of the network capacity and determines which stations are allowed to use the medium for transmission.
MPDU: MAC protocol data unit is a fancy name for frame. The MPDU does not, however, include PLCP headers.
MSDU: MAC service data unit is the data accepted by the MAC for delivery to another MAC on the network. MSDUs are composed of higher-level data only. For example, an 802.11 management frame does not contain an MSDU.
OFDM: Orthogonal frequency division multiplexing is a technique that splits a wide frequency band into a number of narrow frequency bands and inverse multiplexes data across the subchannels. Both 802.11a and the forthcoming 802.11g standards are based on OFDM.
Open Systems Interconnection (OSI): A baroque compendium of networking standards that was never implemented because IP networks actually existed.
Request for Comments (RFC): A series of numbered documents (RFC 822, RFC 1123, etc.), developed by the Internet Engineering Task Force (IETF) that set standards and are voluntarily followed by many makers of software in the Internet community.
Wireless Application Protocol (WAP): A standard for providing cellular telephones, pagers, and other handheld devices with secure access to e-mail and text-based Web pages. Introduced in 1997 by Phone.com, Ericsson, Motorola, and Nokia, WAP provides a complete environment for wireless applications that includes a wireless counterpart of TCP/IP and a framework for telephony integration, such as call control and telephone book access. WAP features the wireless markup language (WML), which was derived from Phone.com’s HDML and is a streamlined version of HTML for small-screen displays. It also uses WMLScript, a compact JavaScript-like language that runs in limited memory. WAP also supports handheld input methods, such as a keypad and voice recognition. Independent of the air interface, WAP runs over all the major wireless networks in place now and in the future. It is also device-independent, requiring only a minimum functionality in the unit to permit use with a myriad of telephones and handheld devices.
Chapter XLVII
End-to-End (E2E) Security
Approach in WiMAX:
A Security Technical Overview for
Corporate Multimedia Applications
Sasan Adibi
University of Waterloo, Canada
Gordon B. Agnew
University of Waterloo, Canada
Tom Tofigh
WiMAX Forum, USA
Abstract
An overview of the technical and business aspects is given for the corporate deployment of services
over worldwide interoperability for microwave access (WiMAX). WiMAX is considered to be a strong
candidate for the next generation of broadband wireless access; therefore its secur
chapter provides an overview of the inherent and complementary benefits of broadband de
a long haul wireless pipe, such as WiMAX. In addition, we explore end-to-end (E2E) security structures
necessary to launch secure business and consumer class services. The main focus of this chapter is to
look for a best security practice to achieve E2E security in both vertical and horizontal markets. The E2E
security practices will ensure complete coverage of the entire link from the client (user) to the server. This
is also applicable to wireless virtual private network (VPN) applications where the tunneling mec
between the client and the server ensures complete privacy and security for all users. The same idea
for E2E security is applied to client-server-based multimedia applications, such as in Internet protocol
(IP) multimedia subsystem (IMS) and voice over IP (VoIP) where secure client/server communicatio
required. In general, we believe that WiMAX provides the opportunity for a new class of high data rate
symmetric services. Such services will require E2E security schemes to ensure risk-free high data-rate
uploads and downloads of multimedia applications. WiMAX provides the capability for embedded security
functions through the 802.16 security architecture standards. IEEE 802.16 is further subcategorize
802.16d (fixed-WiMAX) and 802.16e (mobile-WiMAX). Due to the mobility and roaming capabilities in
802.16e and the fact that the medium of signal transmission is accessible to everyone, there
extra security considerations applied to 802.16e. These extra features include: privacy key ma
version 2 (PKMv2), PKM-extensible authentication protocol (EAP) authentication method, advanced
encryption standard (AES) encryption wrapping, and so forth. The common security features of 802.16d
and 802.16e are discussed in this chapter, as well as the highlights of the security comparison
other broadband access, third-generation (3G) technologies, and WiMAX.
Why Wireless Networks Could Not Provide the Required Security
There were two main reasons why wireless was never considered as a secured high-performance backbone option for business and corporate applications. The first issue was the bandwidth limitations of wireless links and the second issue was the high security requirements of VPNs and IMS applications. The 802.11-based systems have an upper limit on bandwidth of 54 Mbps for 802.11g, however in real-world applications, this rate seldom tops more than 20-25 Mbps due to the overhead in the medium access control (MAC) layer. It is also very difficult to have a minimum guaranteed bandwidth for real-time applications such as VoIP and videoconferencing.
The current Wi-Fi security standard is presented in 802.11i, which contains many fixes for the security concerns in 802.11. However 802.11i has not been widely implemented and distributed among end-users and WiMAX is expected to dominate the market before 802.11i can affect the market. Therefore the main security comparisons are between Wi-Fi (802.11a/g) and 802.16. The main reasons for this weakness can be categorized as follows (Gast, 2004):
Problem #1: Easy Access
Since Wi-Fi networks generate beacon frames containing the network parameters all of the time, attackers with high gain antennas can find networks and launch attacks. With the inherent and add-on security features, WiMAX is expected to be resilient against such attacks.
Problem #2: “Rogue” Access Points
Anyone can have access to an inexpensive access point (AP) and get connected to a corporate network and bypass authorization. In WiMAX networks, an E2E security scheme can protect APs against such a scenario.
Problem #3: Unauthorized Use of Service
Nearly all APs have default configurations with wired equivalent privacy (WEP) or with a default key used in WEP by all the vendor’s products. Without WEP, a network can be accessed by anyone. Even with WEP enabled, a network is not considered to be secure nowadays.
Problem #4: Performance and Service Constraints
802.11b and 802.11g both have limited transmission capacities (11 and 54 Mbps) and due to MAC-layer overhead, the actual effective throughput is close to half of that rate. In addition, bandwidth is not guaranteed.
Problem #5: MAC Spoofing and Session Hijacking
802.11 networks do not authenticate frames and there is no protection against a forgery of the frame source address attack. Here, attackers can use spoofed frames to redirect traffic and corrupt address resolution protocol (ARP) tables. Station MAC addresses could easily be observed and engaged in malicious transmissions. Any user with a strong transmitter can be situated in the middle of a new session and potentially steal credentials and gain access through a man-in-the-middle (MITM) attack.
Problem #6: Traffic Analysis and Eavesdropping
802.11 is totally vulnerable to passive attacks. There is no security of the header information, thus, no protection against eavesdropping. Frame headers are always “in the clear” and sender-receiver pairs are vulnerable to traffic analysis.
Problem #7: Higher Level Attacks
Once an attacker gains access (either through session-hijacking, MITM, spoofing attacks, or through breaking the WEP secure key), it is possible to use that AP to launch attacks on other systems, which are within the trusted domain of the initially attacked AP.
The main reason for the failure of security in wireless networks is the fact that there are many weaknesses in the mechanisms and protocols used in the architecture.
Figure 1. IEEE 802.16 lower layers (Adapted from "Part 16," 2004)
entities; namely BS and subscriber station (SS), is done at the MAC layer through security sublayer, which has five entities (Chandra, 2002):
• Security associations: A security association (SA) is a set of security information parameters that a BS and one or more of its client SSs share in order to support secure communications. Three types of SAs are defined as (Johnston & Walker, 2004) primary, static, and dynamic (Figure 2), which define the security keys and associations established between a SS and a BS during the authorization phase.
• X.509 certificate profile: This defines a digital certificate to verify the identity of subscribers and prevents impersonation (unauthorized SS or BS)
• PKM authorization: The privacy key management (PKM) protocol is responsible for privacy, key management, and authorizing an SS to the BS. The initial draft for WiMAX mandates the use of PKMv1 (Johnston & Walker, 2004), which is a one-way authentication method. PKMv1 requires only the SS to authenticate itself to the BS, which poses a risk for a MITM attack. To overcome this issue, PKMv2 was proposed (later adopted by 802.16e), which uses a mutual (two-way) authentication protocol. Here, both the SS and the BS are required to authorize and authenticate each other
• Privacy and key management: The privacy of the communications between the SS and the BS is achieved through the PKM protocol. Phifer, L. (2003, September). Applying RADIUS to Wireless LANs, using RADIUS For WLAN Authentication, Part I, from http://www.wi-fiplanet.com/tutorials/article.php/10724_3114511_1
• Encryption: The data communication between each SS and BS is encrypted using the advanced encryption standard (AES), with at least 128 bit keys. According to FIPS 140-2, AES-128 is computationally secure for data up to SECRET level for the next 10 years.
According to the initial drafts of WiMAX, the security sublayer provides enough security mechanisms to provide privacy, authentication, and encryption over the airlink. However, in order to achieve maximal security strength, true end-to-end security is required for a corporate wireless backbone, which enhances the security mechanisms specified by the initial drafts.
Security at Upper Layers
IEEE 802.16’s main focus on the security issue is at the MAC layer, therefore WiMAX has the
Figure 2. Security model of the privacy sublayer (Adapted from Barbeau, 2005)
• ES 201 671: Lawful Interception (LI); Telecommunications Security; Handover Interface for the Lawful Interception of Telecommunications Traffic (revised version).
• ES 201 158: Lawful Interception (LI); Telecommunications Security; Requirements for Network Functions
The IETF believes that designed mechanisms, which facilitate or enable wiretapping, or methods of using other facilities for such purposes, should be described openly, so as to ensure the maximum review of the mechanisms and to ensure that they adhere as closely as possible to their design constraints. This is considered by Cisco (Figure 3) for
Figure 3. Lawful intercept architecture reference model (Adapted from Mulholland, 2006)
IMS works: session initiations between two IMS users, between an IMS user and a user on the Internet, or between two users on the Internet. IMS uses similar protocols for such initiations. Furthermore, service developers use IP protocol stack for the interfaces, which is why IMS can truly merge the Internet with the cellular world. This merge is done by using the cellular and mobile technologies, which provide ubiquitous access and Internet connections, which provides appealing services. Accordingly, WiMAX enjoys one of the most enhanced cellular technologies, which could work in the most efficient method delivering IMS data and applications.
In regards to the IMS security requirements, WiMAX security mechanisms are there to ensure all communicating parties, which gain access to the media, are legitimate and all parties wishing to gain access are thoroughly authenticated through the authentication and authorization protocols. This has to be done before any access is permitted. An ongoing mutual authentication mechanism ensures no illegitimate entity can hijack a session and abduct an already authenticated link and take over the communications at any points.
IMS is designed to work on either fixed or mobile systems. Since WiMAX offers most of the advantages of fixed networks, it is expected that IMS is going to be offered on a pure WiMAX backbone to address corporate and end-user requirements. The fact that WiMAX is based on an all-IP core structure makes it a perfect match for IMS, with its so many IP-based services in use. These services include voice over IP (VoIP), push to talk over cellular (POC), multiparty games, videoconferencing, messaging, community services, presence information, and content sharing.
Security of VoIP
One of the most important applications of IMS is the VoIP that runs over the standard IP. A VoIP system uses protocols, such as, H.323, MGCP, MEGACO, and/or session initiation protocol (SIP) for signaling, and real time protocol/real time control protocol (RTP/RTCP) for media transport and control. The threats for this type of scenario (client/server), as well as in IMS/WiMAX applications, including (Ramana Mylavarapu, 2005):
• Client impersonation (unauthorized client seeks access)
• Server impersonation (unauthorized server pretends to be authorized)
• Message tampering (additions, deletions, or delay of the message contents)
• Session tampering/hijacking (once the session between a legitimate client and server is established, an unauthorized entity takes the session)
• Signaling requests resulting in DoS attacks
To protect against any of the aforementioned vulnerabilities, an extensive two-way authentication method is used to ensure both the client’s and the server’s right of access and the establishment of IPSec security associate with the IMS terminal. This prevents the mentioned vulnerabilities as well as snooping attacks and replay attacks and to protect the privacy of every individual user.
Security issues in regards to SIP could also be summarized as follows (Access security for IP-based services, 2002):
• Protection mechanism of SIP signaling between the IMS server and the subscriber
• Subscriber’s self authentication mechanism
• Subscriber’s authentication mechanism to the IMS server
The reactive and proactive security measures are the encryption/decryption of SIP messages and deploying interconnection border control function (IBCF). IBCF is used as a gateway to external networks and provides network address translation (NAT) and firewall functions (Mylavarapu, 2005), two-way authentication-authorization schemes, and secure tunneling.
To enhance the deployment of IPSec, it is recommended to deploy IPv6 (Saito, 2003), which is the next generation Internet protocol. The important factor of IPv6 is its mandate for utilizing IPSec. Using a two-way IPSec connection (two one-way IPSec patterns) is required for an end-to-end security scheme (Saito, 2003).
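
The difference between one-way authentication (as described for PKMv1) and two-way authentication (as described for PKMv2 and for the IMS client/server case above) is shown below as an added example; it is not code from the chapter or from any 802.16 or IMS implementation. It models both sides with a pre-shared operator key and HMAC challenge-response rather than the X.509 certificates that 802.16 uses, and the class, function and message names are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample secret: the key a legitimate operator provisions on both sides.
OPERATOR_KEY = secrets.token_bytes(32)


def mac(key, role, first, second):
    """Proof of key possession, bound to a role label and to both nonces.

    The role label (b"BS" or b"SS") stops one side's proof from being
    reflected back as the other side's proof.
    """
    return hmac.new(key, role + b"|" + first + b"|" + second, hashlib.sha256).digest()


class BaseStation:
    def __init__(self, key):
        # key=None models a rogue BS that the operator never provisioned.
        self.key = key
        self.ss_nonce = None
        self.bs_nonce = None

    def challenge(self, ss_nonce):
        """Message 2: BS nonce plus the BS's own proof over both nonces."""
        self.ss_nonce = ss_nonce
        self.bs_nonce = secrets.token_bytes(16)
        key = self.key if self.key is not None else secrets.token_bytes(32)
        return self.bs_nonce, mac(key, b"BS", ss_nonce, self.bs_nonce)

    def accept(self, ss_proof):
        """Message 3 check: does the subscriber know the operator key?"""
        if self.key is None:
            return True  # a rogue BS waves every subscriber through
        expected = mac(self.key, b"SS", self.bs_nonce, self.ss_nonce)
        return hmac.compare_digest(expected, ss_proof)


def handshake(ss_key, bs, mutual):
    """Run one authorization exchange from the subscriber station's side.

    mutual=False: only the SS proves itself (one-way).
    mutual=True:  the SS first checks the BS's proof (two-way).
    Returns "attached", "rejected_by_bs" or "aborted_by_ss".
    """
    ss_nonce = secrets.token_bytes(16)                 # message 1
    bs_nonce, bs_proof = bs.challenge(ss_nonce)        # message 2
    if mutual:
        expected = mac(ss_key, b"BS", ss_nonce, bs_nonce)
        if not hmac.compare_digest(expected, bs_proof):
            return "aborted_by_ss"                     # SS sends no proof of its own
    ss_proof = mac(ss_key, b"SS", bs_nonce, ss_nonce)  # message 3
    return "attached" if bs.accept(ss_proof) else "rejected_by_bs"


def demo():
    legit_bs = BaseStation(OPERATOR_KEY)
    rogue_bs = BaseStation(None)
    wrong_key = secrets.token_bytes(32)
    return {
        "one_way_legit_bs": handshake(OPERATOR_KEY, legit_bs, mutual=False),
        "one_way_rogue_bs": handshake(OPERATOR_KEY, rogue_bs, mutual=False),
        "mutual_legit_bs": handshake(OPERATOR_KEY, legit_bs, mutual=True),
        "mutual_rogue_bs": handshake(OPERATOR_KEY, rogue_bs, mutual=True),
        "one_way_unknown_ss": handshake(wrong_key, legit_bs, mutual=False),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

In the one-way run the subscriber attaches to the unprovisioned base station, which is the MITM exposure the text attributes to PKMv1; the two-way run stops at message 2.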
Brown, I. (2006). The Internet standards process. Retrieved October 23, 2007, from http://www.cs.ucl.ac.uk/staff/I.Brown/infosoc-course/internetstandards.ppt
Chandra, P. (2002, July 30). Securing WLAN links: Part 3. Telogy networks. Retrieved October 23, 2007, from http://www.CommsDesign.com
Gast, M. (2004). The top seven security problems of 802.11 wireless (Airmagnet technical white paper).
Johnston, D., & Walker, J. (2004). Overview of IEEE 802.16 security. International Journal.
Mulholland, C. (2006, February 8). Cisco systems lawful intercept capabilities.
Mylavarapu, R. (2005, August 1). Security considerations for WiMAX-based converged network. RFDESIGN.
Part 16: Air Interface for Fixed Broadband Wireless Access Systems, IEEE Std 802.16-2004 (http://standards.ieee.org/getieee802/download/802.16-2004.pdf)
Product Overview. (2006). Citrix GoToMyPC corporate. Retrieved October 23, 2007, from https://www.gotomypc.com/downloads/pdf/m/GoToMyPC_Corporate_Product_Overview.pdf
Saito, Y. (2003, December). IPv6 and new security paradigm. NTT communications.
Technical Specification Group Services and System Aspects; 3G Security; Access security for IP-based services (Release 5). ARIB STD-T63-33.203, 2002-06
Chapter XLVIII
Evaluation of Security
Architectures for Mobile
Broadband Access
Symeon Chatzinotas
University of Surrey, UK
Jonny Karlsson
Arcada University of Applied Sciences, Finland
Göran Pulkkis
Arcada University of Applied Sciences, Finland
Kaj Grahn
Arcada University of Applied Sciences, Finland
Abstract
During the last few years, mobile broadband access has been a popular concept in the context of fourth
generation (4G) cellular systems. After the wide acceptance and deployment of the wired broadband
connections, such as DSL, the research community in conjunction with the industry have tried to de-
velop and deploy viable mobile architectures for broadband connectivity. The dominant architectures
which have already been proposed are Wi-Fi, universal mobile telecommunications system (UMTS),
WiMax, and flash-orthogonal frequency division modulation (OFDM). In this chapter, we analyze the
protocols with respect to their security mechanisms. First, a detailed description of the authentication,
confidentiality, and integrity mechanisms is provided in order to highlight the major security
threats. Subsequently, each threat is evaluated based on three factors: likelihood, impact, and risk.
The technologies are then compared taking their security evaluation into account. Flash-OFDM is not
included in this comparison since its security specifications have not been released.
Future trends of mobile broadband access, such as the evolution of WiMax, mobile broadband wireless
access (MBWA), and 4G are discussed.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
Evaluation of Security Architectures for Mobile Broadband Access
In this context, Wi-Fi alliance is an organization testing products in order to evaluate that they correctly implement the set of standards defined in the IEEE 802.11 specification. After the products have successfully passed these tests, they are allowed to use the Wi-Fi logo.
Security Architecture
Wi-Fi security standards include wired equivalent privacy (WEP), Wi-Fi protected access (WPA), and WPA2. WEP was the first introduced security standard. WPA was designed to be a security protocol that corrects the security deficiencies of WEP and to be backward compatible with existing hardware. The last development in Wi-Fi security is the WPA2 standard which was published in June 2004 by the IEEE 802.11i group. WPA2 was designed to offer a further improved security scheme (Edney & Arbaugh, 2003). The aforementioned security specifications are analyzed and compared in the following paragraphs.
Authentication
Authentication services are utilized to allow a client to communicate with the serving access point. After successful authentication, a session is initiated and it can be terminated by either the client or the access point. Wi-Fi provides the following link-layer authentication schemes:
• Closed system authentication
• Media access control (MAC) filtering
• WEP authentication—Shared RC4 key
• WPA and WPA2 authentication—802.1X/extensible authentication protocol (EAP)
Closed system authentication, MAC filtering, and WEP authentication are not recommended due to their well-known serious security flaws (Borisov, Goldberg, & Wagner, 2001; Lynn & Baird, 2002; Welch & Lathrop, 2003).
WPA and WPA2 security schemes have some major design differences from WEP, since the authentication and the confidentiality processes operate totally independently from each other (Baek, Smith, & Kotz, 2004). The authentication process of WPA and WPA2 adopts the three-entity model of IEEE 802.1x which was originally designed for the point-to-point protocol (IEEE, 2001). The three entities involved in this protocol are the client, the access point (AP), and the authentication server (AS). First, the client requests to obtain access to the network. The AP acts as a network guard, allowing access only to the clients that the AS has authenticated. Finally, the AS is responsible for deciding whether the client is allowed to access the network. These three entities utilize EAP to exchange communication messages in order to coordinate the authentication process (Stanley, Walker, & Aboba, 2005).
In addition, there is a lighter version of WPA, called WPA-preshared key (WPA-PSK). This version is based on a shared secret key or passphrase in order to authenticate the wireless clients. As a result, an attacker can use a wireless sniffer to capture the 4-way WPA handshake, log the packets, and then try a brute force attack using a dictionary file (Van de Wiele, 2005). Thus, if WPA-PSK is deployed, the robustness of the network security totally depends on the length and the complexity of the secret key.
Encryption
Encryption services are utilized to provide confidentiality over wireless communication links. In Wi-Fi networks the following encryption schemes are available:
• WEP based on the RC4 (Ron’s Code 4) stream cipher
• WPA encryption based on the temporal key integrity protocol (TKIP)
• WPA2 encryption based on the advanced encryption standard (AES)
WEP is a weak implementation of the RC4 stream cipher and WEP encryption is thus not recommended (Borisov et al., 2001; Stubblefield, Ioannidis, & Rubin, 2002; Welch & Lathrop, 2003).
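
Why WEP's RC4 encryption combined with an unkeyed CRC-32 checksum cannot detect tampering, which is the linearity weakness this chapter attributes to Welch & Lathrop (2003) in its Integrity discussion. This Python example is added here and is not from the chapter; the IV, keys, payload, and the truncated HMAC-SHA256 tag standing in for a keyed MIC are constructed assumptions.

```python
import hashlib
import hmac
import struct
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (key schedule + output generator); returns n keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc_icv(data: bytes) -> bytes:
    """WEP-style integrity check value: plain CRC-32 of the plaintext, no key."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def keyed_tag(mac_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in for a keyed MIC (assumption: truncated HMAC-SHA256, not Michael or CCMP)."""
    return hmac.new(mac_key, iv + data, hashlib.sha256).digest()[:8]


def seal(iv: bytes, key: bytes, data: bytes, tag: bytes) -> bytes:
    """Encrypt data||tag with the per-frame RC4 key IV||key, as WEP does."""
    body = data + tag
    return xor(body, rc4_keystream(iv + key, len(body)))


def open_frame(iv, key, frame, tag_len, verify):
    """Decrypt, split off the tag, and return the data only if verify() accepts it."""
    body = xor(frame, rc4_keystream(iv + key, len(frame)))
    data, tag = body[:-tag_len], body[-tag_len:]
    return data if verify(data, tag) else None


def crc_icv_delta(delta: bytes) -> bytes:
    """ICV change caused by XORing `delta` into any message of the same length.

    CRC-32 is affine over XOR: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(00..0),
    so the change depends only on `delta`, never on the message or the key.
    """
    return xor(crc_icv(delta), crc_icv(bytes(len(delta))))


def demo() -> dict:
    iv = bytes.fromhex("0a0b0c")         # constructed 24-bit IV
    key = bytes.fromhex("0102030405")    # constructed 40-bit WEP key
    mac_key = b"constructed-mic-key"     # constructed key for the keyed tag
    msg = b"temp=0100;unit=C"            # constructed frame payload

    # A change made in transit without any key: flip bits of one payload byte.
    delta = bytearray(len(msg))
    delta[5] = 0x09                      # '0' (0x30) XOR '9' (0x39)
    delta = bytes(delta)

    # WEP-like frame: the XOR passes straight through RC4 and the ICV is
    # adjusted by a value computed from delta alone, so the check still passes.
    wep = seal(iv, key, msg, crc_icv(msg))
    wep_mod = xor(wep, delta + crc_icv_delta(delta))
    wep_result = open_frame(iv, key, wep_mod, 4, lambda d, t: t == crc_icv(d))

    # Same cipher with a keyed tag: the matching tag change needs mac_key.
    good = seal(iv, key, msg, keyed_tag(mac_key, iv, msg))
    mic_mod = xor(good, delta + bytes(8))
    check = lambda d, t: hmac.compare_digest(t, keyed_tag(mac_key, iv, d))
    return {
        "wep_accepts_modified": wep_result,
        "mic_accepts_modified": open_frame(iv, key, mic_mod, 8, check),
        "mic_accepts_original": open_frame(iv, key, good, 8, check),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The CRC-protected frame decrypts to the altered payload and passes its check, while the frame carrying a keyed tag is rejected once modified.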
WPA encryption is based on TKIP. It incorporates the basic functionalities of WEP, but improvements have been made to address the security flaws. The length of the initialization vector (IV) has been increased from 24 bits to 48 bits and therefore the possibility of reused keys has been significantly decreased. Furthermore, WPA does not directly utilize the master keys. Instead it constructs a hierarchy of derived keys to be utilized in the encryption process. Finally, WPA dynamically cycles keys while transferring data. Since keys are regularly changed, a malicious user has a very short time window to attempt an attack.
WPA2 was designed from scratch taking the vulnerabilities of the previous security architectures into account. WPA2 allows various network implementations, but the default configuration utilizes the advanced encryption standard (AES) and the counter mode CBC MAC protocol (CCMP). AES is a block cipher, operating on blocks of 128 bit data, and is a replacement of the RC4 algorithm used by WPA. AES is much more robust since it has already been tested in various security architectures without revealing serious vulnerabilities. CCMP comprises two main parts. The first is the counter mode (CM) which is responsible for the privacy of the data in combination with AES. The second is the cipher block chaining message authentication code (CBC-MAC) providing data integrity checking and authentication.
Integrity
Integrity services are responsible for making sure that transmitted information is not replayed or modified during transmission. The following techniques are applicable in Wi-Fi networks:
• WEP cyclic redundancy check (CRC-32) Checksum
• WPA Integrity
• WPA2 Integrity
WEP checksum is a noncryptographic linear function of the plaintext. This means that multiple messages may correspond to a single 32-bit number. Hence, an experienced intruder could modify the plaintext in such a way that the checksum remains unchanged. Furthermore, due to the linearity of both the RC4 stream cipher and the CRC-32 checksum, the attacker is able to change the message even when he does not know the plaintext (Welch & Lathrop, 2003).
WPA has incorporated mechanisms for the prevention of replay attacks. More specifically, the TKIP sequence counter (TSC) based on the IVs is utilized, so that the receiver can identify and reject “replayed” messages. Furthermore, WPA uses an improved integrity mechanism in order to generate the message integrity check (MIC). This mechanism, called Michael, is able to detect possible attacks and deploy countermeasures to prevent new attacks.
WPA2 utilizes CCMP for providing integrity services. CCMP generates a MIC using the CBC-MAC method. In this method, even the slightest change in the plaintext will produce a totally different checksum.
Security Vulnerabilities
Although the Wi-Fi security architecture has been greatly improved since WEP, there are still vulnerabilities which cannot be addressed by WPA2. These vulnerabilities can lead to a number of link layer denial-of-service (DoS) attacks (Van de Wiele, 2005). All the DoS techniques described here are fairly easy to use with freely available tools found on the Internet. In most of the cases, the attacker will use different forged MAC addresses to mount DoS attacks. These attacks can be detected by specialized hardware (e.g., air monitor, security aware access point) which can detect the misuse of the infrastructure. Furthermore, this specialized hardware can notify the people responsible for the follow-up of a DoS incident and give an estimate on where the attacker is located by considering the signal and noise levels.
Disassociation Storm
Before any wireless communication can occur, a client has to send an association frame to the access point asking to join the network. Similarly,
after the end of the wireless session, the access point or client has to send a disassociation frame to terminate the connection. The frames of these messages are broadcasted and can be sniffed by an attacker. The attacker can then flood the network with spoofed disassociation frames every time the client tries to join the network, thus disrupting the association process and the network access.
Authenticated / Deauthenticated Storm
The aforementioned principle can be exploited in order to disconnect a client and try to keep the client disconnected. This technique starts by sending a spoofed deauthentication frame followed by a disassociation frame in order to make sure that the client has disconnected from the legitimate access point. In a more advanced version of this attack, a fake probe request and some beacon frames are transmitted in order to force the client to connect to a rogue access point which ignores or monitors the client’s traffic.
UMTS
Universal mobile telecommunications system (UMTS) is one of the third generation (3G) wireless cellular technologies for mobile communication. Mobile devices like smartphones, laptops, and handheld computers can be used. UMTS is standardized by the 3G partnership project (3GPP) and it is mainly deployed in Europe and Japan. Theoretically UMTS supports up to 1920 Kbps data transfer rates, but currently the real world performance can reach 384 Kbps. It uses the W-code division multiple access (CDMA) technology over two 5 MHz channels, one for uplink and one for downlink. The specific frequency bands originally defined by the UMTS standard are 1885-2025 MHz for uplink and 2110-2200 MHz for downlink.
In UMTS network topology, a mobile station is connected to a visited network by means of a radio link to a particular base station (Node B). Multiple base stations of the network are connected to a radio network controller (RNC) and multiple RNCs are controlled by a general packet radio service (GPRS) support node (GSN) in the packet-switched case. The visitor location register (VLR) and the serving GSN keep track of all mobile stations that are currently connected to the network. Every subscriber can be identified by its international mobile subscriber identity (IMSI). In order to protect against profiling attacks, this permanent identifier is sent over the air interface as infrequently as possible. What is more, locally valid temporary mobile subscriber identities (TMSI) are used to identify subscribers whenever possible. Every UMTS subscriber has a dedicated home network with which the subscriber shares a long term secret key Ki. The home location register (HLR) keeps track of the current location of all subscribers of the home network. Mutual authentication between a mobile station and a visited network is carried out with the support of the current serving GSN (SGSN) or the mobile switching center (MSC)/VLR respectively.
The new series of 3.5G mobile telephony technologies, known as high speed packet access (HSPA), will provide more bandwidth to the end-user, improved network capacity to the operator, and enhanced interactivity for data applications. HSPA refers to the improvements made in the UMTS downlink, known as high speed downlink packet access (HSDPA), and the UMTS uplink, usually referred to as high speed uplink packet access (HSUPA) but also referred to as enhanced dedicated channel (E-DCH).
HSDPA provides a bandwidth of 14.4 Mbps/user. For multiple-input-multiple-output (MIMO) systems up to 20 Mbps can be achieved. Both HSDPA and HSUPA can be implemented in the standard 5 MHz carrier of UMTS networks and can coexist with original UMTS networks. As HSPA specifications refer only to the access network, there is no change required in the core network (CN) except from the high data-rate links required to handle the increase in clients’ traffic generated by HSPA.
Security Architecture
The 3G security architecture is based on GSM, but certain improvements are added in order to correct the described security vulnerabilities.
Security Vulnerabilities
3G security has been significantly improved compared to GSM. However, there are still vulnerabilities
related to the backwards compatibility with
GSM. Meyer and Wetzel (2004a, 2004b) present
a man-in-the-middle attack which can be mounted
even if the subscriber utilizes a 3G enabled device
within a 3G base station coverage. The described
attack goes far beyond the anticipations of the
3GPP group. UMTS subscribers are vulnerable
to what 3GPP calls a “false base station attack” even if subscribers are roaming in a pure UMTS network and even though UMTS authentication is applied.
This attack can be categorized as a “roll-back attack.” This category of attacks exploits weaknesses of old versions of algorithms and protocols by means of the mechanisms defined to ensure backward compatibility of newer and stronger versions. According to this technique, the attacker acts on behalf of the victim’s mobile station in order to obtain a valid authentication token AUTN from any real network. It is assumed that the attacker has already retrieved the IMSI of the targeted subscriber, since the latter is sent in clear-text when establishing a TMSI. The attacker can capture the AUTN by initiating the AKA procedure with any legitimate network. The next step is to impersonate a valid GSM base station to the victim mobile station. The mobile station connects and verifies the rogue BS, since it possesses a valid AUTN. Subsequently, the rogue BS is configured
by the attacker to utilize “no encryption” or weak encryption. Finally, the attacker can send to the mobile station the GSM cipher mode command including the chosen encryption algorithm. The man-in-the-middle attack is mounted and the attacker can use passive or active eavesdropping without being detected.
WiMAX
The IEEE 802.16 or broadband wireless access (BWA) Working Group was established in 1999 to prepare specifications for broadband wireless metropolitan area networks. The first 802.16 standard was approved in December 2001 and was followed by three amendments: 802.16a, 802.16b and 802.16c. In 2004 the 802.16-2004 standard (IEEE-SA, 2006) was released and the earlier 802.16 documents including the a/b/c amendments were withdrawn. An amendment to the standard 802.16e (IEEE-SA, 2006) addressing mobility was introduced in 2005. The main additions of the 802.16e were low density parity check (LDPC) codes at the physical layer, enhanced MIMO setup functions, new states for MS operation, parameter-defined power saving classes of mobiles, and enhanced FFT sizes for scalable OFDMA.
WiMax aims at providing high data rate triple-play wireless services to fixed users, to nomadic users, and to users of mobile devices. It is based on a low latency quality of service (QoS) architecture in order to provide real-time multimedia services. It operates on the 2-6 GHz (IEEE802.16e) and 10-66 GHz (IEEE802.16-2004) frequency bands and it uses the OFDMA technology for modulation and medium access.
Security Architecture
WiMax has been designed with security in mind, especially after the serious vulnerabilities discovered in the original Wi-Fi security protocol. The IEEE 802.16 specifications include a security sublayer within the MAC layer. The IEEE 802.16 security architecture is based on the following issues:
• Authentication: The baseline authentication architecture, by default, employs a public key infrastructure (PKI) based on X.509 certificates. The base station (BS) validates the client’s certificate before permitting access to the physical layer (see Figure 3). First, the subscriber station (SS) sends to the BS an authorization request containing the certificate, the available security capabilities, and the security association identifier (SAID). The BS verifies the certificate and generates a 128 bit authentication key (AK). Then, the BS sends to the SS an authorization reply, which contains the AK encrypted with SS’s public key, the AK’s lifetime, the selected security suite, and an AK sequence number. The SS uses its private key to recover the AK, which can now be utilized as an authentication token in further communication.
• Key exchange: The SS and the BS can agree on a transport encryption key (TEK), which will be utilized for data encryption (see Figure 3). TEK is randomly generated by the BS. The AK established during authentication is used to derive two additional keys:
  ° Message authentication key (HMAC key), which is utilized to provide message integrity and AK confirmation during the key exchange process.
  ° Key encryption key (KEK), which is utilized for encrypting the TEK before sending it back to the SS. The modes for encrypting TEK are:
    a. 3DES with a 112 bit KEK
    b. AES with a 128 bit KEK
    c. RSA using SS’s public key
• Data encryption and integrity: The modes for implementing data privacy are:
  ° Data encryption standard (DES) with a 56 bit key and cipher block chaining (CBC), which utilizes the Initialization Vectors obtained during Key Exchange,
  ° AES with a 128 bit key and counter mode with cipher block chaining message authentication code protocol, which
provides message integrity and replay protection.
Security Vulnerabilities
WiMax supports unilateral device level authentication (Barbeau, 2005), which can be implemented in a similar way as Wi-Fi MAC filtering based on the hardware device address. Therefore, address sniffing and spoofing make a MS masquerade attack possible. In addition, the lack of mutual authentication makes a man-in-the-middle attack from a rogue BS possible. However, a successful man-in-the-middle attack is difficult because of the time division multiple access (TDMA) model in WiMax. The attacker must transmit at the same time as the legitimate BS using a much higher power level in order to “hide” the legitimate signal. Furthermore, WiMax supports mutual authentication at user network level based on the generic extensible authentication protocol (EAP) (Aboba, Blunk, Vollbrecht, Carlson, & Levkowetz, 2004). EAP variants, EAP-transport layer security (TLS) (X.509 certificate based) (Aboba & Simon, 1999) and EAP-subscriber identity module (SIM) (Haverinen & Salowey, 2004), are supported.
In the data privacy domain, the main security threat is the transmission of unencrypted management messages over the wireless link. Eavesdropping of management messages is a critical threat for
users and a major threat to a system. For example, an attacker could use this vulnerability to verify the presence of a victim at its location before perpetrating a crime. Additionally, it might be used by a competitor to map the network. Another major vulnerability is the encryption mode based on DES. The 56 bit DES key is easily broken by brute force with modern computers. Furthermore, the DES encryption mode includes no message integrity or replay protection functionality and is thus vulnerable to active or replay attacks. The secure AES encryption mode should be preferred over DES.
Finally, there is a potential for DoS attacks because authentication operations trigger the execution of long procedures. For example, a DoS attack could flood a MS with a high number of messages to authenticate. Due to low computational resources, the MS will not be able to handle a large amount of invalid messages, rendering the DoS attack successful.
Flash-OFDM
Fast low-latency access with seamless handoff orthogonal frequency division multiplexing (flash-OFDM) is an OFDM-based proprietary system which specifies the physical layer, as well as higher protocol stack layers. It is an all IP technology and it aims to compete with GSM/3G networks. Already implemented flash-OFDM technology operating in the 450 MHz frequency band can offer a maximum download speed of 5.3 Mbps and an upload speed of 1.8 Mbps.
Design objectives have included design of a high capacity physical layer, a packet-switched air interface, a contention-free and QoS-aware MAC layer, and efficient operations using existing Internet protocols. The air interface is designed and optimized across all protocol stack layers. Fast hopping across all tones in a pseudorandom predetermined pattern is employed. Channel coding and modulation are carried out on a per-segment basis and can be individually optimized for each channel. The ability to send segments of arbitrary size enables the MAC layer to perform efficient packet switching over the air interface. Given segments can be dedicated for use with predefined functionality. Thus there is no need to send overheads, such as message headers. Therefore, network layer traffic experiences small delays and no significant delay jitter.
Security Architecture
The security relies on “defence in depth,” that is, virtual private network (VPN) tunnelling and end-to-end encryption are used. Security specifications for flash-OFDM have not been presented in public (Lehtonen, Ahonen, Savola, Uusitalo, Karjalainen, Kuusela et al., 2006).
Security Analysis
A security analysis of the mobile broadband technologies Wi-Fi, UMTS, and WiMax is presented. Inclusion of flash-OFDM in this comparison is not possible because of the unavailability of public security specifications. Threats are analyzed with respect to the likelihood of occurrence, the impact on the network operation, and the global risk they represent. In the following paragraphs, we first describe in detail the evaluation and comparison methodology, and then a group of tables is presented in which the security threats of the investigated technologies are evaluated. Security threats are classified based on four main axes: authentication, confidentiality, integrity, and physical layer resilience. Finally, the security evaluations of the studied technologies are compared and presented in a concise overview table.
Methodology
The evaluation and comparison methodology was based on the method described by Barbeau (2005) and ETSI (2003). More specifically, three main criteria are considered: likelihood, impact, and risk. “Likelihood” refers to the probability that an attack associated with a specific threat is successfully launched. In this context, two variables are considered:
a. The technical difficulties of mounting the attack in terms of the required software, hardware, and estimated time duration.
b. The attacker’s motivation in terms of the level of network access or the severity of the system malfunction that the attack achieves.
Three levels of likelihood are available as described in Table 1. “Impact” refers to the consequences of an attack in terms of user and network security. The two variables of impact are:
a. User impact in terms of the severity of network access degradation.
b. System impact in terms of the severity of network degradation or outage.
Three levels of impact are available as described in Table 1. According to the level of likelihood and impact, numerical values from a predefined range are assigned to each criterion (see Table 1). For a specific threat, the “risk” refers to an overall threat level which is determined by the product of the likelihood value and impact value.
Security threats which result in a high evaluated risk value are critical and additional measures should be taken to protect the network perimeter, whereas threats which have a low risk can be tolerated without employing countermeasures.
In this point, it is worth noting that this quantitative ranking is subjective. However, this is a useful evaluation and comparison methodology which can stimulate a structured discussion based on the evaluation criteria, that is, likelihood, impact, and risk. The comparison axes are authentication, confidentiality, integrity, and physical layer resilience.
Table 1. Evaluation and comparison methodology
Criteria   | Cases    | Variables                                        | Rank
Likelihood |          | Difficulty                | Motivation           |
           | Unlikely | Strong                    | Low                  | 1
           | Possible | Solvable                  | Reasonable           | 2
           | Likely   | None                      | High                 | 3
Impact     |          | User                      | System               |
           | Low      | Annoyance                 | Very limited outages | 1
           | Medium   | Loss of service           | Limited outages      | 2
           | High     | Long time loss of service | Long time outages    | 3
Risk = Likelihood x Impact
Risk       | Minor    | No need for countermeasures                      | 1-3
           | Major    | Threat needs to be handled                       | 3-6
           | Critical | High priority                                    | 6-9
Objective-Based Comparison
This section applies the aforementioned methodology on four main objectives of wireless security architectures: authentication, confidentiality, integrity, and physical layer resilience. For each objective, a thorough discussion describes the rationale behind the ranking of the security threats.
Authentication Evaluation
Wi-Fi includes four security threats which are all ranked to have a high impact on the system, since the attacker can exploit them to override the authentication checks or launch a combination of attacks which will grant him full network access. However, the likelihood ranking greatly varies. Closed system authentication and MAC filtering are very likely to be attacked by sniffing software which is readily available on the Internet. WEP attacks are more complicated, because a combination of software is required to induce and capture network traffic and then exploit the weak IVs in order to crack the key. WPA-PSK is even more difficult to break since it requires a brute force attack. The resilience of WPA-PSK is greatly dependent on the length and the complexity of the preshared key.
UMTS is far more resilient to authentication attacks, since most of the security gaps have been identified during the deployment of GSM and tackled in the specification design of UMTS. However, UMTS includes two main authentication vulnerabilities which can be exploited to launch a man-in-the-middle attack (high impact). The IMSI hijack threat refers to the deployment of a rogue BS in order to initiate an authentication procedure and steal the IMSI of a mobile user. The motivation for this attack is high, but the equipment is expensive and complicated to configure. AUTN capture is the second step of the attack and it refers to capturing an authentication token by masquerading a MS.
It assumes that the IMSI Hijack attack has been already successfully launched. However, this attack does not require the deployment of a rogue BS and therefore it is more possible to happen.
In the WiMax architecture, the main security threat is the device-level authentication mode. When this mode is utilized without certificate support, it is as vulnerable as MAC filtering and it can be exploited to launch MS or BS masquerading attacks. A less critical vulnerability is the DoS attack which can be launched by flooding authentication requests. This attack mostly affects the MS due to its limited processing resources, but it is not a major threat since it has a medium impact and a low motivation.
Confidentiality Evaluation
Wi-Fi includes some major vulnerabilities. It supports a null mode encryption which is configured as default in the majority of the commercial access points. WEP encryption can provide an elementary level of protection, but it is still too weak to keep the intruders out. WPA-PSK offers a satisfactory level of confidentiality, if long and complex keys are utilized. The ranking of the Wi-Fi confidentiality vulnerabilities is similar to authentication ranking, since both objectives are based on the same mechanisms.
UMTS incorporates strong encryption algorithms which have eliminated the deficiencies of its predecessor GSM. Nevertheless, the backwards compatibility with GSM can be exploited to compromise dual-band mobile devices by launching a man-in-the-middle attack. In this attack, the rogue BS can mandate the MS to use null mode encryption or one of the GSM encryption modes which can be easily broken (Biham & Dunkelman, 2000; Biryukov, Shamir, & Wagner, 2000). However, this is an unlikely attack since it requires the deployment of a BS and a prior successful launch of the IMSI hijack and AUTN capture attacks.
WiMax security architecture includes two main shortcomings. First of all, the DES encryption mode provides an inadequate level of confidentiality, since it can be easily broken. In addition, the eavesdropping of unencrypted management frames can be easily established, but it cannot greatly affect the system if robust authentication and integrity mechanisms have been deployed.
Integrity Evaluation
Wi-Fi supports null mode which leaves the messages totally unprotected against modification and replay attacks. WEP CRC-32 integrity mechanism provides a moderate level of protection, but there is no replay protection and the integrity protection can be overridden by an experienced attacker.
The UMTS architecture includes a major shortcoming, namely the inadequate replay protection of authentication tokens. This vulnerability can have a high impact since it allows the reuse of the token retrieved by an AUTN capture attack and the completion of the UMTS man-in-the-middle attack. However, it requires a prior successful launch of IMSI hijack and AUTN capture. Therefore it results in a high technical difficulty.
WiMax supports two modes that can greatly compromise information integrity. The first is the DES mode which does not support integrity and replay protection of data frames. The second is the null MAC mode for management frames, which can allow the intruder to inject modified management frames and affect the network operation.
Physical Layer Resilience Evaluation
The resilience of the physical layer of each technology is evaluated with respect to jamming and scrambling. Jamming is achieved by introducing a source of noise strong enough to significantly reduce the capacity of the channel. Scrambling is similar to jamming, but it takes place for short intervals of time and it is targeted to specific frames or parts of frames.
Wi-Fi comprises the three different specifications IEEE 802.11a/b/g which all utilize random medium access techniques but operate on different physical channels. IEEE 802.11a/g operate on a 5 MHz OFDM channel, whereas IEEE 802.11b operates on a 5 MHz DSSS channel. The DSSS is more resilient to narrowband jamming than OFDM and therefore jamming has a higher impact
on IEEE802.11a/g. However, if the attacker wants to jam all the channels, the attacker has to jam a bandwidth of 40 MHz, which is quite difficult. Scrambling is easier to launch because of the random medium access layer.
UMTS operates on two 5 MHz DSSS channels, one for the uplink and one for the downlink. It is resilient to narrowband jamming because of the DSSS modulation, but it is still vulnerable to scrambling because of the random access.
WiMax operates on a 1.25-20 MHz OFDM channel and it employs TDMA techniques. Thus, it can be vulnerable to jamming especially if it operates on a narrow channel, but it is resilient to scrambling due to the TDMA.
are much more secure, but the poor usability and the limited security awareness have constrained their wide deployment. UMTS proved to be quite robust by eliminating the security inefficiencies of its predecessor GSM. However, an attacker can still exploit some backward-compatibility issues to launch a man-in-the-middle attack. WiMax’s performance was not satisfactory enough mainly due to the provision of weak security modes. Nevertheless, the practical performance is greatly dependent on the actual security decisions of the network operators. These decisions vary according to the provided service requirements.
The IEEE 802.20 (or MBWA) Working Group was established in December 11, 2002, with the aim to develop a specification for an efficient packet-based air interface that is optimized for the transport of IP based services. The goal is to enable worldwide deployment of affordable, always-on, and interoperable BWA networks. The group will specify the lower layers of the air interface, operating in licensed bands below 3.5 GHz and enabling peak

Seamless convergence of heterogeneous wireless networks provides new security challenges for the research community. Global authentication architectures are needed which can operate independently of the wireless physical protocol. In addition, specifications are needed for maintaining the confidentiality and the integrity of the communication data while the user terminal is in a hand-off state. In this direction, a forum of mobile operators called fixed mobile convergence alliance (FMCA) is working on defining specifications for the convergence of heterogeneous networks in the context of all IP 4G wireless systems.

Security policy issues are:

• The use of lightweight and flexible authentication, authorization, account, and audit (AAAA) schemes,
• The use of Trusted Computing (Reid, Nieto, & Dawson, 2003), and
• Different security policies for different services are recommended for 4G systems (Zheng, He, Xu, & Tang, 2005a).

likelihood, impact, and risk. The methodology was applied on four evaluation axes: authentication, confidentiality, integrity, and physical layer resilience. According to the comparison results, Wi-Fi is more liable to security attacks, followed by WiMax and UMTS. However, WiMax has not been widely tested under real-world systems due to its recent release. More security vulnerabilities may therefore be discovered in the future. Finally, the security architecture of UMTS is quite robust because of the lessons learned from GSM, but it is still not invincible against an experienced attacker with the right equipment.
Borisov, N., Goldberg, I., & Wagner, D. (2001). Intercepting mobile communications: The insecurity of 802.11. In Proceedings of the 7th Annual International Conference on Mobile Computing and Networking, Rome, (pp. 180-189).

Edney, J., & Arbaugh, W. A. (2003). Real 802.11 security: Wi-Fi protected access and 802.11i (1st ed.). Addison-Wesley Professional.

ETSI. (2003). Technical specification ETSI TS 1 V41 5- 6 .1 . 1 .

Haverinen, H., & Salowey, J. (2004). Extensible authentication protocol method for GSM subscriber identity modules (EAP-SIM) (Internet draft [work in progress]). Internet Engineering Task Force.

IEEE. (2001). IEEE standards for local and metropolitan area networks: Standard for port based network access control. IEEE Std 802.1x-2001. Retrieved April 24, 2007, from http://standards.ieee.org/getieee802/download/802.1X-2001.pdf

IEEE-SA. (2006). IEEE 802.16 LAN/MAN broadband wireless LANS. IEEE standards 802.16. Retrieved April 24, 2007, from http://standards.ieee.org/getieee802/802.16.html

Kambourakis, G., Rouskas, A., & Gritzalis, S. (2004). Performance evaluation of public key-based authentication in future mobile communication systems. EURASIP Journal on Wireless Communications and Networking, 1, 184-197.

Lehtonen, S., Ahonen, P., Savola, R., Uusitalo, I., Karjalainen, K., Kuusela, E., et al. (2006, September). Information security in wireless networks. Ministry of Transport and Communication. Finland: LUOTI Publications. ISBN 952-201-783-3. Retrieved April 24, 2007, from http://www.luoti.fi/material/InfoSec_in_WNetworks_final.pdf

Lynn, M., & Baird, R. (2002). Advanced 802.11 attack. Paper presented at the Black Hat 2002 Conference, Las Vegas. Retrieved April 24, 2007, from http://www.blackhat.com/presentations/bh-usa-02/baird-lynn/bh-us-02-lynn-802.11attack.ppt

Meyer, U., & Wetzel, S. (2004a). On the impact of GSM encryption and man-in-the-middle attacks on the security of interoperating GSM/UMTS networks. In Proceedings of IEEE International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC2004).

Meyer, U., & Wetzel, S. (2004b). A man-in-the-middle attack on UMTS. In Proceedings of ACM Workshop on Wireless Security (WiSe 2004).

Ohrtman, F. (2005). WiMax handbook. Building 802.16 wireless networks. McGraw-Hill Communications.

Reid, J., Nieto, J., & Dawson, E. (2003). Privacy and trusted computing. In Proceedings of the 14th International Workshop on Database and Expert Systems Applications (pp. 383-388).

Stanley, D., Walker, J., & Aboba, B. (2005). Extensible authentication protocol (EAP) method requirements for wireless LANs (IETF RFC 4017).

Stubblefield, A., Ioannidis, J., & Rubin, A. (2002). Using the Fluhrer, Mantin, and Shamir attack to break WEP. Paper presented at the NDSS.

Van de Wiele, T. (2005). Wireless security: Risks and countermeasures (UNISKILL Whitepaper).

Welch, D. J., & Lathrop, S. D. (2003). A survey of 802.11a wireless security threats and security mechanisms (Tech. Rep. ITOC-TR-2003-101). United States Military Academy.

WiMax Forum. (2006). Mobile WiMax—Part I: A technical overview and performance evaluation. Retrieved April 24, 2007, from http://www.wimaxforum.org/home/

Zheng, Y., He, D., Xu, L., & Tang, X. (2005a). Security scheme for 4G wireless systems. In Proceedings of 2005 International Conference on Communications, Circuits and Systems (Vol. 1, pp. 397-401).

Zheng, Y., He, D., Yu, W., & Tang, X. (2005b). Trusted computing-based security architecture for 4G mobile networks. Paper presented at the Sixth International Conference on Parallel and Distributed Computing, Applications and Technologies PDCAT 2005 (pp. 251-255).
Chapter XLIX
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks

Sasan Adibi
University of Waterloo, Canada
Gordon B. Agnew
University of Waterloo, Canada

Abstract
Authentication is an important part of the authentication, authorization, and accounting (AAA) schemes, and the extensible authentication protocol (EAP) is a universally accepted framework for authentication commonly used in wireless networks and point-to-point protocol (PPP) connections. The main focus of this chapter is the technical details to examine how EAP is integrated into the architecture of next generation networks (NGN), such as in worldwide interoperability for microwave access (WiMAX), which is defined in the IEEE 802.16d and IEEE 802.16e standards, and in current wireless protocols, such as IEEE 802.11i. This focus includes an overview of the integration of EAP with IEEE 802.1x, remote authentication dial in user service (RADIUS), DIAMETER, and pair-wise master key version (2PKv2).
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
These integrations are often established with other security protocols and mechanisms, such as transport layer security (EAP-TLS), message digest 5 (EAP-MD5), privacy key management (PKM-EAP), and so forth.

The organization of the sections of this chapter is as follows: Section II will discuss details about the EAP-IEEE 802.1x interactions. Section III is dedicated to remote authentication dial in user service (RADIUS) and DIAMETER in the authentication/authorization schemes. Section IV talks about the IEEE 802.1x-EAP functions implemented in Wi-Fi (IEEE 802.11i) and introductions to EAP-MD5, lightweight extensible authentication protocol (LEAP), EAP-TLS (TTLS) and protected extensible authentication protocol (PEAP). Section V presents the PKMv2-EAP scheme in worldwide interoperability for microwave access (WiMAX) (IEEE 802.16) followed by section VI, which is a configured test bed for a WiMAX system. Sections VII and VIII contain conclusions and references respectively.

EAP and IEEE 802.1x

Based on RFC 3748 (Aboba, Blunk, Vollbrecht, Carlson, & Levkowetz, 2004), EAP runs on top of IEEE 802.1x (Figure 1), therefore 802.1x is the key issue to understanding the EAP. IEEE 802.1x offers a strong framework for authenticating and controlling user traffic for protecting networks. IEEE 802.1x also offers dynamically varying encryption keys. IEEE 802.1x uses EAP in both wired and wireless LANs and supports multiple authentication methods, such as Kerberos, one-time passwords, and public key certificates. Our main focus is on wireless technologies.

IEEE 802.1x initially starts the communications by an attempt to connect with an authenticator (i.e., an 802.16 or 802.11 access point [AP]) to authenticate an unauthenticated supplicant. The AP responds back by enabling a port for passing only EAP packets between the clients to the authentication server, which is usually located on the wired side of the AP. The AP blocks all other traffic (i.e., HTTP and dynamic host configuration protocol [DHCP] packets), until the AP (authenticator) is able to verify the client's identity using an authentication server (e.g., DIAMETER or RADIUS). Once authenticated, the AP opens the client's port for the rest of traffic types.

To better understand how 802.1x operates, the interactions mentioned in Table 1a usually happen between various 802.1x elements.

As shown in Figure 1, EAP is an important component of an 802.1x-based infrastructure. EAP improves the authentication scheme provided by the point-to-point protocol (PPP) (RFC 1661). EAP provides PPP with a generalized framework for
various types of authentication schemes (Chen & Wang, 2005). The 802.1x standard includes a definition of EAP encapsulation for Ethernet packages used over LANs, which is called EAP over LAN (EAPOL). Figure 2 (Leira, 2005) shows various layers of selective authentication and network type 802.1x.

There are three main components found in 802.1 X-based systems:

operates in the following fashion (Piscitello, 2005) (see Box 1).

Box 1.
# | Process Taking Place | Message Transmitted/State
1 | Supplicant tries to connect to the authenticator (AP) | 802.1x Associate Request
2 | Authenticator detects supplicant and enables client's port | Port set to Unauthorized
3 | Authenticator returns a response to supplicant and waits | 802.1x Associate Response
4 | Supplicant transmits a message to authenticator | EAP-START
5 | Authenticator replies a message to supplicant, asks for identity | EAP-REQUEST IDENTITY
6 | Supplicant provides its identity to authenticator | EAP-RESPONSE
7 | Authenticator forwards EAP-RESPONSE to authentication server | FORWARD EAP-RESPONSE
8 | Authentication server authenticate clients | Authenticates via EAP-TLS, LEAP
9 | If accepted by authentication server, signals to authenticator | ACCEPT
10 | If rejected by authentication server, signals to authenticator | REJECT
11 | If authenticator receives acceptation, responds to supplicant. Supplicant can use the wireless LAN | EAP SUCCESS. Port set to AUTHORIZED
12 | If authenticator receives rejection, responds to supplicant. Supplicant remain blocked from the wireless LAN | EAP FAILURE. Port state no change
13 | If client succeeded, authenticator passes global key to client | Global Key Passed
14 | When client terminates session, it logs off | EAP LOGOFF

In a true end-to-end secure wireless network, it is not only crucial that the authenticator and authentication server ensure user's legitimacy, but also the supplicant has to be confident that the authentication server and the authenticator are legitimate and not spoofing devices who try to
obtain the user name and password from the user. This scenario can be prevented by using a mutual authentication scheme where the authentication server and the authenticators also have to be authenticated by the supplicant. Examples of such mutual authentication schemes are used in TLS, tunneled TTLS (TTLS), LEAP, and PEAP.

IEEE 802.1x also provides a framework to reduce or eliminate the danger of session hijacking and man-in-the-middle (MITM) attacks, however it requires that the right type of authentication (mutual authentication) be used. Secure authentication does not yet imply secure communication. A strong encryption method is required to ensure data confidentiality. EAP enables the usage of different types of encryption with dynamic key distribution techniques.

RADIUS and DIAMETER

Both RADIUS (Hill, 2001) and DIAMETER (Calhoun, Loughney, Guttman, Zorn, & Arkko, 2003) are authentication, authorization, and accounting (AAA) protocols for applications and mechanisms used in network access or Internet protocol (IP) mobility. They are intended to work in both local and roaming situations.

Many applications running through ISPs using modems, DSL, cable, or wireless connections require some sort of user name/password for access permission. This information is usually transmitted to a RADIUS server, over a network access server (NAS) device using the point-to-point protocol (PPP) and the RADIUS protocol. The RADIUS server verifies that the information is correct. This is done using authentication schemes, such as, password authentication protocol (PAP), challenge handshake authentication protocol (CHAP), or EAP. If authentication and authorization are accepted, then the server will authorize access to the ISP network and select an IP address and other access control parameters (L2TP parameters). The RADIUS server is also notified of any session start-stop for related accounting, billing, and other statistical issues. RADIUS is an extensible
protocol in which most RADIUS vendors have their own hardware and software implementations.

The DIAMETER protocol is proposed to replace RADIUS and it is designed to be backward compatible in most cases. The main differences between DIAMETER and RADIUS protocols are listed in Box 2.

The message format and the authentication flows in DIAMETER EAP applications are given in Figures 4 and 5.

Applying RADIUS to Wireless LANs

In wireless-based networks that use 802.1x port access control, the wireless station is a remote user and the wireless AP behaves as the network access server (NAS) (Phifer, L., 2003). The IEEE 802.11-based protocols (a, b, or g) are used to associate the wireless stations to the wireless APs.

Once the client is associated, it transmits an EAP-Start message to the AP. The AP sends a request to the wireless station, asking for its identity and relays the message to an AAA server using a RADIUS-based access-request user name message.

As expected, through the AP, the wireless station and the AAA server establish the authentication process by exchanging RADIUS access-challenge and access-request messages. According to the specific EAP type, an encrypted TLS tunnel could be used to convey the messages inside of the tunnel.

If an access-accept message is sent by the AAA server, the wireless station and the AP establish a handshake. This generates session keys that are used by either temporal key integrity protocol (TKIP) or wired equivalence privacy (WEP) to encrypt data. At this point, the port is unblocked by the AP and the wireless station is able to send and receive data to and from the attached LAN. If an access-reject message is sent by the AAA server, the client will be disassociated by the AP.
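The exchange in Box 1 and the RADIUS relay described above can be modelled as a controlled port that passes only EAPOL frames until the AAA server accepts the supplicant. The following Python example is added here and is not code from the chapter; the `Authenticator` class, the `aaa_decide` callback and the sample frames are constructed for illustration, and the method-specific challenge rounds (EAP-TLS, PEAP and so on) and key delivery are collapsed into a single accept/reject decision.

```python
import struct

ETH_EAPOL = 0x888E   # EtherType of EAP over LAN (EAPOL)
ETH_IPV4 = 0x0800    # stands in for HTTP, DHCP and other data traffic

EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2             # EAPOL packet types
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4  # RFC 3748 codes
EAP_TYPE_IDENTITY = 1
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3                               # RADIUS codes (RFC 2865)


def eapol(ptype, body=b""):
    """EAPOL frame body: version(1) | packet type(1) | length(2) | payload."""
    return struct.pack("!BBH", 1, ptype, len(body)) + body


def eap(code, ident, eap_type=None, data=b""):
    """EAP packet: code(1) | identifier(1) | length(2) | [type(1) | data]."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


class Authenticator:
    """Access point with one controlled port, relaying EAP to an AAA server."""

    def __init__(self, aaa_decide):
        self.aaa_decide = aaa_decide   # hypothetical callback: identity -> RADIUS code
        self.authorized = False        # Box 1 step 2: port starts Unauthorized
        self.pending_id = None         # identifier of the outstanding EAP-Request
        self.dropped = 0               # data frames blocked before authentication

    def receive(self, ethertype, payload):
        """Process one frame from the supplicant; return (action, reply_bytes)."""
        if ethertype != ETH_EAPOL:
            if self.authorized:
                return ("forward", payload)
            self.dropped += 1          # HTTP, DHCP, ... stay blocked
            return ("drop", b"")
        if len(payload) < 4:
            return ("drop", b"")
        _ver, ptype, length = struct.unpack("!BBH", payload[:4])
        body = payload[4:4 + length]
        if len(body) != length:
            return ("drop", b"")       # truncated frame
        if ptype == EAPOL_START:       # steps 4-5: ask for the identity
            self.authorized = False
            self.pending_id = 1
            request = eap(EAP_REQUEST, self.pending_id, EAP_TYPE_IDENTITY)
            return ("eap-request-identity", eapol(EAPOL_EAP_PACKET, request))
        if ptype == EAPOL_LOGOFF:      # step 14: close the port again
            self.authorized = False
            self.pending_id = None
            return ("logoff", b"")
        if ptype == EAPOL_EAP_PACKET:
            return self._handle_eap(body)
        return ("drop", b"")

    def _handle_eap(self, pkt):
        if len(pkt) < 4:
            return ("drop", b"")
        code, ident, length = struct.unpack("!BBH", pkt[:4])
        # Only a Response matching the outstanding Request is relayed; a
        # Success packet sent by the supplicant side must never open the port.
        if code != EAP_RESPONSE or ident != self.pending_id or length != len(pkt):
            return ("drop", b"")
        if length < 5 or pkt[4] != EAP_TYPE_IDENTITY:
            return ("drop", b"")
        identity = pkt[5:].decode("utf-8", "replace")
        self.pending_id = None
        verdict = self.aaa_decide(identity)        # steps 7-10
        if verdict == ACCESS_ACCEPT:               # step 11
            self.authorized = True
            return ("eap-success", eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS, ident)))
        self.authorized = False                    # step 12: anything else fails closed
        return ("eap-failure", eapol(EAPOL_EAP_PACKET, eap(EAP_FAILURE, ident)))


def run_session(identity, accounts):
    """Drive the Box 1 sequence for one supplicant; return the list of actions."""
    ap = Authenticator(lambda who: ACCESS_ACCEPT if who in accounts else ACCESS_REJECT)
    frames = [  # constructed sample traffic
        (ETH_IPV4, b"DHCPDISCOVER"),                                # sent too early
        (ETH_EAPOL, eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS, 1))),  # spoofed success
        (ETH_EAPOL, eapol(EAPOL_START)),
        (ETH_EAPOL, eapol(EAPOL_EAP_PACKET,
                          eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity.encode()))),
        (ETH_IPV4, b"GET / HTTP/1.1"),
        (ETH_EAPOL, eapol(EAPOL_LOGOFF)),
        (ETH_IPV4, b"GET / HTTP/1.1"),
    ]
    return [ap.receive(etype, data)[0] for etype, data in frames]
```

Calling `run_session("alice", {"alice"})` shows data frames dropped until EAP Success, forwarded while the port is authorized, and dropped again after logoff.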
Box 2.
# | DIAMETER uses: | RADIUS uses:
1 | Reliable transport protocol (TCP or stream control transmission protocol [SCTP]) | Uses an unreliable transport protocol (UDP)
2 | End-to-end transport level security protocols (IPSec or TLS) | End-users, such as, CHAP and PAP
3 | Transition support for RADIUS | No direct compatibility with DIAMETER
4 | Large address space for AVPs (attribute value pairs) – 32 bits | Smaller address space – 8 bits
5 | A peer-to-peer protocol scheme. Server-initiated messages support | Client-server protocol scheme. Request/response scheme only
6 | Both stateful and stateless models | Only a stateless model
7 | DNS (dynamic name system), SRV (generalized service location), and NAPTR (naming authority pointer), for dynamic discovery of peers | Static Discovery agents
8 | Capability Negotiation (version, applications, etc) | No such built-in capability
9 | Application layer acknowledgements and built-in Failover (device-watchdog request/device-watchdog answer [DWR/DWA]) | No such failover mechanism
10 | Error notification | No such notification
11 | Better roaming support | Average support for fixed and roaming users
12 | Better extended command and attributes | Average command and attributes
13 | Better Mobile-IP supports and stronger security | Average security options
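Row 4 of Box 2 is visible on the wire: a RADIUS attribute has an 8-bit type and an 8-bit length, so a large EAP packet has to be split across several EAP-Message attributes, while a Diameter AVP has a 32-bit code and a 24-bit length. The following Python example is added here and is not from the chapter; the 1,200-byte EAP-TLS fragment is constructed sample data, and the attribute numbers (EAP-Message 79, EAP-Payload 462) come from RFC 3579 and RFC 4072, not from this page.

```python
import struct

RADIUS_EAP_MESSAGE = 79     # RADIUS attribute type for EAP (RFC 3579)
RADIUS_MAX_VALUE = 253      # 8-bit length covers type + length + value: 255 - 2
DIAMETER_EAP_PAYLOAD = 462  # Diameter AVP code for EAP (RFC 4072)
AVP_FLAG_VENDOR = 0x80      # V bit: a 4-byte Vendor-ID follows the header
AVP_FLAG_MANDATORY = 0x40   # M bit


def radius_encode_eap(eap_packet):
    """Split one EAP packet over as many EAP-Message attributes as needed."""
    out = b""
    for off in range(0, len(eap_packet), RADIUS_MAX_VALUE):
        chunk = eap_packet[off:off + RADIUS_MAX_VALUE]
        out += struct.pack("!BB", RADIUS_EAP_MESSAGE, len(chunk) + 2) + chunk
    return out


def radius_decode_eap(attrs):
    """Walk type(1) | length(1) | value attributes; return (EAP attr count, EAP)."""
    pos, eap_packet, count = 0, b"", 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("attribute length out of bounds")
        if atype == RADIUS_EAP_MESSAGE:
            eap_packet += attrs[pos + 2:pos + alen]  # concatenated in order
            count += 1
        pos += alen
    return count, eap_packet


def diameter_encode_avp(code, data, flags=AVP_FLAG_MANDATORY):
    """AVP: code(4) | flags(1) | length(3) | data, padded to a 4-byte boundary."""
    length = 8 + len(data)
    if length >= 1 << 24:
        raise ValueError("data does not fit the 24-bit AVP length")
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)


def diameter_decode_avps(avps):
    """Return {avp_code: data} for a run of AVPs, checking every length field."""
    pos, found = 0, {}
    while pos < len(avps):
        if len(avps) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", avps[pos:pos + 5])
        length = int.from_bytes(avps[pos + 5:pos + 8], "big")
        header_len = 12 if flags & AVP_FLAG_VENDOR else 8
        if length < header_len or pos + length > len(avps):
            raise ValueError("AVP length out of bounds")
        found[code] = avps[pos + header_len:pos + length]
        pos += length + (-length % 4)   # skip padding to the next AVP
    return found


def constructed_eap_tls_fragment(total_len=1200):
    """Constructed sample: EAP-Response, type 13 (EAP-TLS), zero filler as payload."""
    body = bytes([13]) + bytes(total_len - 5)
    return struct.pack("!BBH", 2, 7, total_len) + body


def compare(eap_packet):
    """Encode the same EAP packet both ways and report what each format needs."""
    radius = radius_encode_eap(eap_packet)
    diameter = diameter_encode_avp(DIAMETER_EAP_PAYLOAD, eap_packet)
    count, rebuilt = radius_decode_eap(radius)
    decoded = diameter_decode_avps(diameter)
    return {
        "radius_attributes": count,
        "radius_bytes": len(radius),
        "diameter_avps": len(decoded),
        "diameter_bytes": len(diameter),
        "roundtrip_ok": rebuilt == eap_packet
                        and decoded[DIAMETER_EAP_PAYLOAD] == eap_packet,
    }
```

Both decoders reject attributes whose length field points past the end of the buffer, which is the check a parser for either protocol needs before trusting a relayed EAP payload.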
Figure 4. DIAMETER message format (Adapted from Wu, Chen, Chen, & Fan, 2005)
Figure 5. Authentication flows in diameter EAP applications (Adapted from Wu, Chen, Chen, & Fan, 2005)
ping are relatively very low. Therefore for wireless 802.1x authentication schemes, stronger and more robust EAP authentication protocols should be deployed.

EAP with transport layer security (EAP-TLS): EAP-TLS is discussed in RFC 2716, which is the only secured standard option (along with EAP-TTLS) designed for wireless LANs. EAP-TLS mandates a procedure in which the station and the RADIUS server are both required to prove their identities using public key cryptography (i.e., security tokens, smart-cards, or digital certificates). This procedure is secured by an encrypted TLS tunnel, which makes EAP-TLS very resilient against dictionary, man-in-the-middle, and other types of attacks. However, the station's identity, which is the name attached to the certificate, can still be sniffed through eavesdropping. EAP-TLS is a very attractive candidate for large enterprises, which only use Windows (2000/2003/XP)-based applications with deployed certificates. EAP-TLS provides strong security schemes by requiring both client and authentication server (mutual authentication) to be authenticated and authorized by using PKI certificates. This works well within 802.1x authentication schemes as the TLS tunnel between the client and the authentication server protects the EAP messages from sniffing and eavesdropping. The only notable drawback of EAP-TLS is the requirement of PKI certificates on both sides (clients and authentication servers). This causes complications in roll-out and maintenance procedures and increases the amount of overhead to establish a secure link as certificates can be quite large. Figure 6 shows the EAP-TLS message flow.

EAP with tunnelled TLS (EAP-TTLS): EAP-TTLS is an extension of EAP-TLS, which provides the benefits of a strong encryption scheme without the complexity of mutual certificates on both sides (client and authentication server). Similar to the EAP-TLS scheme, EAP-TTLS scheme supports mutual authentication, however it only requires the authentication server to be validated to the client using a certificate exchange. EAP-TTLS allows the client to be authenticated by the authentication server through a user name/password process and only requires a certificate used by the authentication server. EAP-TTLS simplifies the rollout and maintenance procedures while retaining strong security and relatively strong authentication scheme. A TLS tunnel is used for protecting EAP messages and for reusing existing user credential services for 802.1x authentication, such as RADIUS, active directory, and LDAP. EAP-TTLS also provides backward compatibility for other authentication protocols, such as, PAP, CHAP, MS-CHAP, and MS-CHAP-V2. If TLS tunnels are not used, EAP-TTLS is not considered secure and can be fooled into revealing identity credentials. EAP-TTLS is most suitable for infrastructures that require strong authentication without mandating the use of mutual certificates. Wireless 802.1x authentication schemes usually support EAP-TTLS.

Protected EAP (PEAP): PEAP is an Internet-draft (still not an RFC), which is similar to EAP-TTLS in terms of supporting mutual authentication. PEAP is currently being supported by Cisco Systems, RSA Data Security Inc., and Microsoft. PEAP is an authentication protocol alternative to EAP-TTLS, which overcomes EAP weaknesses through:

a. Protecting user credentials
b. Securing EAP negotiation flows
c. Standardizing key exchange flows
d. Supporting fragmentation and reassembly procedures
e. Supporting fast reconnects

PEAP allows the utilization of other EAP-based authentication protocols and securing the transmission through utilizing a TLS encrypted tunnel. PEAP relies on the TLS keying method for the key creation and exchange mechanisms. The PEAP client is authenticated directly with the back-end authentication server. The authenticator acts as a pass-through device, which does not require much processing power or manipulation and needs little understanding of the EAP authentication protocol mechanism. Unlike EAP-TTLS, PEAP does not support inherent username and password authentication against an existing user (unlike LDAP). To support this, every specific vendor has its own feature built on top of the protocol. PEAP is most suitable for infrastructures, which require strong authentication without the use of mutual certificates, similar to EAP-TTLS. Wireless 802.1x authentication schemes usually support PEAP.

Cisco's lightweight EAP (LEAP): LEAP goes beyond EAP-MD5 in addressing the security issues of wireless networks by delivering the keys used for WLAN encryption and requiring mutual authentication. Mutual authentication reduces the risk of an attacker posing as an AP (MITM attack). However, station identities and passwords remain vulnerable to dictionary sniffing attacks. LEAP is mostly used when Cisco-based APs and cards are involved. LEAP mandates mutual authentication between the client and the authenticator. The client first has to authenticate itself to the authenticator and then the authenticator should authenticate itself to the client. If the two authentication procedures are done successfully, a network connection is granted. Unlike EAP-TLS, LEAP is username/password-based and is not based on PKI certificates. This simplifies roll-out and maintenance procedures. Being proprietary to Cisco is one of the drawbacks of LEAP, which is the reason it has not been widely adopted by other networking vendors. LEAP is most suitable for wireless scenarios that support Cisco APs and LEAP compliant wireless NIC cards.

EAP-SIM: The EAP method for global system for mobile communications (GSM) subscriber identity module (SIM), or EAP-SIM, is an EAP-based mechanism used for authentication and session key distribution, which is used in the GSM-SIM. EAP-SIM is described in RFC 4186.

Tables 1b and 2 show summaries and comparisons between all mentioned EAP-based protocols.

Depending on the specific EAP authentication protocol used, IEEE 802.1x authentication protocol can help to solve the following security issues (Kwan, 2003):

• Dictionary attack: In this type of attack, the attacker obtains the challenge/response message exchange from a password authentication session and uses a brute force mechanism to find the password. IEEE 802.1x solves this type of attack by using TLS-based tunnels for protecting credential exchanges among authenticator and supplicant.
• Session hijack: In this attack, the attacker is able to sniff the packets passed between the client and the authenticator and to recover the client's identity information. This pushes the “legitimate” client out of the scope through a form of denial-of-service (DoS) attack and impersonates the client to continue the conversation with the authenticator (DoS and session hijacking). IEEE 802.1x can thwart the session hijacking through its ability to securely authenticate with dynamic session-based keys.
• Man-in-the-middle: The MITM attack happens in one-way authentication or unbalanced schemes, where the attacker obtains the necessary information from the client and/or
Table 1b. Comparison between different EAP methods in terms of client/server strength (Adapted from Phifer, 2003)
Table 2. Comparison among various EAP methods in terms of wireless security strength (Adapted from “What are Your EAP Authentication Options?,” 2005)
ance. WPA2 is a requirement for Wi-Fi compliance from 2006.

EAP Method Requirements for Wireless LANs

RFC 4017 (Stanley, Walker, & Aboba, 2005) specifies the requirements for EAP methods used in IEEE 802.11-based systems, which use IEEE 802.11i for authentication and authorization. This in turn could be applied to IEEE 802.16 as well. 802.11i MAC security enhancements make use of both IEEE 802.1x and EAP. Today's deployments of IEEE 802.11 wireless LANs are based on EAP, integrated with several EAP methods, namely: EAP-TLS, EAP-TTLS, PEAP, and EAP-SIM, which were discussed before. These methods support authentication credentials, including digital certificates, secure tokens, usernames/passwords, and SIM secrets.

IEEE 802.11i specifies the usage of EAP for both authentication and key exchange among the EAP peers and servers. RFC 3748 (RFC 3748 - EAP) outlines the EAP usage within IEEE 802.11i, which is subject to threats, given that WLAN provides ready access to any attacker within range.

The following four components are integral parts of IEEE 802.11i specifications (“IEEE 802.11i: WLAN Security Standards,” 2006):

• Temporal key integrity protocol (TKIP): TKIP is a protocol which uses an RC4 cipher for encryption of data and deals with confidentiality of data. TKIP improves the security weaknesses of WEP. It uses a message integrity code, called “TKIP-Michael algorithm,” which authenticates end devices for legitimacy. TKIP utilizes a mixing function to overcome weak-key and brute-force attacks. TKIP is used in 802.11i during two phases:
  ° First phase: In the first phase, TKIP is used together with an improved message integrity check (MIC). This is to stop data manipulation.
  ° Second phase: In the second phase, TKIP and MIC are replaced with counter with cipher block chaining message authentication code (CCMP). CCMP uses the AES encryption scheme.
  TKIP offers three advantages over WEP:
    Longer initialization vector (IV), which minimizes the chance of session key reuse
    Key hashing, which results in a different key used for each data packet
    MIC, which ensures that the message is not altered during the communication between sender and receiver
• Counter-mode/CBC-MAC protocol (CCMP): CCMP is similar to TKIP, in which it deals with the confidentiality of data, as well as authentication and encryption. One of the differences between CCMP and TKIP is the fact that CCMP uses AES in counter mode for data confidentiality. The other difference is the usage of cipher block chaining message authentication code (CBC-MAC) for authentication and integrity. In the architecture of 802.11i, CCMP uses a 128-bit key scheme. CCMP provides protections for some fields, which are not encrypted, through a mechanism called additional authentication data (AAD). AAD protection includes a scheme which prevents attackers from replaying packets to various destinations.
• IEEE 802.1x: IEEE 802.11i is a wireless implementation of 802.1x, which offers an effective framework to authenticate and control user traffic and also offers dynamically varying encryption keys. Through this component (802.1x), 802.11i is able to get tied to EAP.
• EAP encapsulation over LANs (EAPOL): As discussed in Figure 2, EAP layer covers EAPOL, which is a key protocol in IEEE 802.1x for key exchange. Two main schemes covered in the EAPOL-key exchanges are defined in IEEE 802.11i, which are the 4-way handshake and the group key handshake.
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
PkMv2-EAP scHEME In wIMAx the IEEE 802.16 standard; PKM version 1 (PKMv1)
(IEEE 802.16) and PKM version 2 (PKMv2). PKMv1, which is
a one-way authentication method, is proven to be
WiMAX (IEEE 802.16) stands for worldwide prone to variety of attacks and is not covered in
interoperability for microwave access, which is this chapter. PKM supports two authentication
maintained by the WiMAX Forum. WiMAX has protocol mechanisms:
similarities with Wi-Fi; however it claims to achieve
higher bandwidth (up to 70 Mbps) over a 70 mile . 1 RSApublickey-basedcertificates,mandatory
(+110 km) range, which outperforms Wi-Fi. There in all devices
are also some similarities between the security 2. EAP
schemes between WMAX’s and IEEE 802.11i.
In this section, the security mechanisms for WiMAX are described. For an end-to-end authentication scheme, WiMAX uses extensible authentication protocol with privacy key management (EAP-PKM), which relies on the transport layer security (TLS) standard and public key cryptography (“WiMAX Technology,” 2005). PKM is a protocol that uses the Rivest, Shamir, and Adleman (RSA) public-key scheme, X.509 digital certificates, and a strong encryption scheme for the subscriber station (SS)-base station (BS) interactions. There are two PKM protocols supported in

Authorization via PKM RSA Authentication Protocol

Figure 7 shows the authorization and authentication processes of PKMv2 protocol using a request/grant access method. For an SS (PKM client) to have access to the BS network, the PKM server has to authorize the connection, and the SS also needs to authenticate the BS; after that, the SS will have security features enabled. Once the SS associates with the BS, the SS shares a private encryption key with the BS and communication between the BS and SS can be initiated using encrypted messages.

Figure 7. PKMv2 authentication and authorization process (Adapted from Adibi, Bin, Ho, Agnew, & Erfani, 2006)

Authorization via PKM Extensible Authentication Protocol

After the SS is associated to the BS, the EAP authorization procedure starts. Figure 8 shows the EAP authorization and authentication flow steps:

Figure 8. 802.16e EAP authentication process (Adapted from Adibi et al., 2006)

Security Analysis of WiMAX Authentication

The EAP-PKM is intended to secure WiMAX clients and servers in a more robust way. The following list summarizes the strength of EAP-PKM:

1. PKMv2 supports mutual authentication, which can prevent man-in-the-middle attacks.
2. The X.509 digital certificate issued for each SS is unique and cannot be easily forged.
3. Each service has a unique security association identifier (SAID); therefore, if one service is compromised, the other services are not affected.
4. The limited lifetime of authorization key (AK) provides key-refresh and periodic reauthorization, which prevents attackers from gathering enough data to launch cryptanalysis.
5. To correct replay attacks, it is recommended to add a random value transmitted from BS and SS for SA authorization.
6. WiMAX security supports two strong encryption algorithms: triple data encryption standard (3DES) and AES, which are considered leading edge (AES in particular).
7. The ability of an SS to cache or transfer the master key to avoid a full reauthentication procedure.
8. EAP-PKM relies on the TLS standard that is based on public key cryptography, which is costly for some wireless vendors. Therefore, a high performance security processor is dedicated to BS in WiMAX, which enables the implementation of a complicated authentication system in WiMAX.

In this section, WiMAX-based authentication using EAP-TLS and EAP-PKM was presented. This included the PKMv2 handshaking schemes. It is believed that WiMAX possesses more extensive security power compared to the ones in Wi-Fi, which in turn will favor WiMAX in the comparative market share.
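An added example, not taken from the chapter or from the IEEE 802.16e specification: a simplified Python model of strengths 1, 4, and 5 in the list above (mutual authentication, limited AK lifetime, and random values from both sides against replay). The class names, message layout, AK derivation, and AK_LIFETIME_S value are assumptions made for illustration, and an HMAC over a shared credential stands in for the X.509/RSA signatures.

```python
import hashlib
import hmac
import os

AK_LIFETIME_S = 3600  # constructed lifetime for the demo, not a value from the standard


def sign(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields; stands in for an RSA signature."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()


class BaseStation:
    def __init__(self, credential: bytes):
        self.credential = credential  # stands in for validating the SS certificate
        self.pending = {}             # bs_random -> (ss_random, said)
        self.aks = {}                 # said -> (ak, expiry time)

    def handle_request(self, ss_random: bytes, said: bytes, tag: bytes):
        if not hmac.compare_digest(tag, sign(self.credential, b"req", ss_random, said)):
            raise PermissionError("SS not authenticated")
        bs_random = os.urandom(16)    # fresh random value from the BS (item 5)
        self.pending[bs_random] = (ss_random, said)
        life = AK_LIFETIME_S.to_bytes(4, "big")
        return bs_random, life, sign(self.credential, b"rep", ss_random, bs_random, said, life)

    def handle_ack(self, bs_random: bytes, tag: bytes, now: float) -> bytes:
        if bs_random not in self.pending:
            raise PermissionError("unknown or already used BS random value")
        ss_random, said = self.pending[bs_random]
        if not hmac.compare_digest(tag, sign(self.credential, b"ack", ss_random, bs_random, said)):
            raise PermissionError("bad acknowledgement")
        del self.pending[bs_random]   # one use only: a recorded ack cannot be replayed
        ak = sign(self.credential, b"ak", ss_random, bs_random, said)  # simplified derivation
        self.aks[said] = (ak, now + AK_LIFETIME_S)
        return ak

    def ak_valid(self, said: bytes, now: float) -> bool:
        """Item 4: after the lifetime the SS must reauthorize to get a new AK."""
        return said in self.aks and now < self.aks[said][1]


class SubscriberStation:
    def __init__(self, credential: bytes, said: bytes):
        self.credential, self.said = credential, said
        self.ss_random = self.ak = None

    def build_request(self):
        self.ss_random = os.urandom(16)  # fresh random value from the SS (item 5)
        return self.ss_random, self.said, sign(self.credential, b"req", self.ss_random, self.said)

    def handle_reply(self, bs_random: bytes, life: bytes, tag: bytes):
        # Item 1: the SS authenticates the BS; the tag also binds the reply to this ss_random
        want = sign(self.credential, b"rep", self.ss_random, bs_random, self.said, life)
        if not hmac.compare_digest(tag, want):
            raise PermissionError("BS not authenticated, or reply is not for this request")
        self.ak = sign(self.credential, b"ak", self.ss_random, bs_random, self.said)
        return bs_random, sign(self.credential, b"ack", self.ss_random, bs_random, self.said)


def rejected(call, *args, **kwargs) -> bool:
    """True when the call is refused with PermissionError."""
    try:
        call(*args, **kwargs)
    except PermissionError:
        return True
    return False


def run_demo() -> dict:
    cred = os.urandom(32)  # constructed shared credential
    bs, ss = BaseStation(cred), SubscriberStation(cred, b"\x00\x01")
    t0 = 1000.0
    reply = bs.handle_request(*ss.build_request())
    ack = ss.handle_reply(*reply)
    out = {"keys_match": bs.handle_ack(*ack, now=t0) == ss.ak}
    out["ack_replay_rejected"] = rejected(bs.handle_ack, *ack, now=t0 + 1)
    ss.build_request()  # new session, new ss_random
    out["reply_replay_rejected"] = rejected(ss.handle_reply, *reply)
    forged = (reply[0], reply[1], sign(os.urandom(32), b"rep"))  # tag made with a wrong key
    out["rogue_bs_rejected"] = rejected(ss.handle_reply, *forged)
    out["valid_inside_lifetime"] = bs.ak_valid(ss.said, t0 + AK_LIFETIME_S - 1)
    out["valid_after_lifetime"] = bs.ak_valid(ss.said, t0 + AK_LIFETIME_S)
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```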
Extensible Authentication (EAP) Protocol Integrations in the Next Generation Cellular Networks
Yan Zhang received the PhD degree in School of Electrical & Electronics Engineering, Nanyang
Technological University, Singapore. From August 2004 to May 2006, he worked with the National
Institute of Information and Communications Technology (NICT), Singapore. Since August 2006, he
has worked with Simula Research Laboratory, Norway (http://www.simula.no/). He is on the editorial
board of the International Journal of Network Security. He is currently serving as the Book Series Edi-
tor for the book series, Wireless Networks and Mobile Communications (Auerbach Publications, CRC
Press, Taylor, and Francis Group). He is serving as co-editor for several books: Resource, Mobility and
Security Management in Wireless Networks and Mobile Communications; Wireless Mesh Networking:
Architectures, Protocols and Standards; Millimeter-Wave Technology in Wireless PAN, LAN and MAN;
Distributed Antenna Systems: Open Architecture for Future Wireless Communications; Security in
Wireless Mesh Networks; Mobile WiMAX: Toward Broadband Wireless Metropolitan Area Networks;
Wireless Quality-of-Service: Techniques, Standards and Applications; Broadband Mobile Multimedia:
Techniques and Applications; Internet of Things: From RFID to the Next-Generation Pervasive Net-
worked Systems; Unlicensed Mobile Access Technology: Protocols, Architectures, Security, Standards
and Applications; Cooperative Wireless Communications; WiMAX Network Planning and Optimiza-
tion; RFID Security: Techniques, Protocols and System-On-Chip Design; Autonomic Computing and
Networking; Security in RFID and Sensor Networks; and Handbook of Research on Wireless Security.
He serves as industrial co-chair for MobiHoc 2008, program co-chair for UIC-08, general co-chair
for CoNET 2007, general co-chair for WAMSNet 2007, workshop co-chair FGCN 2007, program vice
co-chair for IEEE ISM 2007, publicity co-chair for UIC-07, publication chair for IEEE ISWCS 2007,
program co-chair for IEEE PCAC’07, special track co-chair for “Mobility and Resource Management in
Wireless/Mobile Networks” in ITNG 2007, special session co-organizer for “Wireless Mesh Networks”
in PDCS 2006, and he is a member of the Technical Program Committee for numerous international conferences,
including CCNC, AINA, GLOBECOM, ISWCS, ICC, and so forth. He received the Best Paper
Award and Outstanding Service Award as Symposium Chair in the IEEE 21st International Conference
on Advanced Information Networking and Applications (AINA-07). His research interests include
resource, mobility, energy, and security management in wireless networks and mobile computing. He
is a member of IEEE and IEEE ComSoc.
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
About the Contributors
Jun Zheng received the BS and MS degrees in electrical engineering from Chongqing University,
China, in 1993 and 1996, respectively, the MSE degree in biomedical engineering from Wright State University,
Dayton, Ohio, in 2001, and the PhD degree in computer engineering from University of Nevada, Las
Vegas in 2005. Currently he is an assistant professor in the Department of Computer Science at Queens
College of The City University of New York. He is also a member of the faculty of the doctoral program
in computer science at the Graduate School and University Center of The City University of New York.
He is the co-editor for two books: Security in Wireless Mesh Networks and Handbook of Research on
Wireless Security. He served as general co-chair for WAMSNet-07, track co-chair for ITNG 2007, and
session co-organizer for PDCS 2006. He also served as TPC member for several international confer-
ences. His research interests are mobility and resource management in wireless and mobile networks,
media access control, performance evaluation, network security, computer architectures, fault-tolerant
computing, and image processing. He is member of IEEE.
Miao Ma received the BEng. and MEng. degrees in electrical engineering from Harbin Institute
of Technology, China, respectively, and the PhD degree in electrical and electronic engineering from
Nanyang Technological University (NTU), Singapore. From August 2002 to December 2006, she worked
at the Institute for Infocomm Research (I2R), Singapore. Since January 2007, she has been working
at the Hong Kong University of Science and Technology (HKUST). She is a member of IEEE. Her
research interests include media access control, cognitive radio, security, wireless communications,
and networking.
* * * * *
Gordon B. Agnew received his BASc and PhD in electrical engineering from the University of Wa-
terloo in 1978 and 1982, respectively. He joined the Department of Electrical and Computer Engineering
at the University of Waterloo in 1982. In 1984, he was a visiting professor at the Swiss Federal Institute
of Technology in Zurich where he started his work on cryptography. Dr. Agnew’s areas of expertise
include cryptography, data security, protocols and protocol analysis, electronic commerce systems,
high-speed networks, wireless systems, and computer architecture. He has taught many university
courses and industry sponsored short courses in these areas as well as having authored many articles.
In 1985, he joined the Data Encryption Group at the University of Waterloo. The work of this group led
to significant advances in the area of public key cryptographic systems including the de
practical implementation of elliptic curve-based cryptosystems. Dr. Agnew is a member of the Institute
for Electrical and Electronics Engineers, a foundation fellow of the Institute for Combinatorics and its
Applications, and a registered professional engineer in the Province of Ontario. Dr. Agnew has provided
consulting services to the banking, communications, and government sectors. He is also a co-founder
of CERTICOM Corp., a world leader in public key cryptosystem technologies.
Sheikh Iqbal Ahamed is an assistant professor in the Department of Mathematics, Statistics, and
Computer Science at Marquette University and director of the Ubicomp Research Lab. His research
focuses on pervasive security, trust, and privacy for pervasive computing. He received the PhD in com-
puter science from Arizona State University and the BS from the Bangladesh University of Engineering
and Technology.
Christer Andersson is a doctoral student at Karlstad University, Sweden, and his main research topic
is designing and evaluating technologies for anonymous communication in mobile networks. He has
proposed anonymity technologies for both infrastructured and infrastructureless mobile networks. He is
furthermore interested in measuring the degree of anonymity and performance in mobile networks, as
well as finding an appropriate trade-off between anonymity and performance. He holds a Lice
engineering degree from Karlstad University (2005), and a Master Degree in computer science (2002)
from Linköping University, Sweden.
AbdelBaset M.H. Awawdeh received the BEng degree in industrial automation engineering from
Palestine Polytechnic University in 1999 and the MSE and PhD degrees in electronics engineering from
Alcala University in 2004. From 1999 to 2000 he joined the Department of Electrical and Computer
Engineering at Palestine Polytechnic University, Palestine. Since 2004, he has held a researcher position
in the Department of Electronics at University of Alcala, Spain. His technical interests include multiagent
system interaction and design, vehicles on-board electronics, and vehicles fault diagnosis system.
Mohamad Badra is employed by the CNRS (National Center for Scientific Research, France)
researching wireless networks security. Badra performs his research activities at the LIMOS Labora-
tory - UMR6158, University Blaise Pascal. He was a postdoctoral fellow at the Computer Science and
Networks Department, ENST-Paris. His research interests include key exchange, wireless security,
public-key infrastructures, smart cards, and security algorithms. Badra received a PhD in networks and
computer sciences from ENST-Paris. He is a member of the IEEE and of ESRGroups.
Sungmin Baek received his BS degree in School of Information and Communication Engineering,
Sung Kyun Kwan University in 2004 and an MS degree from Department of Computer Engineering
and School of Computer Science and Engineering, Seoul National University in 2006. Currently, he is
a research engineer in information and technology laboratory, LG Electronics Institute of Technology.
His research interests include multimedia transmission over wireless network and wireless personal
area networks.
Javier A. Barria received the BSc degree in electronic engineering from the University of Chile,
Santiago, in 1980, and the PhD and MBA degrees from Imperial College London in 1992 and 1998,
respectively. From 1981 to 1993, he was a system engineer and project manager (network operations)
with the Chilean Telecommunications Company. Currently, he is a reader in the Intelligent Systems
and Networks Group, Department of Electrical and Electronic Engineering, Imperial College London.
His research interests include communication networks monitoring strategies using signal and image
processing techniques, distributed resource allocation in dynamic topology networks, and fair and
efficient resource allocation in IP environments. He has been a joint holder of sever
European Union project contracts all concerned with aspects of communication systems design and
management. Dr. Barria was a British Telecom Research Fellow (2001 – 2002) and a Tan Chin Tuan
Research Fellow, NTU Singapore (2003 - 2004). He is a fellow member of IEE, member of IEEE, and
a chartered engineer.
Paolo Bellavista graduated from University of Bologna, Italy, where he received PhD degree in
computer science engineering in 2001. He is now an associate professor of computer engineering at
the University of Bologna. His research activities span from mobile agent-based middleware solutions
and pervasive wireless computing to location/context-aware services and adaptive multimedia. He is
member of IEEE and Italian Association for Computing (AICA). He is an associate technical editor of
the IEEE Communication Magazine.
Soong Boon-Hee received his BEng (honors I) degree in electrical and electronic engineering from
University of Auckland, New Zealand and a PhD degree from the University of Newcastle, Australia
in 1984 and 1990, respectively. He is currently an associate professor with the School of Electrical and
Electronic Engineering, Nanyang Technological University. From October 1999 to April 2000, he was
a visiting research fellow at the Department of Electrical and Electronic Engineering, Imperial College,
UK under the Commonwealth Fellowship Award. He was awarded the Tan Chin Tuan Fellowship to
visit the Centre for Advanced Computing and Communications, Duke University in June 2004. He also
served as a consultant for mobile IP in a recent technical field trial of next-generati
initiated by IDA (InfoComm Development Authority, Singapore). His area of research interests includes
mobile ad hoc and sensor networks, mobility issues, mobile IP, optimization of wireless networks, rout-
ing algorithms, optimization and planning of mobile communication networks, queuing theory system
theory, quality of service issues in high-speed networks, and signal processing. He has served as a
reviewer for a number of IEEE top journals and international conferences. He has served on Technical
Program Committee for IEEE Globecom 2004, 2005, 2006, and 2007, IEEE WCNC 2005, and IEEE
ISWCS 2004, 2005, 2006, and 2007. He is currently organizing co-chair of IEEE Vehicular Technol-
ogy Conference, Spring 2008 to be held in Singapore. He is currently on the technical committee ISO
204/WG16 that tracks developments in the intelligent transport sector. He is listed in Marquis Who’s
Who in Science and Engineering 2006-2007. He has published more than one hundred international
journals and conferences. He is a senior member of IEEE and a member of ACM.
John Buford is a research scientist with Avaya Labs. Previously he was a lead scientist at the Panasonic
Princeton Laboratory, VP of Software Development at Kada Systems, director of Internet Technologies
at Verizon, and chief architect-OSS at GTE Laboratories. Earlier he was tenured associate professor
of computer science at the University of Massachusetts Lowell, where he also directed the Distributed
Multimedia Systems Laboratory. He has authored or co-authored ninety refereed publications and the
book Multimedia Systems. He is an IEEE senior member and is co-chair of the IRTF Scalable Adaptive
Multicast Research Group. He holds the PhD from Graz University of Technology, Austria, and MS
and BS degrees from MIT.
Mihaela Cardei is an assistant professor in the Department of Computer Science and Engineering at
Florida Atlantic University, and director of the NSF-funded Wireless and Sensor Network Laboratory.
Dr. Cardei received her PhD and MS in computer science from the University of Minnesota, Twin Cit-
ies, in 2003 and 1999, respectively. Her research interests include wireless networking, wireless sensor
networks, network protocol and algorithm design, and resource management in computer networks.
Dr. Cardei is a recipient of the 2007 Researcher of the Year Award at Florida Atlantic University. She
is a member of IEEE and ACM.
Luca Caviglione (M.D. 2002, Ph.D. 2006) participated in several research projects funded by the
EU, by ESA, and by Siemens COM AG. He is author and co-author of many academic publications
about TCP/IP networking, P2P systems, QoS architectures, and wireless networks. He is a member
of the Italian IPv6 Task Force and he participates in several TPCs and performance talks about IPv6
and P2P. He is with the Institute of Intelligent Systems for Automation (ISSIA) – Genoa Branch of the
National Research Council of Italy.
Symeon Chatzinotas has a BSc in electrical and computer engineering from Aristotle University of
Thessaloniki and a MSc in microwave engineering and wireless subsystem design from University of
Surrey. Since 2006 he has been working on his PhD at the Centre for Communication Systems Research,
University of Surrey. His current research interests include mobile networking, wireless security, and
network information theory.
Thomas Chen is an associate professor at Southern Methodist University. Prior to joining SMU, he
worked on ATM research at GTE Laboratories (now Verizon). He has been the editor-in-chief of IEEE
Communications Magazine since 2006. He also serves as senior technical editor for IEEE Network, and
was the founding editor of IEEE Communications Surveys. He co-authored ATM Switching Systems
(Artech House 1995). He received the IEEE Communications Society’s Fred W. Ellersick Best Paper
Award in 1996.
Yifan Chen received the BEng and PhD degrees in electrical and electronic engineering from Nan-
yang Technological University (NTU), Singapore, in 2002 and 2006, respectively. He is presently with
the Biomedical Engineering Research Centre, NTU, as a research fellow. His current research interests
involve ultra-wideband (UWB) radar system for biomedical applications including microwave imaging
of human tissues and noncontact vital-signs monitoring, statistical modeling of mobile radio channels,
UWB signal processing for wireless communications and geolocation systems, multiple-antenna system
performance analysis, and wireless networks.
Zhijia Chen is currently a PhD student in Department of Computer Science and Technology, Tsin-
ghua University. He is a visiting graduate student at School of Engineering of Stanford in Spring 2007.
His research area is in P2P networking and media streaming. He has published four academic papers
in area of P2P streaming, protocol modeling, and so forth. He is the International First Prize winner in
American Mathematical Contest in Modeling (MCM 2004 Meritorious Winners). He is also the network
session chair in 1st Beijing-Hong Kong Doctoral Forum on Network and Media 2006.
Yanghee Choi received BS in electronics engineering from Seoul National University, MS in elec-
trical engineering from Korea Advanced Institute of Science, and Doctor of Engineering in computer
science from Ecole Nationale Superieure des Telecommunications (ENST) in Paris, in 1975, 1977, and
1984, respectively. He was with the Electronics and Telecommunications Research Institute (ETRI)
during 1977-1991. He is now leading the Multimedia and Mobile Communications Laboratory in Seoul
National University. He is also director of Computer Network Research Center in Institute of Computer
Technology (ICT). He is vice-president of Korea Information Science Society. His research interest lies
in the field of multimedia systems and high-speed networking.
Mohammad M. R. Chowdhury is working toward the PhD degree in the University Graduate Center
at Kjeller (UniK)/University of Oslo, Norway in the area of user mobility and service continuity. He
received his MSc from Helsinki University of Technology in radio communications. His current areas of
interest are identity and identity based service interactions, seamless user experience in heterogeneous
wireless networks, and development of innovative service concepts for mobile operators.
Tomasz Ciszkowski received MSc degree in electronics and computer engineering from Faculty of
Electronics and Information Technology of Warsaw University of Technology (WUT), Poland, in 2004.
Currently, he is working toward a PhD degree in telecommunications at WUT on reputation service in
anonymous ad hoc networks. Since 2004 he has been working for Polish Telecom in multimedia services
division. His research activities are reflected in European research projects on next
(EuroNGI) and end-to-end QoS support over heterogeneous networks (EuQoS).
Amitabha Das obtained his BTech (honors) degree in electronics and electrical communication
engineering from the Indian Institute of Technology, Kharagpur in 1985, and his PhD in computer
engineering from the University of California, Santa Barbara, in 1991. Currently he is an associate
professor in the School of Computer Engineering in Nanyang Technological University, Singapore. His
research interests include wireless and mobile networks, network security, and intrusion detection. He
is a senior member of IEEE.
Robert H. Deng received his Bachelor from National University of Defense Technology, China, and
his MSc and PhD from the Illinois Institute of Technology. He has been with the Singapore Management
University since 2004, and is currently a professor, associate dean for Faculty & Research, and director
of SIS Research Center, School of Information Systems. Prior to this, he was principal scientist and
manager of Infocomm Security Department, Institute for Infocomm Research, Singapore. He has 26
patents and more than 200 technical publications in international conferences and journals in the areas
of computer networks, network security, and information security. He served as general chair, program
committee chair, and member of numerous international conferences, including PC co-chair of the 2007
ACM Symposium on Information, Computer and Communications Security. He received the University
Outstanding Researcher Award from the National University of Singapore in 1999 and the Lee Kuan
Yew Fellow for Research Excellence from the Singapore Management University in 2006.
Mieso Denko is an associate professor of computing and information science at the University of
Guelph, Ontario, Canada. He received his BSc degree in statistics and mathematics from Addis Ababa
University. He received his MSc degree from the University of Wales, UK, and his PhD degree from
the University of Natal, South Africa, both in computer science. His current research interests include
wireless ad hoc networks, wireless mesh networks, wireless sensor networks, pervasive computing, and
networking. He has published numerous research papers in international journals, conferences, work-
shops, and contributed to book chapters. Currently he is co-editing three books in the above areas. Dr.
Denko has been actively involved in professional services as organizer or co-organizer of international
conferences, symposiums, and workshops, as well as TPC member for a number of conferences and
workshops. Among these, most recently he was the general co-chair of the IEEE PCAC-07, general
vice-chair of ISPA-07 and program vice-chair of IEEE AINA-07. Currently he is a program vice-chair
of the IEEE AINA-08, and co-organizer and program co-chair of the IEEE MHWMN-07 and IST-
AWSN-07. Dr. Denko is a senior member of the ACM, a member of the IEEE, ACM SIGMOBILE,
IEEE Communications Society, and IEEE Computer Society. Currently, he is an associate professor of
computing and information science at the University of Guelph, Ontario, Canada.
Yacine Djemaiel holds a Master Degree in telecommunications and he is currently preparing his
PhD thesis in telecommunications in the Engineering School of Communications (SUP’COM, Tuni-
sia). He is conducting research activities in the area of intrusion detection and tolerance and digital
investigation of security incidents. Since September 2006, Mr. Djemaiel has been a teacher assistant
in telecommunications.
Felipe Espinosa got the BSc and MSc degrees in telecommunications from Polytechnics University
of Madrid (Spain) in 1984 and 1991, respectively. He received the PhD degree in telecommunications
from University of Alcala (Spain) in 1998. He was a lecturer from 1985 to 2000 and has been an associ-
ate professor since 2000, always in the Electronics Department at the University of Alcalá (Spain). His
main research interests include electronic control and communication applied to cooperative guidance
of robots and vehicles, as well as intelligent transportation systems.
Simone Fischer-Hübner has been a full professor at the Computer Science Department of Karlstad
University since June 2000, where she is the head of the PriSec (Privacy & Security) research group. She
received Doctoral (1992) and Habilitation (1999) degrees in computer science from Hamburg University.
Her research interests include technical and social aspects of IT-security, privacy, and privacy-enhancing
technologies. She was a research assistant/assistant professor at Hamburg University (1988-2000) and
a guest professor at the Copenhagen Business School (1994-1995) and at Stockholm University/Royal
Institute of Technologies (1998-1999).
J. Antonio Garcia-Macias holds a PhD from the Institut National Polytechnique de Grenoble
(INPG), France. He is currently a researcher at CICESE Research Center, working in the Computer Science
Department. His current research interests are wireless (ad hoc and sensors) networks, ubiquitous
computing, next-generation Internet services and protocols, and distributed collaborative systems.
Kaj J. Grahn, Dr. Tech. from Helsinki University of Technology, is presently a senior lecturer in
telecommunications at the Department of Business Administration, Media, and Technology at Arcada
Polytechnic, Helsinki, Finland. His current research interests include mobile and wireless networking
and network security.
Stefanos Gritzalis holds a BSc in physics, an MSc in electronic automation, and a PhD in informatics,
all from the University of Athens, Greece. Currently he is an associate professor, the head of the Depart-
ment of Information and Communication Systems Engineering, University of the Aegean, Greece, and
the director of the Laboratory of Information and Communication Systems Security (Info-Sec-Lab). His
published scientific work includes several books and more than journal 05 1 and internat
papers. The focus of these publications is on information and communication systems security. He was
a member (secretary general, treasurer) of the Board of the Greek Computer Society.
Yong Guan is an assistant professor in the Department of Electrical and Computer Engineering
at Iowa State University. He received his BS (1990) and MS (1996) in computer science from Peking
University, China, and his PhD (2002) in computer science from Texas A&M University. His research
interests are computer and network forensics, wireless and sensor network security, and privacy-enhanc-
ing technologies for the Internet. He received the Best Student Paper Award from the IEEE National
Aerospace and Electronics Conference in 1998, won 2nd place in the graduate category of the Interna-
tional ACM Student Research Contest in 2002, and was named the Litton Assistant Professor by Iowa
State University in 2007.
Mohamed Hamdi received his Engineering Diploma, Master Diploma, and PhD in telecommunica-
tions from the Engineering School of Communications (Sup’Com, Tunisia) in 2000, 2002, and 2005,
respectively. From 2001 to 2005 he worked for the National Digital Certification Agency (NDCA, Tunisia)
where he was head of the Risk Analysis Team. Dr. Hamdi was in charge of building the security
strategy for the Tunisian Root Certification Authority and in continuously assessin
NDCA's networked infrastructure. He has also served on various national technical committees for
securing e-government services. Currently, Dr. Hamdi is serving as a contract lecturer for the Engineering
School of Communications at Tunis. He is also a member of the Communication Networks and Security
Lab (Coordinator of the Formal Aspects of Network Security Research Team), where he is conducting
research activities in the areas of risk management, algebraic modeling, - relationals
sion detection, network forensics, and wireless sensor networks.
Munirul M. Haque is currently a PhD student at Purdue University. He received the MS degree
in computer science at Marquette University where he researched pervasive computing, security, and
privacy in the Ubicomp Research Lab. He completed the BS in computer science and engineering from
Bangladesh University of Engineering and Technology.
Jahan Hassan is a research fellow at the School of Information Technologies, University of Sydney.
She received her PhD in 2004 from University of New South Wales, Sydney, and Bachelor degree in
1995 from Monash University, Melbourne, both in computer science. She is published widely in peer-
reviewed conferences and journals. She was a member of the Technical Program Committee of IEEE
LCN 2006, IEEE ICC 2007, IEEE ISWPC 2007, IADIS AC 2006, and IADIS WAC 2007. She served
as a reviewer for many conferences and journals. Her research interests include mobile and wireless
networking architectures and wireless network security. Her current project focuses on the fast authen-
tication techniques for multiprovider access networks.
Artur Hecker received a diploma in computer science (Dipl.inform.) from the University of Karl-
sruhe (TH), Germany in 2001. In 2005, he received a PhD degree in computer science and networking
from the ENST, France. After his thesis, he worked as CTO of Wavestorm SAS, which he co-founded
in 2003. Since 2006, Dr. Hecker holds a position as associate professor at the INFRES department at
the ENST. His present research interests are wireless access security, security assurance of complex
systems, network and service management, and autonomous networking. Dr. Hecker is actively involved
in several IST FP6 and EUREKA CELTIC research activities.
Silke Holtmanns received her PhD in mathematics from the University of Paderborn (Germany),
Department of Computer Science and Mathematics. She has been a senior researcher at Nokia Research
Center since 2004. Before that, she was working in Ericsson Research Lab Aachen (Germany) as a
master research engineer and at the University of Paderborn as a scientific assistant
30 publications and co-authored several books on mobile security. She is also rapporteur of six 3GPP
security specifications and reports and involved in various standardization activ
Ismail Khalil Ibrahim is a senior researcher and lecturer at the Institute of Telecooperation,
Johannes Kepler University Linz, Austria, where he teaches, consults, and conducts research in mobile
multimedia applications and services, agent technologies, and information integration. He received his
MSc and PhD in computer engineering and information systems from Gadja Mada University, Indonesia.
Dr. Ibrahim previously served as a research fellow at Intelligent Systems Group in the Netherlands and
as project manager at the Software Competence Center Hagenberg, Austria. He is the editor-in-chief of
Advances in Next Generation Mobile Multimedia book series and Journal of Mobile and Multimedia
Communications, and co-editor in chief of the International Journal of Web Information Systems (JWIS)
and the Journal of Mobile Multimedia (JMM). His research interests also include business, social, and
policy implications associated with the emerging Web technologies.
Biju Issac is a lecturer in the School of IT and Multimedia in Swinburne University of Technology
(Sarawak Campus), Malaysia. He is also the head of Network Security Research Group in the Informa-
tion Security Research Lab at Swinburne University Sarawak. He is an electronics and communication
engineer with a post graduate degree in computer applications. Currently he is doing part-time PhD in
networking and mobile communications in UNIMAS, Malaysia. His research interests are in wireless
and network security, wireless mobility, and IPv6 networks.
Tao Jiang is a research scientist at the Department of Electronic and Computer Engineering, University
of Michigan, Dearborn. He received BS and MS degrees in applied geophysics from China University of
Geosciences, Wuhan in 1997 and 2000, respectively, and a PhD degree in information and communication
engineering from Huazhong University of Science and Technology, Wuhan, P. R. China in April 2004.
From August 2004 to August 2005, he worked at Brunel University, London, as an academic visiting
scholar, and then moved to University of Puerto Rico in 2006. His current research interests include
the areas of wireless communications and corresponding signal processing, especially for OFDM and
MIMO systems, cooperative networks, cognitive radio, and ultra wideband communications.
John Felix Charles Joseph is currently pursuing PhD in computer science from Nanyang Techno-
logical University, Singapore. His research interests include security in wireless and ad hoc networks,
computational intelligence, multicast routing security, and multimedia. He received his Bachelor in
engineering, computer science from Madras University, India in 2002 and MS from Anna University,
India in 2005. His current work involves design of an intrusion detection algorithm for mobile wireless
ad hoc network environment.
Admela Jukan is a professor in electrical and computer engineering at the Technical University
Carolo Wilhelmina in Braunschweig, Germany. Prior to coming to TU Braunschweig, she was with
University of Illinois at Urbana Champaign (UIUC), Georgia Tech (GaTech), University of Quebec
(EMT-INRS), and Vienna University of Technology (TU Wien). From 2002-2004, she served as program
director in computer and networks system research at the National Science Foundation (NSF) in Arling-
ton, VA. While at NSF, she was responsible for funding and coordinating US-wide university research
and education activities in the area of network technologies and systems. She received the MSc degree
in information technologies and computer science from the Polytechnic of Milan, Italy, and the PhD
degree (cum laude) in electrical and computer engineering from the Vienna University of Technology
(TU Wien), Austria. Dr. Jukan is the author of numerous papers in the field of networking, and she
authored and edited several books. She serves as a member of the Quality Assurance Committee for the
EU Network of Excellence, ePhoton/One. Dr. Jukan has chaired and co-chaired several international
conferences, including IFIP ONDM, IEEE ICC, and IEEE GLOBECOM. She serves on the editorial
board of the IEEE Communications Surveys and Tutorials. She is a senior member of the IEEE.
György Kálmán is a graduate student at UniK, University Graduate Center in Kjeller, Norway. His
research area covers personal and device authentication, security, and privacy in wireless systems. He
got his MSc degree in the area of communication networks from the Budapest University of Technology
and Economics. He was research fellow at Telenor R&I at the Media Platforms group.
Georgios Kambourakis received the diploma in applied informatics from the Athens University
of Economics and Business and the PhD in information and communication systems engineering from
the Department of Information and Communications Systems Engineering of the University of Aegean.
He also holds a MEd from Hellenic Open University. Dr. Kambourakis is a lecturer in the Department
of Information and Communication Systems Engineering of the University of the Aegean, Greece.
His research interests are in the fields of mobile and ad hoc networks security, VoIP sec
protocols, and PKI, and he has more than 35 publications in the above areas.
Jonny Karlsson has a BSc in information technology from Arcada Polytechnic, Helsinki Finland.
Since May 2002 he has been working at Arcada Polytechnic as a course assistant and course teacher
in programming and network security related courses and as a research assistant. His current research
interests include wireless and mobile network security.
Paris Kitsos received the BSc degree in physics in 1999 and a PhD in 2004 from the Department
of Electrical and Computer Engineering, both at the University of Patras. Currently he is a research fellow
with the Digital Systems & Media Computing Laboratory, School of Science & Technology, Hellenic
Open University (HOU). His research interests include VLSI design, hardware implementations of
cryptographic algorithms, and security protocols for wireless communication systems. Dr. Kitsos has
published more than 60 scientific articles and technical reports, as well as is reviewin
books, international journals, and conferences/workshops in the areas of his research. He has partici-
pated in international journals and conferences organization, as program/technical committee member
and guest editor.
Giorgos Kostopoulos received his diploma in electrical and computer engineering from the Elec-
trical & Computer Engineering Department, University of Patras, Greece in 2003. Since then he has
been working as a researcher engineer in the Department of Electrical and Computer Engineering of
the University of Patras. His research interests include security in wireless networks, new generation
networks architectures, security management in new generation networks, and communication networks.
Giorgos Kostopoulos has published more than 15 technical papers and book chapters in these areas. He
has also participated as senior engineer in European Research Projects.
Zbigniew Kotulski received his MSc in applied mathematics from Warsaw University of Technology
and PhD and DSc degrees from Institute of Fundamental Technological Research of the Polish Acad-
emy of Sciences. He is currently professor at IFTR PAS and professor and head of Security Research
Group at Department of Electronics and Information Technology of Warsaw University of Technology,
Poland. He is the author and co-author of three books and more than 150 research papers on applied
mathematics, cryptology, and information security.
Odysseas Koufopavlou received the Diploma of Electrical Engineering in 1983 and the PhD degree
in electrical engineering in 1990, both from University of Patras, Greece. From 1990 to 1994 he was at
the IBM Thomas J. Watson Research Center, Yorktown Heights, NY. He is currently a professor with
the Department of Electrical and Computer Engineering, University of Patras. His research interests
include computer networks, high performance communication subsystems architecture and implementa-
tion, VLSI low power design, and VLSI crypto systems. Dr. Koufopavlou has published more than 150
technical papers and received patents and inventions in these areas. He has participated as coordinator
or partner in many Greek and European R&D programs. He served as general chairman for the IEEE
ICECS’1999.
Geng-Sheng (G.S.) Kuo worked with R&D laboratories of the communications industry in the
United States, such as AT&T Bell Laboratories. In August 2000, he joined National Chengchi University,
Taipei, Taiwan as a professor. Since 2001, he has been invited as chair professor of Beijing University of
Posts and Telecommunications (BUPT) in Beijing, China. His current research interests include mobile
communications, wireless communications, and IP-networks. From 2001 to 2002, he was editor-in-chief
of IEEE Communications Magazine, whose impact factor in 2002 was 3.165. Currently, he is area editor
for Networks Architecture of IEEE Transactions on Communications, editor and ComSoc representative
to IEEE Internet Computing, editor of European Transactions on Telecommunications, and so forth.
Taekyoung Kwon is an assistant professor in Multimedia & Mobile Communications Lab., School
of Computer Science and Engineering, Seoul National University. He received his PhD, MS, and BS
degrees in computer engineering from Seoul National University in 2000, 1995, and 1993, respectively.
He was a visiting student at IBM T. J. Watson Research Center in 1998 and a visiting scholar at the
University of North Texas in 1999. His recent research areas include radio resource management, wire-
less technology convergence, mobility management, and sensor network.
Pekka Laitinen received his MSc degree in information sciences in Helsinki University of Technol-
ogy, Department of Engineering Physics and Mathematics. He is principal engineer in Nokia Research
Center where he has been working since 1996. His research interests include identity management and
applied security.
Björn Landfeldt received a BSc equivalent from the Royal Institute of Technology in Sweden. He
received his PhD from The University of New South in 2000. Afterwards he joined Ericsson Research
in Stockholm as a Senior Researcher. In 2001, Dr. Landfeldt took up a position as a CISCO senior
lecturer in Internet Technologies at the University of Sydney. He has published more than 50 publica-
tions in international books, journals, and conferences. Dr. Landfeldt is serving on the editorial boards
of international journals and as a program committee member of many international conferences. His
research interests include wireless systems, systems modeling, mobility management, and QoS.
Peter Langendoerfer received his doctoral degree in 2001. Since 2000 he has been with the IHP in
Frankfurt (Oder) where he is leading the mobile middleware group. He has published more than 55 refereed
technical articles, filed seven patents in the security/privacy area, and worked as g
Journal of Super Computing (Kluwer), Computer Communications (Elsevier), Wireless Communications
and Mobile Computing (Wiley), and ACM Transactions on Internet Technology. He is/was also a TPC
member/chair of many conferences. His research interests include mobile communication (especially
privacy and security issues), protocol engineering, and automated protocol implementation.
Shahram Latifi, an IEEE fellow, received the Master of Science degree in electrical engineering
from Fanni, Teheran University, Iran in 1980. He received the Master of Science and the PhD degrees
both in electrical and computer engineering from Louisiana State University, Baton Rouge in 1986 and
1989, respectively. He is currently a professor of electrical engineering at the University of Nevada, Las
Vegas and director of the Center for Information and Communication Technologies (CICT). Dr. Latifi
designed and taught graduate courses on security, image processing, computer networks, fault tolerant
computing, and data compression in the past 16 years. He has given seminars on the aforementioned
topics all over the world. He has authored over 120 technical articles in the areas of image processing,
document analysis, computer networks, fault tolerant computing, parallel processing, and data com-
pression. His research has been funded by NSF, NASA, DOE, Boeing, Lockheed, and Cray Inc. Dr.
Latifi is an associate editor of the IEEE Transactions on Computers and co-founder and gen
of the IEEE International Conference on Information Technology. He is also a registered professional
engineer in the State of Nevada.
Bu-Sung Lee received his BSc (honors) and PhD from the Electrical and Electronics Department,
Loughborough University of Technology, UK in 1982 and 1987, respectively. He is currently associate
chair (research) with the School of Computer Engineering, Nanyang Technological University. He is
also the founding president of Singapore Research and Education Networks (SingAREN). He has been
an active member of several national standards organizations such as the National Grid Pilot Project.
His research interests are in network management, broadband, distributed, ad hoc and mobile networks,
network optimization, as well as grid computing.
Supeng Leng is an associate professor in the School of Communication and Information Engineering,
University of Electronic Science and Technology of China (UESTC). He received his BEng degree from
UESTC in 1996, and PhD degree from Nanyang Technological University (NTU), Singapore in 2005.
He has experience as a R&D engineer in the field of computer communications, and as a research
in the Network Technology Research Center, NTU. His research focuses on ad hoc/sensor networks,
wireless mesh networks, and broadband wireless networks.
Mo Li received the BE from Beijing University of Posts and Telecommunications. Then, he worked
for Lucent Technologies and Computer Associates (CA), where he has been involved in the design of
system architectures for DWDM/SDH/IP Backbone O&M systems. He is currently working toward the
PhD at the Faculty of Engineering, University of Technology, Sydney. His research interests include
handover management and trust-assisted networking.
Xinghua Li obtained his ME and PhD degrees in computer architecture and computer application
from Xidian University (Xi’an) in 2004 and 2006, respectively. Currently, Xinghua Li is the lecturer of
the School of Computer of Xidian University. His research interests include information and network
security.
Shiguo Lian, member of IEEE, SPIE, and EURASIP, got his PhD degree in multimedia security
from Nanjing University of Science and Technology in July 2005. He was a research assistant at City
University of Hong Kong from March to June in 2004, studying on multimedia encryption. He has
been with France Telecom R&D Beijing since July 2005, focusing on multimedia content protection,
including digital rights management (DRM), image or video encryption, watermarking and authentica-
tion, and so forth.
Chuang Lin is a professor and the former head of the Department of Computer Science and Technol-
ogy, Tsinghua University, Beijing, China. He received his PhD degree in computer science from Tsinghua
University in 1994. Professor Lin is a senior member of the IEEE, the Chinese Delegate in TC6 of IFIP,
and has served as associate editor for several journals. His current research interests include computer
networks, performance evaluation, logic reasoning, and Petri net theory and its applications. He has
co-authored more than 200 papers in research journals and IEEE conference proceedings in these areas
and has published three books.
Bin Lu is an assistant professor in the Department of Computer Science at West Chester University
of Pennsylvania. Dr. Lu received her BS (1996) and MS (1998) degrees in computer science from Harbin
Institute of Technology, China, and her PhD (2005) in computer science from Texas A&M University.
Her research interests include network security, quality of service, and wireless networks.
Jianfeng Ma received his BS degree in mathematics from Shaanxi Normal University (Xi’an) in 1985,
and obtained his ME and PhD degrees in computer software and communications engineering from
Xidian University (Xi’an) in 1988 and 1995, respectively. Professor Ma is a member of the executive
council of the Chinese Cryptology Society. Currently, Professor Ma is the director of the Ministry of
Education Key Laboratory of Computer Networks and Information Security, and he is the dean of the
School of Computer of Xidian University. His research interests include information security, coding
theory, and cryptography.
Ismat K. Maarouf obtained his BS degree in computer engineering in 2005 and an MS degree in
computer networks in 2007 from King Fahd University of Petroleum and Minerals (KFUPM), Dhahran,
Saudi Arabia. He is currently working as a research assistant in the Computer Engineering Department
in KFUPM. His main research interests include mobile ad hoc and wireless sensor networks, computer
networks security, reputation systems, and WLAN-Cellular networks integration.
Michael Maaser received his Master’s degree in computer science from Brandenburg University
of Technology Cottbus in 2004. After his thesis about negotiation of privacy he started as a research
scientist at IHP. His research focuses on privacy preserving techniques mainly, but not limited to, the
field of location based services. Throughout the recent 2 years he has seven publication
the area of privacy and two filed patents.
Ashraf S. Hasan received the BSc degree in electrical and computer engineering from Kuwait Uni-
versity in 1990, and the MEng in engineering physics (computer systems) from McMaster University,
Hamilton, Canada in 1992. He received his PhD in systems and computer engineering from Carleton
University, Ottawa, Canada in 1997. During 1997-2002, he was with Nortel Networks Research and Development
where he focused on development and evaluation of radio resource management algorithms
for broadband and 3G networks. Since 2002, he has been with the Computer Engineering Department at
King Fahd University of Petroleum and Minerals, Dhahran, KSA as an assistant professor. His research
interests include radio resource management for 3rd and 4th G networks, wireless local area networks,
and integration of heterogeneous networks.
Amel Meddeb Makhlouf received the engineering degree (in 2001) and the Master degree in communications
(in 2003) from the Engineering School of Communications (SUP’COM, Tunisia). She is a
member of the Communication Networks and Security (CN&S) Research Laboratory (University of
November 7th, Carthage, Tunisia). Since September 2004, she has joined the Engineering School of
Communications (SUP’COM, TUNISIA) as a teacher assistant in telecommunications.
Leonardo A. Martucci is a doctoral student at Karlstad University, Sweden, where he works with
research on privacy enhancing technologies for wireless environments. He is involved in education,
research, deployment, and industrial projects in the field of wireless network securi
2001. Mr. Martucci’s research is focused especially in privacy problems in dynamic and distributed
environments, such as mobile ad hoc networks. He holds a Licentiate in engineering from Karlstad
University (2006), a Masters in electrical engineering (2002), and an electrical engineer degree (2000)
from University of São Paulo, Brazil.
Geyong Min is a senior lecturer in the Department of Computing at University of Bradford, United
Kingdom. He received the PhD degree in computing science from University of Glasgow, UK, in 2003.
His research interests include performance modeling and simulation, network traffic en
computing and wireless networks, multimedia systems, and information security. Dr. Min has published
over 100 research papers in the well-established journals and conferences. Dr. Min serves on the edito-
rial board of the International Journal of Wireless and Mobile Computing and Journal of Simulation
Modeling Practice and Theory, and serves as the guest editor for 10 international journals.
Rebecca Montanari graduated from University of Bologna, Italy, where she received her PhD degree in
computer science engineering in 2001. She is now an associate professor of computer engineering at the
University of Bologna. Her research primarily focuses on policy-based networking and systems/service
management, mobile agent systems, security management mechanisms, and tools in both traditional
and mobile systems. She is a member of IEEE and AICA.
Luminita Moraru is currently a PhD candidate in the TCS-sensor lab of the Computer Science De-
partment of the University of Geneva. She received a BS degree in electrical engineering and computer
science from the Polytechnic University of Bucharest, in 2004, and a MS degree in computer science
(embedded systems) from the University of Science and Technology of Lille, in 2005. Her research interests
are in sensor networks, mobile ad hoc networks, security, and reputation based trust. Her current
research focuses on security and QoS of routing protocols for sensor networks.
Huansheng Ning received a BS degree from Anhui University, China, in 1996, and a PhD degree from
Beihang University, China, in 2001. From 2002 to 2003, he was the CTO of Aerospace Golden Card
Company. Since 2004, he has been an associate professor in Beihang University. His current research
interests include RFID, EM computing, ITS, and so forth.
Josef Noll holds a professor stipend from the University of Oslo in the area of mobile services.
Working areas include mobile authentication, wireless broadband access, personalized services, and the
evolution to 4G systems. He is also senior advisor in Movation, Norway’s leading innovation company
for mobile services. Previously he was senior advisor/group leader at Telenor R&I, project leader of
“Operators’ Vision on Systems Beyond 3G” and other international projects, use-case leader in the EU
“Adaptive Services Grid (ASG)” project, and has initiated a.o. the EU’s 6th FP ePerSpace and several
ITEA and Eurescom projects.
Christoforos Ntantogian received his BSc degree in computer science and telecommunications
from the Department of Informatics and Telecommunications, University of Athens, Greece. In 2006 he
finished his postgraduate studies in computer systems technology in the same departm
he is a PhD student. Since 2004 he has been working for the Communication Networks Laboratory of
the University of Athens and he is a member of the Security Group.
Sangheon Pack received the BS (2000) and PhD (2005) degrees from Seoul National University,
both in computer engineering. Since March 2007, he has been an assistant professor in the School of
Electrical Engineering, Korea University, Korea. From July 2006 to February 2007, he was a postdoctoral
fellow at Seoul National University. From 2005 to 2006, he was a postdoctoral fellow in the Broadband
Communications Research (BBCR) Group at University of Waterloo, Canada. His research interests
include mobility management, multimedia transmission, and QoS provision issues in next-generation
wireless/mobile networks. He is a member of the ACM and the IEEE.
Luis E. Palafox received his BS in computer engineering from the University of Baja California
in 1997. He also received his MS degree in digital systems from the National Polytechnic Institute of
Mexico in 2002. In 2004, he enrolled in the PhD program in computer science at the CICESE
Research Center in Ensenada. He has been a faculty member of the School of Chemical Science and Engineering
at the University of Baja California since 1999. His areas of interest are computer networking,
embedded systems, wireless sensor networks, and digital signal processing.
Cyrus Peikari, MD, is a practicing physician and author of several leading technical security books,
including Security Warrior from O’Reilly and Maximum Wireless Security from SAMS. In his work
with Airscanner Corporation he pioneered some of the first antivirus solutions for h
devices. His main area of research is in reverse engineering of “airborne viruses.” Dr. Peikari has been
a popular speaker and keynote at several major security conferences.
Steffen Peter received his diploma in computer science from the Brandenburg University of Tech-
nology at Cottbus (BTU) in 2006. In 2006 he joined the IHP in Frankfurt (Oder), where he was also
involved in developing a hardware TCP accelerator as a student. In his diploma thesis he was developing
hardware cryptography accelerators. He is a member of the mobile middleware group, working on the
research of solutions for security issues in wireless sensor networks. He has filed thr
authored two technical papers. His research interests include security and privacy in mobile environments
focusing on efficient hardware implementation.
Krzysztof Piotrowski received his Master in computer science from the University of Zielona Gora
(Poland) in 2004. Since 2004, he has been with the IHP in Frankfurt (Oder) where he is a member of
the mobile middleware group. He published 15 refereed technical articles in the area of security and
privacy. His research interests include mobile/wireless communication (focus on privacy and security
issues), especially on resource-constrained devices (wireless sensor networks).
Olivier Powell is a senior researcher at the Computer Science Department of the University of Ge-
neva in Switzerland. He was previously a Swiss National Research Foundation fellow at the Research
and Academic Computer Technology Institute and the University of Patras in Greece. Previously, he
was a post-doctoral research associate at the TCS-sensor lab of the University of Geneva. He received
a PhD in computer science in the field of complexity theory from the University of Geneva and
degree in mathematics from the same university. His current research interest is algorithmic aspects of
wireless sensor networks.
Göran Pulkkis, Dr. Tech. from Helsinki University of Technology, is presently senior lecturer in
computer science and engineering at the Department of Business Administration, Media, and Technology
at Arcada Polytechnic, Helsinki, Finland. His current research interests are network security, applied
cryptography, and quantum informatics.
Slim Rekhis holds a PhD and a Master degree in telecommunications from the Engineering School
of Communications (SUP’COM, Tunisia). He is conducting research activities in the area of digital
investigation of security incidents, formal modelling, intrusion detection and tolerance, and wireless
security. Since September 2005, Dr. Rekhis has been an assistant professor in telecommunications.
Angelos Rouskas received the Diploma in Electrical Engineering from the National Technical Uni-
versity of Athens (NTUA), the MSc in communications and signal processing from Imperial College,
London, and the PhD in electrical and computer engineering from NTUA. He is an assistant professor in
the Department of Information and Communication Systems Engineering of the University of Aegean,
Greece, and director of the Computer and Communication Systems Laboratory. Dr. Rouskas has been
involved in several European and Greek funded research projects and has published extensively in the
field of mobile and wireless communication networks.
Miguel A. Ruiz was born in Valdepeñas (Ciudad Real), Spain. He received the Technical Telecom-
munication Engineering and Telecommunication Engineering degrees from the Polytechnic School
at the University of Alcala (Madrid), Spain, in 1999 and 2003, respectively. He is currently working
toward the PhD degree in telecommunications at University Alcala. Since 2000, he has been working
in the Electromagnetic Compatibility Laboratory as technical manager at the High Technology and
Homologation Center (CATECHOM), research support center of the University Alcala. Furthermore, he
is an assistant lecturer at the Electronic Department of the same university. His main research interest
is EMC effect on electrical and electronic automotive systems.
Kumbesan Sandrasegaran holds a PhD in electrical engineering from McGill University (Canada)
(1994), a Masters of Science degree in telecommunication engineering and information Systems from
Essex University (UK) (198), and a Bachelor of Science (honors) degree in electrical engineering (first
class) (UZ) (1985). Dr Sandrasegaran is a professional engineer (Pr.Eng) (ECSA) and has more than
20 years experience working either as a practitioner, researcher, consultant, and educator in telecom-
munication networks. During this time, he has focused on the planning, optimization, forecasting,
security, and network management of telecommunication networks. At present, he is program head of
ICT Engineering at the Faculty of Engineering, University of Technology Sydney (UTS).
David Sanguino was born in Talavera de la Reina (Toledo), Spain. He received the technical tele-
communication engineering degree from the Polytechnic School at the University of Alcala (Madrid),
Spain, in 2004. He is currently working toward the telecommunication engineering degree at University
Alcala (UAH). Since 2005, he has been working in the Electromagnetic Compatibility Laboratory as
Technician at the High Technology and Homologation Center (CATECHOM), research support center
of the University of Alcala.
Boot-Chong Seet received his PhD in 2005 from the School of Computer Engineering, Nanyang
Technological University (NTU), where he is currently serving as an instructional faculty. Prior to join-
ing NTU, he was with the Singapore-MIT Alliance (SMA), National University of Singapore, where
he worked as a research fellow for a pilot project on adaptive location-aware computing. His current
research interests include ad hoc, mesh, and sensor networks, mobile peer-to-peer computing, vehicular
communications, and emerging broadband wireless technologies. He has over 20 refereed publications
and one patent pending. He is a member of IEEE and ACM SIGMOBILE.
Jean-Marc Seigneur is a senior researcher and lecturer at the University of Geneva. He received his
MSc and PhD in computer science from Trinity College Dublin. His more than 03 international sc
publications cover ubiquitous computing security, trust, reputation, and privacy. He is an international
expert reviewer for French ANR security research projects and the European Commission. He worked
in Hewlett-Packard in France and China. He leads the http://www.trustcomp.org online community on
computational trust management with now more than 190 academic and industrial members. He has
provided technical consulting and presentations to many companies, among them, Philips, Ericsson,
SAP, and Amazon.
Moushumi Sharmin is currently a PhD student at University of Illinois. She received the MS degree
in computer science at Marquette University where she researched pervasive computing, security, and
privacy in the Ubicomp Research Lab. She completed the BS in computer science and engineering from
Bangladesh University of Engineering and Technology.
Nicolas Sklavos received the PhD degree in electrical and computer engineering, and the diploma in
electrical and computer engineering, in 2004 and 2000, respectively, both from the Electrical & Computer
Engineering Department, University of Patras, Greece. His research interests include cryptography,
wireless communications security, computer networks, and VLSI design. He holds an award for his
PhD thesis on “VLSI Designs of Wireless Communications Security Systems” from IFIP VLSI SOC
2003. He was the general co-chair of MobiMedia’07. He has participated in international journals and
conferences organization as program committee member and guest editor. Dr. N. Sklavos is a member
of the ACM, IEEE, IEE, the Technical Chamber of Greece, and the Greek Electrical Engineering Society.
He has authored or co-authored up to 90 scientific articles, books chapters, tutori
in the areas of his research.
Nilothpal Talukder is a graduate student in computer science at Marquette University where he re-
searches pervasive computing, security, and privacy in the Ubicomp Research Lab. He completed the BS
in computer science and engineering from Bangladesh University of Engineering and Technology.
Daniela Tibaldi graduated from University of Bologna, Italy, where she received her PhD degree
in computer science engineering in 2006. Her research activity is focused on middleware solutions for
supporting the secure service provisioning in mobile and heterogeneous environments. Since 2002 she
works at the DSAW – Direction and Development of Web Activities of the University of Bologna with
both technical and quality management responsibilities. One of the DSAW main tasks is to build the
University Web sites, services, and the corresponding technological, informative, and organizational
infrastructure to fully support University educational, academic, and administrative activities.
Tom Tofigh is a principal and technical member of the AT&T architecture team. He is responsible
for architecture studies and vendors technology evaluation. Currently, he supports the AT&T labs ad-
vanced services and architecture group. Tom has worked in semiconductor companies as director of
product management, director of software development, and has consulted and worked for a number
of start-ups and had responsibility for architecture and developments of switches and access products.
In addition Tom attended George Washington University and completed his doctoral course work in
electrical engineering and computer science graduate school. Furthermore, Tom has a judicial doctoral
degree from Northern Virginia Law School with emphasis in intellectual properties. Currently, Tom is
the founder and chair of the WiMAX Forum’s Application Architecture Working Group.
Alessandra Toninelli graduated from University of Bologna, Italy, where she is currently a PhD
student in computer science engineering. Her research interests focus on semantic-based middleware
supports for service provisioning, context-aware services, security solutions for pervasive environments,
policy-based service management, and mobile agent systems. She is a member of IEEE and ACM.
Denis Trček is principal investigator at Jozef Stefan Institute and has been involved
computer networks, security, and privacy for almost 20 years. He has taken part in various European
projects, as well as domestic projects in government, banking, and insurance sectors. His bibliography
includes over one hundred titles, including works published by renowned publishers like Springer and
Wiley. D. Trcek has served (and still serves) as a member of various international boards, from editorial
to professional ones. He is inventor of a patented family of light-weight cryptographic protocols. His
interests include e-business, security, trust management, privacy, and human factor modelling.
Yu Wang received the PhD degree in computer science from Illinois Institute of Technology in
2004, and the BEng degree and the MEng degree in computer science from Tsinghua University, China,
in 1998 and 2000. He has been an assistant professor of computer science at the University of North
Carolina at Charlotte since 2004. His current research interests include wireless networks, ad hoc and
sensor networks, mobile computing, and algorithm design. He has published more than 50 papers in
peer-reviewed journals and conferences. Dr. Wang is a recipient of Ralph E. Powe Junior Faculty En-
hancement Awards from Oak Ridge Associated Universities.
Yawen Wei is a PhD candidate in the Department of Electrical and Computer Engineering at Iowa
State University. She obtained her BEng (2004) in electronic engineering from Tsinghua University,
China. Since then she has been doing research on localization security issues and location-based ser-
vices in wireless sensor networks.
Jie Wu is a distinguished research professor at the Department of Computer Science and Engineer-
ing, Florida Atlantic University and a program director at US National Science Foundation. He has
published over 350 papers in various journals and conference proceedings. His research interests are
in the areas of wireless networks and mobile computing, routing protocols, fault-tolerant computing,
and interconnection networks. Dr. Wu was on the editorial board of IEEE Transactions on Parallel
and Distributed Systems and was a co-guest-editor of IEEE Computer and Journal of Parallel and
Distributed Computing. He served as the program co-chair for MASS 2004, program vice-chair for
ICDCS 2001, and program vice-chair for ICPP 2000. He was also general co-chair for MASS 2006 and
is general chair for IPDPS 2008. He is the author of the text Distributed System Design published by
the CRC press. He was also the recipient of the 1996-97, 2001-02, and 2006-07 Researcher of the Year
Award at Florida Atlantic University. Dr. Wu has served as an IEEE Computer Society Distinguished
Visitor and is the chairman of IEEE Technical Committee on Distributed Processing (TCDP). He is a
member of ACM and a senior member of IEEE.
Christos Xenakis received his BSc degree in computer science in 1993 and his MSc degree in
telecommunication and computer networks in 1996, both from the Department of Informatics and
Telecommunications, University of Athens, Greece. In 2004 he received his PhD from the University
of Athens (Department of Informatics and Telecommunications). Since 1996 he has been a member of
the Communication Networks Laboratory of the University of Athens and, currently, he is the head of
the Security Group. In addition, he is a lecturer (faculty of the Department of Technology Education
and Digital Systems) in the University of Piraeus, Greece.
Lu Yan is a research fellow at University College London and a Visiting Fellow at University of
Cambridge. Previously, he was with Department of Information Technologies in Åbo Akademi Univer-
sity, Distributed Systems Design Laboratory in Turku Centre for Computer Science (TUCS), Institute of
Microelectronics (IME) in Peking University. He holds visiting professor positions in both École Supéri-
eure d’Ingénieurs généralistes (ESIGELEC) and École Supérieure de Commerce de Rouen (ESC).
Laurence T. Yang is a professor in computer science at St Francis Xavier University, Canada. His
research includes high performance computing and networking, embedded systems, ubiquitous/perva-
sive computing, and intelligence. He has published around 250 papers in refereed journals, conference
proceedings, and book chapters in these areas. He has been involved in more than 100 conferences and
workshops as a program/general conference chair and more than 200 conference and workshops as a
program committee member. He served as the vice-chair of IEEE Technical Committee of Supercom-
puting Applications (TCSA) until 2004. Currently he is on the executive committee of IEEE Technical
Committee of Scalable Computing (TCSC), of IEEE Technical Committee of Self-Organization and
Cybernetics for Informatics, of IFIP Working Group 10.2 on Embedded Systems, and of IEEE Tech-
nical Committee of Granular Computing. He is also the co-chair of IEEE Task force on Intelligent
Ubiquitous Computing. In addition, he is the editor-in-chief of nine international journals and a few
book series. He is serving as an editor for around 20 international journals. He has been acting as an
author/co-author or an editor/co-editor of 30 books from Kluwer, Springer, Nova Science, American
Scientific Publishers, and John Wiley & Sons. He has received three Best Paper Awards, as well
IEEE 20th International Conference on Advanced Information Networking and Applications (AINA-06);
one IEEE Best Paper Award, 2007; one IEEE Outstanding Paper Award, 2007; Distinguished Achieve-
ment Award, 2005; Distinguished Contribution Award, 2004; Outstanding Achievement Award, 2002;
Canada Foundation for Innovation Award, 2003; and University Research/Publication/Teaching Award
00-02/02-04/04-06.
Hao Yin is currently an associate professor with the Department of Computer Science and Technology,
Tsinghua University, Beijing, China. He received Ph.D. degrees in electrical engineering from
Huazhong University of Science and Technology, China in 2002. His research interests span broad aspects
of network architecture, P2P technology, wireless network, video coding, multimedia communication
over wireless network, and network security. He has published over 50 papers in refereed journals and
conferences. He is on editorial boards of Advances in Multimedia and AD HOC NETWORKS Journal,
and has been involved in organizing over 12 conferences.
Rong Yu was born in Guangdong, China, in 1979. He received his BE degree in communications
engineering from Beijing University of Post and Telecommunications (BUPT), Beijing, China, in 2002.
After that, he joined the Electronic Engineering Department of Tsinghua University, Beijing, China,
where he received his PhD degree in July 2007. His research interests include protocol design and
performance analysis of wireless sensor networks and broadband wireless multimedia networks.
Zhen Yu is a PhD candidate in the Department of Electrical and Computer Engineering at Iowa State
University. He obtained his BEng (1995) and MEng (2001) in electrical engineering from Shanghai Jiao
Tong University, China. He also received his MS in electrical engineering from Iowa State University
in 2003. Since then he has been researching security issues in wireless networks and distributed sys-
tems.
Said Zaghloul is currently a PhD candidate at the Technical University Carolo-Wilhelmina in Braun-
schweig, Germany. Prior to his PhD studies, he was with Sprint-Nextel as a telecommunication design
engineer mainly focusing on wireless IP infrastructures. During his employment at Sprint-Nextel, he
submitted two patents in the area of telecommunication protocols and received excellence awards. In
02, he received the first IEE award for his BSc graduation project in UMTS capacity planning. In
2003, he was granted a Fulbright Scholarship to pursue his MSc studies at the University of Kansas.
In 2005, Mr. Zaghloul received his MSc degree with honors. His research interests include wireless
protocols, IP technologies, and wireless communications.
Guo-Mei Zhu received the BE degree in communication engineering from ChongQing University
of Posts and Telecommunications, Chongqing, China, in 2002. She is currently pursuing her PhD degree
at the School of Telecommunication Engineering, Beijing University of Posts and Telecommunications,
Beijing, China under the supervision of Professor Geng-Sheng Kuo. Her current research interests in-
clude distributed intrusion detection for wireless networks, cross-layer communication protocol design
for wireless networks, next generation wireless networks, and wireless mesh networks.
Albert Y. Zomaya is currently the head of school and the CISCO systems chair professor of internet-
working in the School of Information Technologies, The University of Sydney. He is the author/co-author
of more than 300 publications and serves as an associate editor for several leading journals. Professor
Zomaya is the recipient of the Meritorious Service Award (in 2000) and the Golden Core Recognition
(in 2006), both from the IEEE Computer Society. He is a chartered engineer (CEng), a fellow of the
American Association for the Advancement of Science, the IEEE, and the Institution of Electrical En-
gineers (U.K.), and a distinguished engineer of the ACM.
Aneta Zwierko holds MSc and PhD in telecommunications from Warsaw University of Technology,
Poland. Her doctoral thesis “Cryptographic Protocols for Mobile Agent Systems with Applications” con-
cerned application of cryptographic protocols in mobile environment for providing integrity, anonymity,
and more complex services such as secure e-voting. Her current interests include zero-knowledge proofs
and their application, identification, and authentication protocols, anonymity and privacy in
the agent systems, E/M-voting protocols, electronic payments, and AI and its application in security.
Index
Copyright © 2008, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.
mobile ad hoc networks (MANETs) 461, 479, 480, 637
mobile agent, strong 29
mobile agent, weakly 29
mobile application part (MAP) 309, 324
mobile broadband 759
mobile broadband wireless access (MBWA) 759
mobile certificate authority (MOCA) 489
mobile code, security 28–43
mobile devices, and malicious software 1–10
mobile devices, Internet access from 6
mobile equipment (ME) 382
mobile multimedia services (MMS) 298
mobile network (MONET) 396
mobile network, and trust management 191
mobile network nodes (MNNs) 396
mobile network prefix [MNP] 396
mobile node (MN) 202, 397, 711
mobile service switching centre (MSC) 352
mobile station (MS) 320
mobile stations (MSs) 500
mobile system, and access control 176–188
mobile system, and authentication 176–188
mobile system, and authorisation 176–188
monitoring technique 417
multimedia, distribution 249
multimedia, sharing 248
multimedia encryption, and multimedia watermarking 248
multimedia encryption, in wireless environment 236–255
multimedia encryption, requirements of 238
multimedia watermarking, and multimedia encryption 248
multiple description code (MDC) 248
N
National Institute of Standards and Technology (NIST) 256
National Security Agency (NSA) 257
near field communication (NFC) 104
Neighbor Graph 721
network-oriented design 280
network-to-network (N2N) 277
Network Access Control 721
network access servers (NAS) 298
network address translation (NAT) 356, 373
network application function (NAF) 382
network convergence 178
network domain security (NDS) 324
network entities (NEs) 325
network interface card (NIC) 700
network layer 768
network mobility (NEMO) 184, 395
Network Performance 680
networks 281
network selection 289
new AP (nAP) 715
new European schemes for signatures, integrity, and encryption (NESSIE) 257
new SGSN (SGSNn) 342
Newsham, Tim 68
next generation networks (NGN) 391, 776
node, malicious 419
node, selfish 419
node MAC 632
nonrepudiation 501
Nordic mobile telephony (NMT) 273
O
old AP (oAP) 715
old SGSN (SGSNo) 342
OMA broadcast (BCAST) 386
OMA broadcast smart card service protection profile 379
on-demand protocol 518
one-way function trees (OFT) 493
online certificate status protocol (OCSP) 704
open mobile alliance (OMA) 379
open system authentication (OSA) 697
over-the-air (OTA) 380
over the air service provisioning (OTASP) 372
P
packed data gateway (PDG) 298
packet binary convolutional coding (PBCC) 520
packet core 372
packet data network (PDN) 352
packet data protocol (PDP) 344, 353
packet forwarding attacks 419
wireless multimedia, and encryption algorithms 239
wireless multimedia, and watermarking algorithms 245
Wireless network 209
wireless network 189
wireless network, and authentication 193
Wireless Networks 721
wireless networks, and security challenges 130
wireless networks, and threats in 79
wireless networks, and vulnerabilities 129–144
wireless networks, channel jamming 130
wireless networks, illicit use of 81
wireless networks, intrusion and anomaly detection in 78–94
wireless networks, passive scanning 81
wireless networks, service set identifier detection 81
wireless networks, sniffing 81
wireless networks, spoofing 82
wireless networks, traffic analysis 130
wireless networks, unauthorized access 130
wireless routing protocols 504
Wireless security 724
Wireless Sensor Network (WSN) 209
Wireless sensor networks (WSN) 628
wireless sensor networks (WSN) 617
wireless sensor networks (WSNs) 565
wireless service access, and identity management 104–114
wireless transport layer security (WTLS) 328, 368
wireless wardriving 61–77
wireless wide area network (WWAN) 347
WLAN 721
WLAN-access gateway (WLAN-AG) 298
WLAN-access point name (W-APN) 299
WLAN authentication and privacy infrastructure (WAPI) 210
worldwide interoperability for microwave access (WiMAX) 776
worm, Cabir 4
worm, Mabir 5
wormhole attack 419, 644
wormhole attacks 648
X
XML configuration access protocol (XCAP) 391
XML document management (XDM) 390
Y
Yao graph (YG) 656
Z
zone-based IDS (ZBIDS) 425